Annual Computer Security Applications Conference (ACSAC) 2017

Full Program »

RESECT: Self-Learning Traffic Filters for IP Spoofing Defense

IP spoofing has been a persistent Internet security threat for decades. While research solutions exist that can help an edge network detect spoofed and reflected traffic, sheer volume of such traffic requires handling further upstream.

We propose RESECT — a self-learning spoofed packet filter, which detects spoofed traffic upstream from the victim by combining information about the traffic’s expected route and about the sender’s response to a few packet drops. RESECT is unique in its ability to autonomously learn correct filtering rules when routes change, or when routing is asymmetric or multipath. Its operation has minimal effect on legitimate traffic, while it quickly detects and drops spoofed packets. In isolated deployment, RESECT greatly reduces spoofed traffic to the deploying network and its customers, to 8–26% of its intended rate. If deployed at 50 best-connected autonomous systems, RESECT protects the deploying networks and their customers from 99% of spoofed traffic, and filters 91% of spoofed traffic sent to any other destination. RESECT is thus both practical and highly effective solution for IP spoofing defense.

Jelena Mirkovic
United States

Erik Kline
United States

Peter Reiher
United States


Powered by OpenConf®
Copyright©2002-2017 Zakon Group LLC