IP spoofing makes many Internet security threats hard to prevent. This paper proposes SMA, a state machine based anti-spoofing method for AS-level IP source address prefix validation. In SMA, each ordered pair of ASes is associated with a secret state machine. The AS edge routers use the state machine to generate and verify signatures periodically and automatically. The signatures are tagged into outgoing packets at the source AS edge router and verified by the edge router at the destination AS. The state machine can transit very fast, so the signatures also change very fast, which prevents signature-replay attacks. Compared with SPM, this system is more secure and more practical. We designed the protocol based on IPv6 and implemented a prototype. Our experimental results based on the prototype show that this system can filter 99.99% of spoofing packets, while the computation overhead is less than 14%. SMA is not only a system but also a theoretical model with high flexibility: it can take either a fast pseudorandom number generator or a secure hash function as its signature generation algorithm, so SMA can be applied in many end-to-end verification situations.
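The abstract describes the mechanism at a high level: a secret state machine per ordered AS pair, a source edge router that tags outgoing packets, a destination edge router that validates the claimed source prefix, and frequent state transits that defeat replay. The following is an added, simplified simulation of that exchange in Python; it is not the paper's protocol specification or prototype code. It assumes the secure-hash option (HMAC-SHA256 both for advancing the state and for computing the per-packet signature), a shared epoch counter so both ends transit in lock-step, a 128-bit tag, and constructed ASNs, prefixes and a pre-shared secret.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

# Constructed sample topology: two ASes (private ASN range) and the IPv6
# prefixes they announce. A real deployment would derive this from routing data.
PREFIX_TABLE = {
    64500: ipaddress.ip_network("2001:db8:a::/48"),
    64501: ipaddress.ip_network("2001:db8:b::/48"),
}

TAG_LEN = 16  # assumption: a 128-bit tag carried in the packet


def lookup_as(addr: str) -> Optional[int]:
    """Map an address to the AS announcing its prefix, or None if unknown."""
    ip = ipaddress.ip_address(addr)
    for asn, prefix in PREFIX_TABLE.items():
        if ip in prefix:
            return asn
    return None


class PairStateMachine:
    """Secret state machine shared by one ordered (source AS, destination AS) pair.

    Secure-hash variant (assumed): each transit derives the next state with
    HMAC-SHA256, so captured signatures reveal nothing about later states.
    Both ends must transit in lock-step; a shared epoch counter is assumed.
    """

    def __init__(self, secret: bytes, src_as: int, dst_as: int):
        self.epoch = 0
        self.state = hmac.new(secret, f"{src_as}->{dst_as}".encode(), hashlib.sha256).digest()

    def transit(self) -> None:
        self.epoch += 1
        self.state = hmac.new(self.state, self.epoch.to_bytes(8, "big"), hashlib.sha256).digest()

    def sign(self, src_ip: str, dst_ip: str) -> bytes:
        # Bind the current secret state to the packet's addresses; without the
        # state an attacker cannot produce a valid tag for a spoofed source.
        msg = f"{src_ip}|{dst_ip}".encode()
        return hmac.new(self.state, msg, hashlib.sha256).digest()[:TAG_LEN]


def make_packet(src_ip: str, dst_ip: str, tag: Optional[bytes] = None) -> dict:
    return {"src": src_ip, "dst": dst_ip, "tag": tag}


class SourceEdgeRouter:
    """Tags outgoing packets with the signature for the destination AS."""

    def __init__(self, machines: dict):  # dst_as -> PairStateMachine
        self.machines = machines

    def tag(self, pkt: dict) -> dict:
        dst_as = lookup_as(pkt["dst"])
        pkt["tag"] = self.machines[dst_as].sign(pkt["src"], pkt["dst"])
        return pkt


class DestinationEdgeRouter:
    """Validates the claimed source prefix of incoming packets."""

    def __init__(self, machines: dict):  # src_as -> PairStateMachine
        self.machines = machines

    def accept(self, pkt: dict) -> bool:
        machine = self.machines.get(lookup_as(pkt["src"]))
        if machine is None or pkt["tag"] is None:
            return False  # unknown source prefix or untagged packet: filter
        expected = machine.sign(pkt["src"], pkt["dst"])
        return hmac.compare_digest(expected, pkt["tag"])


def run_demo() -> dict:
    """Run legitimate, spoofed and replayed packets; return the accept decisions."""
    secret = b"constructed-pre-shared-secret"  # assumed distributed out of band
    sm_a = PairStateMachine(secret, 64500, 64501)  # copy at AS 64500's edge
    sm_b = PairStateMachine(secret, 64500, 64501)  # copy at AS 64501's edge
    edge_a = SourceEdgeRouter({64501: sm_a})
    edge_b = DestinationEdgeRouter({64500: sm_b})

    legit = edge_a.tag(make_packet("2001:db8:a::10", "2001:db8:b::20"))
    results = {"legit": edge_b.accept(legit)}

    # Spoofed: claims an AS 64500 source address but carries a random tag.
    spoofed = make_packet("2001:db8:a::10", "2001:db8:b::20", secrets.token_bytes(TAG_LEN))
    results["spoofed"] = edge_b.accept(spoofed)

    # Replay: a captured valid packet resent after both machines have transited.
    captured = dict(legit)
    sm_a.transit()
    sm_b.transit()
    results["replay_after_transit"] = edge_b.accept(captured)

    fresh = edge_a.tag(make_packet("2001:db8:a::11", "2001:db8:b::20"))
    results["legit_after_transit"] = edge_b.accept(fresh)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The replay case is the point of the fast transit: a tag captured from a valid packet is only useful until the next state transition, so the shorter the transit interval, the smaller the replay window. Swapping `sign` and `transit` for a fast PRNG-driven variant is the other option the abstract mentions; the router logic around the machine stays the same.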
Keywords: Spoofing Prevention; DoS Defense; State Machine