Address protection-as-a-service an inter-AS framework for IP spoofing resilience

Abstract

IP spoofing, which is generally used for anonymity and amplification, constantly leads to pervasive distributed denial-of-service (DDoS) attacks. To mitigate IP spoofing, source address validation is divided into access network, intra-autonomous system (AS), and inter-AS levels. However, because of ambiguous incentives, heterogeneous demands, and fragile trust, techniques for the inter-AS level fail in practice, and thus, IP spoofing is still considered as an almost open vulnerability of the entire Internet. In this study, we aim to transform the inter-AS source address validation into an "address protection" service, and we mitigate IP spoofing through an economics-driven framework - apf ('a'ddress 'p'rotection 'f'ramework). In such a protection, the addresses belonging to one AS can be prevented from being spoofed by others. Behind the framework, such a service will be consolidated by a unified trust anchor with a uniform interface, and deployer ASes will be free to select their preferred techniques and invoke the service when needed. Based on the empirical data and theoretical analysis, we prove that the service is acceptable for triggering economics-driven implementation under the guidance of the apf framework.