Defense Against Spoofed IP Traffic Using Hop-Count Filtering

Wang, Haining and Jin, Cheng and Shin, Kang G. (2007) Defense Against Spoofed IP Traffic Using Hop-Count Filtering. IEEE/ACM Transactions on Networking, 15 (1). pp. 40-53. ISSN 1063-6692.

IP spoofing has often been exploited by Distributed Denial of Service (DDoS) attacks to: 1) conceal flooding sources and dilute localities in flooding traffic, and 2) coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victim servers is essential both to their own protection and to preventing them from becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he cannot falsify the number of hops an IP packet takes to reach its destination. More importantly, since hop-count values are diverse, an attacker cannot randomly spoof IP addresses while maintaining consistent hop-counts. On the other hand, an Internet server can easily infer the hop-count information from the Time-to-Live (TTL) field of the IP header. Using a mapping between IP addresses and their hop-counts, the server can distinguish spoofed IP packets from legitimate ones. Based on this observation, we present a novel filtering technique, called Hop-Count Filtering (HCF), which builds an accurate IP-to-hop-count (IP2HC) mapping table to detect and discard spoofed IP packets. HCF is easy to deploy, as it does not require any support from the underlying network. Through analysis using network measurement data, we show that HCF can identify close to 90% of spoofed IP packets and discard them with little collateral damage. We implement and evaluate HCF in the Linux kernel, demonstrating its effectiveness with experimental measurements.
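The abstract describes the core of HCF in two steps: infer a packet's hop-count from the TTL it arrives with, then compare that against the hop-count recorded for the claimed source address in an IP2HC table. The following Python sketch is an added example written for this record, not the authors' Linux kernel implementation. It assumes the usual approach of taking the sender's initial TTL to be the smallest common operating-system default (the candidate set INITIAL_TTLS is an assumption here) that is at least the observed TTL; the IP2HC table, the packets and the addresses are constructed sample data keyed by exact address, whereas the paper aggregates entries by prefix.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Common initial TTL defaults used by popular operating systems.
# This candidate set is an assumption for the example, not taken from the paper.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(final_ttl: int) -> int:
    """Infer the number of hops a packet traversed from its arriving TTL.

    The sender's initial TTL is taken to be the smallest common default that is
    >= the observed value; each router decrements TTL by one, so the difference
    is the hop count. A host whose path is longer than the gap between two
    defaults will be mis-binned; HCF tolerates that because legitimate hosts
    are mis-binned consistently and the table stores what was observed.
    """
    if not 0 <= final_ttl <= 255:
        raise ValueError("TTL must be in 0..255")
    for initial in INITIAL_TTLS:
        if final_ttl <= initial:
            return initial - final_ttl
    raise AssertionError("unreachable: 255 is the largest TTL")


@dataclass(frozen=True)
class Packet:
    src_ip: str   # source address as claimed in the IP header
    ttl: int      # TTL value observed at the receiving server


def is_spoofed(packet: Packet, ip2hc: Dict[str, int], tolerance: int = 0) -> bool:
    """HCF decision: the claimed source's recorded hop-count must match the
    hop-count inferred from this packet's TTL (within an optional tolerance
    for route changes). Unknown sources cannot be judged and are passed."""
    expected = ip2hc.get(packet.src_ip)
    if expected is None:
        return False
    observed = infer_hop_count(packet.ttl)
    return abs(observed - expected) > tolerance


def filter_packets(packets: List[Packet], ip2hc: Dict[str, int],
                   tolerance: int = 0) -> Tuple[List[Packet], List[Packet]]:
    """Split a batch of packets into (accepted, dropped)."""
    accepted: List[Packet] = []
    dropped: List[Packet] = []
    for p in packets:
        (dropped if is_spoofed(p, ip2hc, tolerance) else accepted).append(p)
    return accepted, dropped


# Constructed IP2HC table: hop-counts learned earlier from legitimate traffic
# (documentation-range addresses, values invented for the example).
SAMPLE_IP2HC: Dict[str, int] = {
    "192.0.2.10": 12,     # a host with initial TTL 64 that is 12 hops away
    "198.51.100.7": 20,   # a host with initial TTL 128 that is 20 hops away
}

# Constructed packets: two genuine, two forging a known source, one unknown.
SAMPLE_PACKETS: List[Packet] = [
    Packet("192.0.2.10", 52),     # 64 - 12: consistent with the table
    Packet("198.51.100.7", 108),  # 128 - 20: consistent with the table
    Packet("192.0.2.10", 240),    # flooder 15 hops away using initial TTL 255
    Packet("198.51.100.7", 59),   # flooder 5 hops away using initial TTL 64
    Packet("203.0.113.5", 100),   # no table entry: passed, not judged
]


def run_demo(tolerance: int = 0) -> Tuple[int, int]:
    """Return (accepted, dropped) counts for the constructed sample batch."""
    accepted, dropped = filter_packets(SAMPLE_PACKETS, SAMPLE_IP2HC, tolerance)
    for p in dropped:
        print(f"dropped spoofed packet claiming {p.src_ip}: "
              f"ttl={p.ttl} implies {infer_hop_count(p.ttl)} hops, "
              f"table says {SAMPLE_IP2HC[p.src_ip]}")
    return len(accepted), len(dropped)


if __name__ == "__main__":
    print(run_demo())
```

Two points a deployer would check: the tolerance parameter trades collateral damage for detection, since legitimate hop-counts drift when routes change, which is why the abstract reports "close to 90%" rather than complete detection; and an absent table entry yields a pass, so the IP2HC table must be populated only from traffic already validated (for example completed TCP handshakes) or attackers could seed it.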

Item Type: Article
Additional Information: © Copyright 2007 IEEE. Reprinted with permission. Manuscript received October 4, 2004; revised September 19, 2005, and December 19, 2005; approved by IEEE/ACM TRANSACTIONS ON NETWORKING Editor D. Yau. [Posted online: 2007-02-20] This work was supported in part by the National Science Foundation under Grants CCR-0329629 and CNS-052392 and by the Office of Naval Research under Grant N00014-04-10726. This paper was previously presented in part at the 10th ACM Conference on Computer and Communications Security, CCS 2003, Washington, D.C.
Subject Keywords: DDoS attacks, IP spoofing, hop-count, host-based
Issue or Number: 1
Record Number: CaltechAUTHORS:WANiatnet07
Usage Policy: No commercial reproduction, distribution, display or performance rights in this work are provided.
ID Code: 7704
Deposited By: Archive Administrator
Deposited On: 23 Mar 2007
Last Modified: 02 Oct 2019 23:44