Towards a SDN-Based Integrated Architecture for Mitigating IP Spoofing Attack

Current Internet packet delivery only relies on packet's destination IP address and forwarding devices neglect the validation of packet's IP source address, it makes attackers can leverage this flaw to launch attacks with forged IP source address so as to meet their vicious purposes and avoid to be tracked. In order to mitigate this threat and enhance Internet accountability, many solutions have been proposed either from the intra-domain or the inter-domain aspects. However, most of them faced with some issues hard to cope with, e.g., low filtering rates, high deployment cost. And most importantly, few of them can cover both intra-domain and inter-domain areas at the same time. With the central control and edge response pattern, the novel network architecture of software defined networking (SDN) possess whole network intelligence and distribute control rules directly to edged SDN switches, which brings a good opportunity to solve the IP spoofing problem. By taking advantage of SDN, in this paper, we propose an SDN-based integrated IP source address validation architecture (ISAVA) which can cover both intra- and inter-domain areas and effectively lower SDN devices deployment cost, while achieve desirable control granularities in the meantime. Specifically, within autonomous system (AS), ISAVA relies on an SDN incremental deployment scheme which can achieve IP prefix (subnet)-level validation granularity with minimum SDN devices deployment. While among ASes, ISAVA sets up border server and establishes a vouch mechanism between allied ASes for signing outbound packets so as to achieve AS-level validation granularity. Finally, conducted experiments confirm that ISAVA intra-domain scheme can get beyond 90% filtering rates with only 10% deployment in average, while the inter-domain scheme can get high filtering rates with low system cost and less storage usage.