An event based technique for detecting spoofed IP packets

Journal of Information Security and Applications
NIKHIL TRIPATHI
Abstract
Distributed Denial of Service (DDoS) attacks are one of the prominent network security attacks. In a DDoS attack, several machines send a large amount of network traffic to the victim using spoofed IP addresses. Unfortunately, there is no reliable technique to detect spoofed IP packets. In this paper we argue that proactive detection of spoofed IP packets will help in predicting DDoS attacks, and we describe an event-based detection method to identify spoofed IP packets. Our method works by proactively probing received packets for genuineness. The active probing technique uses inconsistencies in the TTL values of received packets to decide whether the first packet was spoofed or genuine. We enumerate several possible spoofing scenarios with our detection method in place and identify the type of each based on the response to probing. Further, we study the limitations of the event-based method and discuss ways to overcome them. We design and experiment with all spoofing scenarios in a real network setup and report the results. With a few optimizations to the probing strategy, the overhead incurred can be minimized considerably, which makes the proposed technique useful for detecting DDoS attacks.
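
The TTL-consistency idea in the abstract can be illustrated by comparing the estimated hop count of a received packet with that of the reply to a probe sent to its claimed source. This is an added example, not the paper's algorithm: the initial-TTL table, the `tolerance` value, the verdict labels and the sample events are assumptions constructed for illustration.

```python
# Added illustration: TTL consistency check between a received packet and the
# reply to a probe sent to its claimed source. Not the paper's algorithm.

# Assumption: senders start from one of these widely used initial TTL values.
INITIAL_TTLS = (32, 64, 128, 255)


def hop_count(observed_ttl):
    """Estimate hops travelled as (nearest initial TTL >= observed) - observed."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    initial = next(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl


def classify(packet_ttl, probe_reply_ttl, tolerance=2):
    """Compare the path length of the first packet with that of the probe reply.

    probe_reply_ttl is None when the claimed source never answered the probe.
    tolerance (hypothetical value) absorbs small route asymmetry.
    """
    if probe_reply_ttl is None:
        return "unverified"  # no reply: cannot confirm the claimed source
    diff = abs(hop_count(packet_ttl) - hop_count(probe_reply_ttl))
    return "consistent" if diff <= tolerance else "suspect-spoofed"


# Constructed sample events: (claimed source, TTL of packet, TTL of probe reply).
SAMPLE_EVENTS = [
    ("192.0.2.10", 52, 52),     # same path length, same initial TTL
    ("192.0.2.20", 52, 116),    # 64-52 == 128-116: raw TTLs differ, hops agree
    ("192.0.2.30", 57, 40),     # 7 hops vs 24 hops: inconsistent
    ("192.0.2.40", 57, None),   # claimed source silent
]


def triage(events):
    """Return {claimed_source: verdict} for a batch of probe results."""
    return {src: classify(pkt, reply) for src, pkt, reply in events}


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{src:12} {verdict}")
```

Comparing hop counts rather than raw TTLs keeps the check from flagging a host whose probe reply starts from a different initial TTL than its original packet.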
