A deployable approach for inter-AS anti-spoofing

Filtering IP packets with spoofed source addresses not only improves network security, but also helps with network diagnosis and management. Compared with filtering spoofing packets at the edge of network which involves high deployment and maintenance cost, filtering at autonomous system (AS) borders is more cost-effective. Inter-AS anti-spoofing, as its name suggests, is implemented on AS border routers to filter spoofing packets before their entering or leaving an AS. Existing inter-AS anti-spoofing approaches focus on filtering efficiency, but lacks of deployability. In this paper we first introduce three properties of a deployable inter-AS anti-spoofing approach, incremental deployability, high deployment incentives and low deployment cost. Then we propose DIA, the first inter-AS anti-spoofing approach meeting the three properties. We present the design of DIA and evaluate its deployability with real Internet data. The evaluation results show that DIA provides high deployment incentives for Internet Service Providers by significantly mitigating spoofing based denial of service attacks. Our implementation proves that DIA can be easily implemented in commodity routers and minimize the deployment cost.