A New Active Path Identification and Filtering Method

Network attacks based on source address spoofing have become one of the most serious threats to the network security. In this paper, we propose an active source validation scheme based on path identification, referred to as Active SI, which combines the router marking mechanism and the end-system filtering mechanism. In router marking, the router mark each received packet before forward it. In end-system filtering, end-systems send probe packet and perform path learning according to response messages. The learning ability enable end-systems to efficiently verify source address authenticity of received packets. Based on the result of active learning, we establish a trust table which provides support for the subsequent validation. The trust table well solves the imprecision problem of positive learning including such based on probability, threshold and so on. We also present performance analysis of our scheme, and results show that our scheme can efficiently defense against source address spoofing attacks with high filtering precision and good adaptability. Moreover, Active SI support incremental deployment which demonstrates the practicality of our scheme.