COLLOQUIUM
Department of Computer Science and Engineering
University of South Carolina

Hop-Count Filtering: An Effective Defense Against IP Spoofing

Haining Wang
Department of Electrical Engineering and Computer Science
University of Michigan

Date: April 4, 2003 (Friday)
Time: 3:30-4:30PM
Place: Swearingen 1A03 (Faculty Lounge)

Abstract

The growing number of Distributed Denial of Service (DDoS) attacks poses a serious threat to the availability of Internet services. DDoS attackers have exploited IP spoofing to (1) conceal flooding sources and the localities of flooding traffic, and (2) coax un-compromised hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victims is essential both to their own protection and to their avoidance of becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he cannot falsify the number of hops an IP packet takes to reach its destination. This hop-count information can be inferred from the Time-to-Live (TTL) value in the IP header. Based on this observation, this talk describes a novel filtering technique for Internet servers to winnow away spoofed IP packets. By clustering address prefixes based on hop-counts, Hop-Count Filtering (HCF) builds an accurate IP-to-hop-count (IP2HC) mapping table to detect and discard spoofed IP packets. Even if an attacker is aware of HCF, he cannot easily circumvent it. Through analysis using network measurement data, we show that HCF can identify and then discard close to 90% of spoofed IP packets with little collateral damage. We implement and evaluate HCF in the Linux kernel, demonstrating its benefits with experimental measurements.

Haining Wang is a PhD candidate in the Electrical Engineering and Computer Science department at the University of Michigan. He expects to complete his dissertation work in summer 2003. His thesis advisor is Prof. Kang G. Shin. His research interests lie in the area of networking, security and distributed computing. He is particularly interested in network security and network Quality of Service to support secure and service-differentiated internetworking.
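The abstract describes the core mechanism (infer hop count from TTL, build an IP2HC table from legitimate traffic, drop packets whose hop count disagrees with the table) without showing it. The following is an added illustration written for this announcement; it is not code from the talk, the HCF paper, or its Linux kernel implementation. It assumes the common hop-count inference in which senders use one of the default initial TTLs 32, 64, 128 or 255 and the hop count is the smallest of those that is not below the observed TTL, minus the observed TTL; it keys the IP2HC table by fixed /24 prefix rather than by the paper's hop-count-based prefix clustering; and all addresses, TTLs and packets are constructed for the example.

```python
# Added example: a minimal Hop-Count Filtering (HCF) check. Not from the talk
# or the HCF paper's implementation. Assumptions: default initial TTLs are
# 32/64/128/255; the IP2HC table is keyed by a fixed /24 prefix (a
# simplification of the paper's prefix clustering); all data is constructed.
import ipaddress
from collections import Counter

# Default initial TTLs used by common operating systems (assumption), ascending.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(ttl: int) -> int:
    """Infer hops travelled from an observed TTL.

    The sender's initial TTL is taken to be the smallest default value that is
    not below the observed TTL; an attacker can forge the TTL field but cannot
    change how many routers decrement it on the way to the victim.
    """
    if not 1 <= ttl <= 255:
        raise ValueError(f"TTL {ttl} cannot arrive at a host")
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise AssertionError("unreachable: 255 is the largest initial TTL")


class HopCountFilter:
    """IP2HC table plus the spoof check, keyed by address prefix."""

    def __init__(self, prefix_bits: int = 24) -> None:
        self.prefix_bits = prefix_bits
        self._table: dict[ipaddress.IPv4Network, Counter] = {}

    def _key(self, src_ip: str) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{src_ip}/{self.prefix_bits}", strict=False)

    def learn(self, src_ip: str, ttl: int) -> None:
        """Record a hop-count observation. Feed this ONLY from traffic known to
        be legitimate (e.g. after a completed TCP handshake), or an attacker
        can poison the table with spoofed learning packets."""
        hops = infer_hop_count(ttl)
        self._table.setdefault(self._key(src_ip), Counter())[hops] += 1

    def expected_hops(self, src_ip: str):
        """Most frequently observed hop count for the prefix, or None if unknown."""
        counts = self._table.get(self._key(src_ip))
        if not counts:
            return None
        return counts.most_common(1)[0][0]

    def is_spoofed(self, src_ip: str, ttl: int, tolerance: int = 0) -> bool:
        """True if the packet's inferred hop count disagrees with the table.
        Unknown prefixes are let through here (default-accept); a stricter
        deployment could treat them differently during an attack."""
        expected = self.expected_hops(src_ip)
        if expected is None:
            return False
        return abs(infer_hop_count(ttl) - expected) > tolerance


# Constructed "legitimate" observations (documentation ranges, not real hosts).
TRAINING_SAMPLES = [
    ("203.0.113.4", 51), ("203.0.113.19", 51), ("203.0.113.200", 51),
    ("203.0.113.7", 52),            # one noisy sample: 12 hops, outvoted
    ("198.51.100.10", 114), ("198.51.100.11", 114),   # 128 - 114 = 14 hops
    ("192.0.2.33", 240), ("192.0.2.34", 240),         # 255 - 240 = 15 hops
]

# Constructed packets to classify: (source address, observed TTL).
TEST_PACKETS = [
    ("203.0.113.77", 51),    # matches 13 hops: accepted
    ("203.0.113.77", 120),   # 128 - 120 = 8 hops: spoofed
    ("198.51.100.5", 50),    # 64 - 50 = 14 hops: collides with the real 14, passes
    ("10.0.0.1", 60),        # prefix never seen: let through
]


def build_demo_filter() -> HopCountFilter:
    hcf = HopCountFilter()
    for src, ttl in TRAINING_SAMPLES:
        hcf.learn(src, ttl)
    return hcf


def classify(hcf: HopCountFilter, packets):
    """Return [(src, ttl, inferred_hops, spoofed), ...] for the given packets."""
    return [(src, ttl, infer_hop_count(ttl), hcf.is_spoofed(src, ttl))
            for src, ttl in packets]


if __name__ == "__main__":
    for row in classify(build_demo_filter(), TEST_PACKETS):
        print(row)
```

The third test packet shows the known limit of the technique: an attacker who knows (or guesses) the victim's hop count from the spoofed prefix can pick an initial TTL so that the inferred hop count matches, so HCF thins the flood rather than eliminating it, consistent with the "close to 90%" figure in the abstract. Note also that the table must be learnt from traffic whose source is verified (the completed-handshake rule in `learn`), otherwise spoofed packets during the learning phase would teach the filter the attacker's hop counts.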