A method to prevent source address spoofing in TCP/IP based networks so as to reduce the risk of Denial of Service (DoS) attacks on any host in the network
Original Publication Date: 2004-Feb-09
Included in the Prior Art Database: 2004-Feb-09
Disclosed herewith is a method to prevent address spoofing in TCP/IP based networks. The method can be implemented in both software and hardware/firmware. The method involves performing source address checks before sending the packets on the wire. This is similar to the checks that are performed when packets are received.
One of the most commonly used protocol suites for network communication is the TCP/IP protocol suite. TCP/IP is a layered protocol. Machines using TCP/IP have at least two addresses, which form an integral part of two of the layers in the TCP/IP suite, namely the Network Layer and the Data Link Layer. One is the physical (Data Link Layer) address, i.e. the address of the network card, commonly referred to as the MAC address. The other is the network address (Network Layer), commonly referred to as the IP address.
When data needs to be sent from machine A (referred to as the source) to machine B (referred to as the destination), the TCP/IP protocol suite in machine A forms a packet using its own MAC address and IP address as well as the MAC address and IP address of machine B. The MAC address of machine A is referred to as the source MAC address and the IP address of machine A is referred to as the source IP address. Correspondingly, the MAC address of machine B is referred to as the destination MAC address and the IP address of machine B is referred to as the destination IP address.
Machine A then sends the packet to the network, i.e. the actual physical medium. Two levels of checks are made by machine B before accepting the packet from machine A. The first level of check is the matching of the destination MAC address in the packet with its own MAC address or with the broadcast/multicast address. Machine B will reject the packet if the destination MAC address does not match its own MAC address and is not a broadcast/multicast address. This check is usually taken care of by the firmware of the adapter. The next level of checking is done at the network layer (of the TCP/IP protocol suite). Machine B will reject the packet if the destination IP address in the packet does not match its own IP address. There is, however, an exception to the second level of checking: it is not performed if the machine is configured as a router.
While transmitting packets to the network, no such checks are made. As a consequence it is very easy to build packets with any source address and send them to the network. This is referred to as source address spoofing. The most common form is IP address spoofing, whereby packets with a fake source IP address are sent to the network. It has allowed attackers to create havoc in the network at will. Specially crafted packets with fake source IP addresses are sent at random to a machine on the network to cause a denial of service attack on that machine. Software is available to automate this kind of spoofing, so no special expertise is required to perform IP address spoofing.
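The following is an added example, not part of the disclosure, modelling in Python the two-level receive-side check described above and the symmetric transmit-side source-address check the disclosure proposes. The `Host` and `Packet` structures, the field names and the sample addresses are constructed for illustration. One assumption goes beyond the text: for a router relaying someone else's packet, the egress check cannot require the source IP to be the router's own, so the example instead requires it to fall within prefixes the router knows to lie behind its ingress side (the egress analogue of the router exception the disclosure gives for the receive check).

```python
"""Added example (not the disclosure's own code): receive-side address
checks plus the proposed egress source-address check, modelled in software.
All hosts, packets and addresses below are constructed sample data."""
import ipaddress
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def norm(mac: str) -> str:
    """Canonical lower-case form so comparisons ignore letter case."""
    return mac.lower()


def is_multicast_mac(mac: str) -> bool:
    """The I/G bit (lowest bit of the first octet) marks group addresses."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str
    forwarded: bool = False  # True when a router relays another host's packet


@dataclass
class Host:
    mac: str
    ips: frozenset            # IP addresses configured on this host
    is_router: bool = False
    # Assumption (not in the disclosure): prefixes a router may legitimately
    # relay packets from; used only for the egress check on forwarded packets.
    forwardable_src_prefixes: tuple = ()


def accept_on_receive(host: Host, pkt: Packet):
    """Two-level receive check as the disclosure describes it."""
    dst_mac = norm(pkt.dst_mac)
    # Level 1 (data link layer, normally done by adapter firmware).
    if (dst_mac != norm(host.mac) and dst_mac != BROADCAST_MAC
            and not is_multicast_mac(dst_mac)):
        return False, "dst MAC is neither ours nor broadcast/multicast"
    # Level 2 (network layer), skipped when the host is a router.
    if host.is_router:
        return True, "router: destination IP check skipped"
    if pkt.dst_ip not in host.ips:
        return False, "dst IP is not ours"
    return True, "accepted"


def allow_transmit(host: Host, pkt: Packet):
    """Proposed egress check: the source addresses must belong to the sender."""
    if norm(pkt.src_mac) != norm(host.mac):
        return False, "source MAC does not belong to this host"
    if pkt.forwarded and host.is_router:
        src = ipaddress.ip_address(pkt.src_ip)
        if any(src in ipaddress.ip_network(p)
               for p in host.forwardable_src_prefixes):
            return True, "forwarded packet with plausible source"
        return False, "forwarded packet with source outside known prefixes"
    if pkt.src_ip not in host.ips:
        return False, "source IP does not belong to this host"
    return True, "transmitted"


# Constructed sample hosts (documentation addresses, locally administered MACs).
HOST_A = Host(mac="02:00:00:00:00:0a", ips=frozenset({"192.0.2.10"}))
HOST_B = Host(mac="02:00:00:00:00:0b", ips=frozenset({"192.0.2.20"}))
ROUTER = Host(mac="02:00:00:00:00:01", ips=frozenset({"192.0.2.1"}),
              is_router=True, forwardable_src_prefixes=("192.0.2.0/24",))


def demo():
    """Run a legitimate packet and a spoofed one through both checks."""
    legit = Packet(HOST_A.mac, "192.0.2.10", HOST_B.mac, "192.0.2.20")
    spoofed = Packet(HOST_A.mac, "198.51.100.7", HOST_B.mac, "192.0.2.20")
    results = {
        "legit_tx": allow_transmit(HOST_A, legit)[0],
        "legit_rx": accept_on_receive(HOST_B, legit)[0],
        "spoofed_tx": allow_transmit(HOST_A, spoofed)[0],
    }
    for name, ok in results.items():
        print(f"{name}: {'pass' if ok else 'dropped'}")
    return results


if __name__ == "__main__":
    demo()
```

The egress check is the mirror image of the receive check: a host that verifies destination addresses on the way in can, at the same cost, verify source addresses on the way out, and the packet never reaches the wire if they are not its own.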
Nearly all the Denial of Service (DoS) attacks are based on address spoofing. The recent trend of Distributed Denial of Service attacks noticed in 2000 - 03...