SAVE : Source Address Validation Enforcement

In today's Internet, any node can send a packet to any other node that uses the standard protocol set. When abused by attackers, such flexibility can also lead to various kinds of disastrous behaviors at the target. The SYN denial-of-service attack is one example. While developing more robust protocol behaviors is important, complex protocols are unlikely to be completely bullet-proof. One good method of foiling such attacks is to identify the culprit and take measures to stop him, such as shutting off his node from the network, contacting his system administrator, or notifying law enforcement authorities.

This method only works if the attacker can almost always be correctly identified. Unfortunately, in today's Internet one cannot easily identify attackers with any confidence. The obvious way to determine the sender of a malicious packet is to examine the source address field in the IP header; but existing Internet protocols allow senders to fill in this field arbitrarily. Despite incorrect source address field, the network will properly route the packet to its destination. Responses, of course, will go to someone other than the attacker, which means that this vulnerability most likely cannot be used to obtain secret information or services. On the other hand, sometimes this feature allows the attacker to assault two sites for the price of one, since any bad responses to the packet will be routed to the misidentified sender, possibly causing further difficulties there. The receiver of the malicious packet has no confidence that the source address field is accurate.

Researchers in the Laboratory for Advanced Systems Research in UCLA's Computer Science Department have been working on address filtering project to solve this problem. Thanks to a funds and equipment grant from the Intel Corporation, we have an opportunity to study the feasibility of putting important security enhancements into high-speed routers. In the SAVE project, we are using Intel's IXP equipment to develop a system capable of filtering out packets with forged IP source addresses.

This project is sponsored by NSF under grant ANI-9980501.

Project Members:

Peter Reiher, co-principal investigator
Lixia Zhang, co-principal investigator
Jun Li, former graduate student, now at University of Oregon
Jelena Mirkovic, graduate student
Zhiguo Xu, graduate student
Mattew Schnaider, graduate student
Gregory Prier, graduate student

Publications:

Simulation Tools:

Parsec has been selected as the simulation platform for this project. Currently both RIP and BGP-4 are being studied. We will further study other routing protocols as well.

Links:

Total  visits since 12/01/2002.