MIT's Spoofer Project
The classic design tenets of Internet architecture produced a network capable of remarkable scalability while relegating security to the end hosts. As a result, the public Internet includes no explicit notion of authenticity and will forward packets with forged headers. Malicious users capitalize on the ability to "spoof" source IP addresses for anonymity, indirection, targeted attacks and security circumvention. Compromised hosts on networks that permit IP spoofing enable a wide variety of attacks. Despite being first exploited over two decades ago, IP spoofing is a persistent problem and a continued threat. In addition to mounting spoofed-source bandwidth-based denial-of-service (DoS) attacks, new exploits utilizing IP spoofing surface regularly.
The anonymity afforded by spoofing greatly complicates the job of network operators defending their networks. Ingress address filtering [RFC2827] or unicast reverse path forwarding (uRPF) checks [RFC3704] can prevent spoofing when practical. In production networks, however, these filtering techniques are limited by multi-homing, route asymmetry, filter list maintenance and router design. As a result, our initial study demonstrates that a considerable portion of the Internet is vulnerable to IP spoofing, while analysis of backscatter shows spoofing remains widespread.
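Why multi-homing and route asymmetry limit uRPF can be seen in a small model of the strict, feasible-path and loose modes from RFC 3704. This is an added example, not code from the Spoofer project; the routing table, interface names and packets are constructed, and `urpf_accept` is a hypothetical helper.

```python
import ipaddress

# Constructed routing table for a hypothetical edge router (documentation prefixes).
# prefix -> [(interface, preference)]; the lowest preference is the best return path.
ROUTES = {
    "198.51.100.0/24": [("eth0", 10), ("eth1", 20)],  # multi-homed customer
    "203.0.113.0/24": [("eth1", 10)],                 # single-homed customer
}

def routes_for(src):
    """Longest-prefix match of a source address; returns its candidate routes."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), r) for p, r in ROUTES.items()
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else []

def urpf_accept(src, in_iface, mode):
    """Return True if a packet from src arriving on in_iface passes the check."""
    routes = routes_for(src)
    if not routes:
        return False                      # no route to the source at all
    if mode == "loose":
        return True                       # any route, on any interface
    if mode == "feasible":
        return in_iface in [i for i, _ in routes]   # any known path
    if mode == "strict":
        return in_iface == min(routes, key=lambda r: r[1])[0]  # best path only
    raise ValueError(f"unknown mode: {mode}")

# Constructed packets: (description, source address, arrival interface)
PACKETS = [
    ("customer via primary link", "198.51.100.7", "eth0"),
    ("customer via backup link (asymmetric)", "198.51.100.7", "eth1"),
    ("neighbour's prefix on wrong port", "203.0.113.9", "eth0"),
    ("unrouted source", "192.0.2.1", "eth0"),
]

def evaluate():
    """Map each packet description to its verdict under every mode."""
    return {desc: {m: urpf_accept(src, ifc, m) for m in ("strict", "feasible", "loose")}
            for desc, src, ifc in PACKETS}

if __name__ == "__main__":
    for desc, verdicts in evaluate().items():
        print(f"{desc:40} {verdicts}")
```

Strict mode drops the legitimate packet that arrives over the customer's backup link, while loose mode accepts a source address that belongs behind a different interface; feasible-path mode handles both cases only because the router knows the alternate route.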
Previous research investigates various means of tracing or mitigating spoofing. Jin et al. give a scheme to block spoofed packets based on hop count, while Duan et al. detail a filtering mechanism based on feasible path construction. Packet marking and traceback mechanisms provide a means to trace spoofed packets to their origin, removing the advantage of anonymity. Despite these research efforts, finding and preventing sources of spoofed traffic remains an operationally difficult problem for network operators. This project seeks to determine the extent to which spoofing is currently possible and a relevant issue on the Internet.