Abstract

IP spoofing exacerbates many security threats, and reducing it would greatly enhance Internet security. Seven defenses that filter spoofed traffic have been proposed to date; three are designed for end-network deployment, while four assume some collaboration with core routers for packet marking or filtering. Because each defense has been evaluated in a unique setting, the following important questions remain unanswered: 1) Can end networks effectively protect themselves or is core support necessary? 2) Which defense performs best assuming sparse deployment? 3) How to select core participants to achieve best protection with fewest deployment points? This paper answers the above questions by: 1) formalizing the problem of spoofed traffic filtering and defining novel effectiveness measures, 2) observing each defense as selfish (it helps its participants) or altruistic (it helps everyone) and differentiating their performance goals, 3) defining optimal core deployment points for defenses that need core support, and 4) evaluating all defenses in a common and realistic setting. Our results offer a valuable insight into advantages and limitations of the proposed defenses, and uncover the relationship between any spoofing defense's performance and the Internet's topology.