The trustworthiness of the Internet has an important influence on the development of society and the security of the state. However, network security incidents occur frequently and impair that trustworthiness. For example, attackers forge the source IP addresses of packets to launch IP spoofing attacks, which undermine the foundation of the Internet's trustworthiness, namely the validity of source IP addresses. Hence, it is important to build effective prevention mechanisms that filter IP spoofing packets and to build a trustworthy network.

Meanwhile, research on existing spoofing prevention mechanisms, such as label-based spoofing prevention and route-based filtering, has found that spoofing prevention is burdened with serious problems. For example, the small protected domains and the coarse-grained filtering leave spoofing prevention deficient. In this thesis, by integrating the above two methods and controlling both the granularity of source IP address aggregation and the domain of coordination among defenders, we study inter-domain IP spoofing prevention. The main contributions of the thesis are as follows:

Recent proposals for IP spoofing prevention are inefficient at filtering spoofing packets because of partial deployment. To address this problem, we propose an efficient mechanism called MASK to extend the domain of inter-domain IP spoofing prevention. Source MASK nodes inform destination MASK nodes of the source IP spaces and labels of their neighbor Stub-ASes in order to implement the marking and verification of packets towards the Stub-ASes, and they limit the number of MASK peers through the propagation of BGP updates so as to reduce the overhead of computing and storing labels. By extending spoofing prevention to Stub-ASes, MASK can not only enlarge the domain of the spoofing prevention service but also filter spoofing packets in advance.

Inter-domain IP spoofing prevention mechanisms ignore the flooding of spoofing packets on intermediate networks. To handle this problem, we propose a novel mechanism named ESP to enhance inter-domain IP spoofing prevention. By integrating path labels into source labels, ESP resolves the collision of source labels at destination networks and enables filtering of IP spoofing packets destined for other nodes in intermediate networks, thus preventing flooding attacks in advance and extending the protected domain of spoofing prevention. Based on BGP updates, ESP develops a validation of prefix security to restrict the scope of label propagation, thus decreasing the cost of computing and storing labels.

Many IP spoofing prevention proposals share the shortcoming that they cannot filter spoofing packets that forge the IP addresses of other hosts in the same domain. To handle this problem, we propose a mechanism called RISP to refine inter-domain IP spoofing prevention. Based on the stability of AS topologies, RISP introduces asymmetric fine-grained labels between source subnets and destination ASes, which can filter spoofing packets originating from ASes or subnets. Based on the main characteristics of attacks that employ IP spoofing, RISP combines anomaly detection with IP spoofing prevention; the anomaly detection can trigger dynamic marking, keep the cost of computing and storing labels from growing, and limit the rates of malicious flows.

To coordinate integrated IP spoofing prevention, we propose HCM (Hierarchical Coordination Model). By combining centralized intra-domain control with distributed inter-domain coordination, adopting HCM, we develop hierarchical IP spoofing prevention, which enhances the capability of spoofing prevention.