
Research On The Technology Of Intra-domain Source Address Validation

Posted on: 2011-12-23
Degree: Master
Type: Thesis
Country: China
Candidate: G L Cai
GTID: 2178330338489824
Subject: Computer Science and Technology

Abstract/Summary:
Network attacks that use source address spoofing are known as one of the most severe threats to network security. Source address validation is one of the most effective techniques against them and is widely used to solve the problem, so research on source validation is of great importance in both theory and practice.

Many solutions based on source validation have been proposed. After a careful study of these solutions, we propose a novel source validation architecture called SVA. The SVA architecture consists of two key components: Active path identification (Active SPi) and OSPF assisted reverse path forward (OAuRPF), each of which can be used independently to validate the source address.

Active SPi is an end-system validation technique in which routers mark packets and the end system performs the filtering. The mark value is calculated from the hash of the IP address using a fixed-length labeling scheme, and the label of the next hop is written into the packet header. The end system verifies proactively: it sends verification messages to the source of the packets and uses the value carried in the reply packets from the source to determine the authenticity of the packets' source address. This end-system filtering mechanism has higher deployment incentives and can dynamically adapt to network topology changes.

OAuRPF is a network authentication technology for source address validation, in which routers filter out attacking flows by using forwarding information. We add a route symmetry computing module to the router's control engine, which generates appropriate filter rules and forms them into a matching table. We also add a source address validation module to the router's forwarding engine, which interacts with the forwarding table and the matching table and filters packets dynamically. This improves the effectiveness of the uRPF mechanism in the case of asymmetric routing and reduces the drop ratio of user packets.

Finally, a prototype system of SVA is implemented in Linux, and we construct simulations with various network topologies to verify the effectiveness and filtering accuracy of the SVA architecture. The simulation results show that SVA can respond quickly to source address forgery attacks and achieves better filtering.
Keywords/Search Tags: Autonomous System, source address validation, Source Validation Architecture