Abstract—Source IP address spoofing is still a significant problem on today’s Internet. Recent DDoS attacks, which combined source IP spoofing and amplifying UDP services, have resulted in attack traffic volumes exceeding hundreds of gigabits per second. In this work we argue that the ingress packet filtering solutions proposed in BCP 38 more than 13 years ago have failed to solve the issue due to fundamental incentive misalignment. We present an SDN implementation of feasible path reverse path forwarding which tier 2 ISPs could implement using OpenFlow switches at peering points with no impact to the performance of their routers. We show how an SDN solution can handle error cases more gracefully than current reverse path forwarding implementations. We illustrate that this proposal is well-aligned with the economic incentives of the adopting parties and furthermore does not require ubiquitous adoption to create network-wide immunity. We describe our open code implementation on OpenFlow. Finally, we discuss the limitations of this filtering approach.

Index Terms—IP Spoofing, SDN, Distributed denial of service attacks, Internet routing.

The authors are with the School of Informatics and Computing, Indiana University, Bloomington, IN, USA.

Cite:Kevin Benton, L. Jean Camp, Tim Kelley, Martin Swany, "Filtering Source-Spoofed IP Traffic Using Feasible Path Reverse Path Forwarding with SDN," International Journal of Computer and Communication Engineering vol. 5, no. 6, pp. 441-454, 2016.