End Host Defense against DDoS Attacks with IP Spoofing

DDoS attacks are becoming a common nature to the internet and effective defense mechanisms are yet to be discovered. IP spoofing is a common nature of many DDoS attacks. While forging any field in an IP header is possible, number of hops an IP packet takes to reach its destination is solely depended on the routing infrastructure of the internet. A spoofed packet received at a specific host, would have wrong number of hops if it has been generated by an attacker with different distance to the host comparing to the legitimate packet generated by the original source. Since most modern Operating Systems, use only a few initial Time-to-Live (TTL) values, the final TTL value in a received packet could be used to determine whether or not the packet is spoofed. In this paper we propose a simple but yet effective filtering scheme, TTLF, we will use the final TTL values in previously captured legitimate IP packets as method of authentication for any new coming IP packet. Finally, we will present an implementation of TTLF in Linux kernel and demonstrate the performance gain obtained by using TTLF.