On the use of BGP AS numbers to detect spoofing

GLOBECOM Workshops(2010)

Abstract
Spoofed IP traffic (traffic containing packets with incorrect source IP addresses) is often used by Internet-based attackers for anonymity. This method reduces the risk of trace-back and avoids attack detection by traffic-based sensors. An ISP's Security Operations Center (SOC) needs an efficient spoofed-source detection mechanism to protect its customers from network-based attacks. Typically, an SOC has to offer such protection under the following operational constraints: a) limited traffic monitoring points, located within the network core rather than at the edge, owing to the performance cost of incorporating monitoring; b) limited information on network topology and routing paths; c) very high data rates; d) sampled traffic data; and e) limited storage and processing capabilities for analysis. This paper describes an approach to spoofed-source detection intended for an operational ISP network under the above constraints. The approach relies on the creation of concise source BGP AS (Autonomous System) profiles for each available monitoring point in the network. Profiles are constructed by observing recent historical monitoring data; each constructed profile is then used to detect spoofed traffic in real time. An AS-based network profile is advantageous compared to an IP-address-based profile because of (a) the relative conciseness of the former and (b) the ability to make inferences about source IP addresses not observed during the training or profiling period. A preliminary evaluation of AS-based profiles was performed using real-time traffic observed in an enterprise network. The evaluation focused on profile size and profile convergence time.
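The two-phase scheme the abstract describes (map sampled source IPs to their BGP origin AS, build a per-monitoring-point AS profile, then flag live sources whose AS is absent from that point's profile) is sketched below as an added example; it is not code from the paper. The prefix-to-AS table, the monitoring-point names and the sampled flows are constructed stand-ins for a BGP RIB snapshot and real monitoring data.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix -> origin-AS table standing in for a BGP RIB snapshot
# (hypothetical prefixes and private-use AS numbers, not from the paper).
PREFIX_TO_AS = {"10.1.0.0/16": 64501, "10.2.0.0/16": 64502, "192.0.2.0/24": 64503}
_PREFIXES = sorted(((ipaddress.ip_network(p), a) for p, a in PREFIX_TO_AS.items()),
                   key=lambda t: t[0].prefixlen, reverse=True)

def origin_as(ip):
    """Longest-prefix match of a source IP to its BGP origin AS (None if unrouted)."""
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in _PREFIXES if addr in net), None)

def build_profiles(samples):
    """Training phase: per monitoring point, the set of source ASes observed."""
    profiles = defaultdict(set)
    for point, src_ip in samples:
        asn = origin_as(src_ip)
        if asn is not None:          # unrouted sources never enter a profile
            profiles[point].add(asn)
    return dict(profiles)

def profile_sizes(samples, point):
    """(distinct source IPs, distinct source ASes) seen at one point: the
    conciseness argument, since the AS count stays far below the IP count."""
    ips = {ip for p, ip in samples if p == point}
    return len(ips), len({origin_as(ip) for ip in ips} - {None})

def classify(profiles, point, src_ip):
    """Detection phase: an unrouted source is treated as spoofed outright; a
    routed source is accepted only if its AS was seen at this point in training."""
    asn = origin_as(src_ip)
    if asn is None:
        return "unrouted"
    return "ok" if asn in profiles.get(point, set()) else "suspect"

# Constructed sampled training flows as (monitoring point, source IP).
TRAINING = [("core-A", "10.1.0.5"), ("core-A", "10.1.3.9"), ("core-A", "10.2.8.1"),
            ("core-B", "192.0.2.4"), ("core-B", "10.2.0.7")]

if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    print(profiles)                                     # {'core-A': {64501, 64502}, ...}
    print(profile_sizes(TRAINING, "core-A"))            # (3, 2)
    # 10.1.77.3 was never sampled, yet its AS was: accepted by inference.
    print(classify(profiles, "core-A", "10.1.77.3"))    # ok
    print(classify(profiles, "core-A", "192.0.2.9"))    # suspect
    print(classify(profiles, "core-A", "203.0.113.5"))  # unrouted
```

With sampled data the profile converges once every AS that legitimately reaches a monitoring point has been seen at least once, which is what the paper's convergence-time measurement captures; an operator would also want a fallback (such as a learning window or allow-list) for ASes that first appear after training ends.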
Keywords
ip networks,computer network security,internetworking,routing protocols,telecommunication network topology,telecommunication traffic,bgp as number,isp network,internet-based attacker,attack detection,autonomous system,border gateway protocol,network routing path,network topology,security operation center,spoofed ip traffic,spoofed source detection,traffic monitoring,border gateway protocol (bgp),distributed denial of service (ddos),spoofing,distributed denial of service,routing,filtering,network interfaces,internet,real time,process capability