Date Added: Jan 2013
The Distributed Denial-of-Service (DDoS) attack is a serious threat to the legitimate use of the Internet. In this paper, the authors propose an Inter Domain Packet Filter (IDPF) architecture that can reduce the level of IP spoofing on the Internet. A key feature of their scheme is that it does not require global routing information. IDPF's are constructed from the information implicit in Border Gateway Protocol (BGP) route updates and are deployed in network border routers and IDPF's does not discard packets with valid source addresses. Here, they show that, even with partial deployment on the Internet, IDPF's can proactively limit the spoofing capability of attackers. In addition, they can help localize the origin of an attack packet to a small number of candidate networks.