Defense Against Spoofed IP Traffic Using Hop-Count Filtering

IP spoofing has often been exploited by Distributed Denial of Service (DDoS) attacks to conceal flooding sources and dilute localities in flooding traffic, and coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victim servers is essential to their own protection and prevention of becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he cannot falsify the number of hops an IP packet takes to reach its destination. More importantly, since the hop-count values are diverse, an attacker cannot randomly spoof IP addresses while maintaining consistent hop-counts.