
Summary:
As a new scheme to deal with IP spoofing, which is among the attackers'
favorite weapons to carry out DDOS (Distributed Denial of Service)
attacks, this paper presents a Hop-Count Filtering scheme to detect and
discard spoofed IP packets to conserve system resources.

The rationale is that most spoofed IP packets, when arriving at the
victims, do not carry hop-count values that are consistent with the IP
addresses being spoofed. The feasibility of hop-count filtering depends on
the following factors, which the paper claims to be valid: (1) hop-counts
are stable, (2) hop-count-distribution is diverse, and (3) hop-count
filtering is hard to evade even when the attackers are aware of its
deployment.

The author monitored the routes between hosts among 113 sites during 4
months' interval, and observed that 95% of the paths had less fewer than 5
observable daily changes. So hop-count is very stable. It's also showed
that Hop-count roughly follows Gaussian distribution, and the largest
percentage of IP addresses that have a common hop-count value is only 10%,
which makes it possible for hop-count filtering to work effectively. If
the attacker knows the hop-count that it takes from the spoofed IP address
to the target victim, he/she can fake the initial TTL value accordingly
and hop-count filtering can be evaded. But the DDOS attackers usually use
a large set of randomly generated IP addresses to carry-out attacks, and
it's very hard, if not impossible, for the attacker to know all the
hop-counts between the spoofed IP addresses and the target. The author
further proves that no matter whether the attacker carries the DDOS from a
single source, multiple source, or use more sophisticated attack schemes,
none of these efforts are much more effective than each other to elude
hop-count filtering.

The accuracy of hop-count filtering is based on an IP-to-hop-count table.
The author shows that the IP-to-hop-count table can be spatially
inexpensive when using aggregation techniques such as 24-bit prefix or
hop-count clustering. And the table can be safely initialized and kept
up-to-date without any pollution.

Hop-count filtering operates in two different states: alert and action. By
default, HCF stays in alert state and monitors the trend of hop-count
changes without discarding packets. Upon detection of a spike of spoofed
packets, it switches to action state to examine each packet and discards
spoofed IP packets.

Conclusion:
Analysis based on network measurements shows that 90 percent of the
spoofed traffic can be removed by hop-count filtering. Overall, hop-count
filtering is straightforward, easy to implement, readily deployable, and
hard to escape.

Pros:
This paper is well written: it clears describes what they are doing with
very focused effort. The hop-count filtering idea is simple and yet has
good properties such as being effective and hard to escape. The proof of
concept implementation shows its practicalness. The two-mode operation
reduces its collateral damage.

Cons:
This proposed approach, which is claimed to be host-based, handles
CPU-based DDOS attacks, but doesn't work well for bandwidth-based attacks
unless cooperation of the router is provided.
It's not clear how long it takes to build from scratch a "fully"
functional IP-to-hop-count table. Nor does the author discuss what
qualifies a good threshold to switch between alerts and actions, or how
often the switching-over happens. Some of the results in the paper, e.g.,
the 90% effectiveness of hop-count-filtering, are inferred indirectly from
analysis of collected network measurements. However, it would be more
interesting to see how hop-counter-filtering behaves in a real-world
scenario.
There's not much room for hop-count-filtering to improve. Given that the
hop-count distribution in the Internet is as it is now: the most common
hop-count can be 10%, hop-count-filtering is not likely to be more
effective than 90%. Also, it's hard for hop-count filtering to handle
cases like NAT (network address translation), where the seemingly same IP
address can be reused by multiple hosts with possibly different
hop-counts, and DRDoS, where not every reflector necessarily has an
incentive to get hop-count-filtering deployed.

Votes:
Strongly Accept: 4
Accept: 6
Reject: 1
Strongly Reject: 0