Preventing DRDoS Attacks in 5G Networks: a New Source IP Address Validation Approach

摘要

Distributed Reflection Denial of Service (DRDoS) attack has become one of the most serious threats to Internet security. With the ongoing development of 5G, a massive number of insecure Internet of Things (IoT) devices are connected to the Internet, which brings great challenges to defend against DRDoS attacks. To overcome these challenges, we extend the User Plane Function (UPF) of 5G core network, and propose a new framework accordingly for source IP address validation, so as to suppress the source IP address spoofing behaviors of DRDoS attackers. Under this framework, the packet inspection rate (PIR), i.e., the inspection probability of each packet, is crucial to simplify the validation complexity. To unveil the optimal PIR, we establish a two-player game which models the IP address spoofing and detection behaviors. Analysis on the formulated game implies a lower bound of sufficient PIR, which may be used to set PIR in practice. Simulation results show that the proposed method can efficiently deter IP spoofing behaviors. Thereby the derived PIR could achieve low-cost and effective defense of DRDoS.