Round trip time to improve hop count filtering

Abstract

Cyber attacks are a major threat to today's Internet services. Most of these attacks utilize IP spoofing to conceal the actual source of the attack. In this paper, Hop Count Filtering (HCF), presented by Wang et al., is extended by utilizing both Round Trip Time (RTT) and Hop Count (HC) to detect IP spoofing where RTT calculation is possible. Based on one month traceroute data from 6 different sources to more than 380 destinations, an analysis is conducted to illustrate how the HC & RTT vary as seen by IPs in the same Autonomous System (AS) and same country, IPs in the same country but different AS, and IPs in different AS and different country. Results show that although IPs in the same AS have a high degree of similarity in terms of HC, the RTT can be used in conjunction with the HC to better differentiate between these IPs. RTT provides valuable information that would help improve the efficiency of HCF technique which solely relies on HC.