Techniques described herein augment packet tagging Distributed Denial-of-Service (DDOS) mitigation solutions with a powerful anti-spoofing capability. A Segment Routing over Internet Protocol (IP) version 6 (SRv6) network programming technique is proposed herein wherein authenticated sessions are given an SRv6 header to append to all outbound packets. Traffic with the valid SRv6 header is allowed to pass thru the service provider network whereas all other traffic destined to the victim of the DDOS attack is dropped. The valid SRv6 header address can be rotated from amongst the 18, 446, 744, 073, 709, 551, and 616 possible addresses found in a /64 IPv6 subnet, thus making it nearly impossible to spoof the valid SRv6 address.

Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.