Analysis of the false-positive error rate of tagged fragment marking scheme

Abstract

IP traceback is an effective measure to deter internet attacks. A number of techniques have been suggested to realize IP traceback. The Fragment Marking Scheme (FMS) is one of the most promising techniques. However, it suffers a combinatorial explosion when computing the attackerʼs location in the presence of multiple attack paths. The Tagged Fragment Marking Scheme (TFMS) has been suggested to suppress the combinatorial explosion by attaching a tag to each IP fragment. Tagging is effective because it allows the victim to differentiate IP fragments belonging to different routers, thereby greatly reducing the search space and finding the correct IP fragments. TFMS, however, increases the number of false positives when the number of routers on the attack path grows beyond some threshold. In this paper, we rigorously analyze the performance of TFMS to determine the correlation between the number of routers and the false positive error rate. Using a probabilistic argument, we determine the formulas for combination counts and error probabilities in terms of the number of routers. Under TFMS, our results show that we can reduce the required time to find an attackerʼs location at the cost of a low error rate for a moderate number of routers.