IP Traceback Based on Deterministic Packet Marking and Logging

Abstract

IP traceback mechanisms are a critical part of the defense against IP spoofing and DoS attacks. Currently proposed traceback mechanisms are inadequate to address the traceback problem for the following reasons: they lack incentives for ISPs to deploy IP traceback in their networks; they do not scale to large scale distributed DoS attacks. In this paper, a novel IP traceback approach based on packet logging and deterministic packet marking (LDPM) is proposed, that significantly improves IP traceback in several aspects: (1) LDPM is built on a distributed hierarchical IP traceback system, and is simple to deploy. (2) LDPM uses a new IP header encoding scheme to store the complete identification information of a router into a single packet, thus it can protect the privacy of network topology and victims can identify attack ingress router with one packet. It also can cope with large distributed attacks with thousands of attackers. (3) LDPM can manipulate the marking information at the edge ingress routers. Therefore, as a value-added services, ISPs can provide traceback business to their customers. Compared with previous traceback schemes, LDPM improves the performance and practicability of IP traceback.