Abstract
IP traceback is known to be one of the most effective measures to deter Internet attacks. Various techniques for IP traceback have been suggested. Among them, we focus on the Probabilistic Packet Marking (PPM) scheme with tagging. We believe PPM is more advantageous than the others because it does not generate additional network traffic and requires minimal protocol change. However, three parameters need to be optimized to make PPM practical under massively multiple attack paths: the number of packets to collect, the number of fragment combinations needed to recover the IP addresses, and the false positive error rate. Tagging is an effective way to reduce the number of combinations, but it increases the false positive error rate when the number of routers in the attack paths grows. Other PPM-related techniques suggested in the past have similar problems: they improve one or two parameters at the expense of the others, or they require additional data structures such as an upstream router map. In this paper, we propose a method that optimizes the three parameters at the same time and recovers the original IPs quickly and correctly even in the presence of massively multiple attack paths. Our method needs neither a combinatorial process to recover IPs nor additional information such as an upstream router map. Our results show that our method recovers 95% of the original IPs correctly with no fragment combinations and with zero false positives. It needs to collect only 8N packets per router, where N is the number of routers involved in the attack paths.
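The trade-off the abstract attributes to tagging can be seen in a small simulation. This is an added example, not the paper's method or code: it models only a generic tagged-PPM baseline and assumes four 8-bit fragments per address, a tag taken from a truncated SHA-256 of the address, a victim that has already collected every mark, and constructed random router addresses.

```python
import hashlib
import random
from collections import defaultdict
from itertools import product
from math import prod

FRAGS = 4  # assumption: 32-bit address carried as four 8-bit fragments

def tag_of(ip, tag_bits):
    """Assumed tag: top tag_bits of SHA-256 over the router address."""
    digest = hashlib.sha256(ip.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - tag_bits)

def marks_for(ip, tag_bits):
    """Every (tag, offset, fragment) mark one router can write."""
    tag = tag_of(ip, tag_bits)
    return [(tag, off, frag) for off, frag in enumerate(ip.to_bytes(4, "big"))]

def reconstruct(marks, tag_bits):
    """Victim side: combine fragments only within a tag, keep verified candidates."""
    buckets = defaultdict(lambda: [set() for _ in range(FRAGS)])
    for tag, off, frag in marks:
        buckets[tag][off].add(frag)
    combos, recovered = 0, set()
    for tag, slots in buckets.items():
        for parts in product(*slots):
            combos += 1
            candidate = int.from_bytes(bytes(parts), "big")
            if tag_of(candidate, tag_bits) == tag:  # tag check passes
                recovered.add(candidate)
    return recovered, combos

def experiment(n_routers, tag_bits=8, seed=1):
    """Constructed router addresses; assumes every mark has been collected."""
    routers = set(random.Random(seed).sample(range(2**32), n_routers))
    marks = [m for ip in routers for m in marks_for(ip, tag_bits)]
    recovered, combos = reconstruct(marks, tag_bits)
    # Without tags the victim would have to try every cross-offset combination.
    untagged = prod(len({m[2] for m in marks if m[1] == off}) for off in range(FRAGS))
    return {"untagged_combos": untagged, "tagged_combos": combos,
            "found": len(recovered & routers), "false_pos": len(recovered - routers)}

if __name__ == "__main__":
    for n in (20, 400):
        print(n, experiment(n))
```

With a fixed tag width, more routers share each tag as N grows, so both the per-tag combinations and the number of wrong candidates that still pass the tag check rise.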
More From: Cluster Computing