Towards an Adaptive Packet Marking Scheme for IP Traceback

Denial of Service attacks have become one of the most serious threats to the Internet community. An effective means to defend against such attacks is to locate the attack source(s) and to isolate it from the rest of the network. This paper proposes an adaptive packet marking scheme for IP traceback, which supports two types of marking, namely source router id marking and domain id marking. For each packet traversing, we let the border routers perform probabilistic router id marking if this packet enters the network for the first time, or perform probabilistic domain id marking if the packet is forwarded from another domain. After collecting sufficient packets, the victim reconstructs the attack graph, by which we keep track of the intermediate domains traversed by attack packets instead of individual routers within a domain; however, the source routers serving as ingress points of attack traffic are identified at the same time. Simulation results show that the proposed marking scheme outperforms other IP traceback methods as it requires fewer packets for attack paths reconstruction, and can handle large number of attack sources effectively; and the false positives produced are significantly low. Further, it does not generate additional traffic.