Scalable Hash-based IP Traceback Using Rate-limited Probabilistic Packet Marking
Recent surveys show that DDoS attacks remain one of the major threats to Internet security. Many techniques have been proposed to trace the origin of attack packets, known as the IP traceback problem, using either hash-based packet logging or probabilistic packet marking (PPM). However, both approaches have scalability problems under heavy DDoS attacks in terms of space and computational overhead. In this paper, we propose a novel scalable IP traceback scheme that combines the advantages of packet logging and packet marking to balance the overhead between the routers and the victim, making it scalable on both sides. The baseline idea of our approach is to sample a very small percentage (e.g., 1%) of packets at the routers and save the digests of only the sampled packets. At the same time, the routers write their signature, using a very simple marking scheme, into the marking field of the sampled IP packets, so that "information about logging" reaches the victim probabilistically and assists the traceback procedure. We also propose a heuristic technique to improve the performance of the marking scheme. As a result, the number of attack packets the victim must collect to achieve a high level of traceback accuracy is much smaller than in previous PPM schemes, and the computational and storage overhead at routers is much lower than in previous packet logging approaches.
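The following simulation is an added illustration of the baseline idea in the abstract (sample a small fraction of packets, log only their digests, and mark the sampled packets with the sampling router's identity); it is not the paper's code and does not implement the paper's heuristic. Everything not stated in the abstract is an assumption: the digest table is a plain Python set standing in for a space-efficient digest store, the mark field holds a single router ID and a later sampler overwrites an earlier one, the digest covers only hop-invariant fields (source, destination, payload) and deliberately excludes the mutable mark field, the six-router topology and the 1% sampling rate are constructed, and the victim's traceback walks upstream from its first-hop router, preferring neighbours whose IDs appeared as marks and confirming each hop by a digest lookup.

```python
from __future__ import annotations
import hashlib
import math
import random
from dataclasses import dataclass, field

SAMPLE_RATE = 0.01  # 1% of packets are logged and marked, as in the abstract


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    mark: int = 0  # 0 = unmarked; hypothetical single-router-ID marking field


def digest(pkt: Packet) -> bytes:
    # Hash only fields that stay invariant hop to hop. The mark field is
    # excluded because routers rewrite it; including it would make the
    # victim's lookup digest differ from what the sampling router stored.
    h = hashlib.sha256()
    h.update(pkt.src.encode())
    h.update(b"|")
    h.update(pkt.dst.encode())
    h.update(b"|")
    h.update(pkt.payload)
    return h.digest()[:8]  # truncated to 64 bits to keep per-router storage small


@dataclass
class Router:
    rid: int
    upstream: list = field(default_factory=list)  # neighbours further from the victim
    log: set = field(default_factory=set)         # digests of sampled packets (assumed plain set)

    def forward(self, pkt: Packet, rng: random.Random) -> None:
        if rng.random() < SAMPLE_RATE:
            self.log.add(digest(pkt))  # log the digest of this sampled packet only
            pkt.mark = self.rid        # advertise "I logged this" toward the victim


def send(path: list[Router], pkt: Packet, rng: random.Random) -> Packet:
    for r in path:  # path is ordered from the sender toward the victim
        r.forward(pkt, rng)
    return pkt


def traceback(first_hop: Router, attack_pkts: list[Packet]) -> list[int]:
    # Victim-side reconstruction: follow upstream neighbours whose logs hold a
    # digest of a collected attack packet. Marks seen at the victim name routers
    # known to have logged, so those neighbours are queried first.
    digests = {digest(p) for p in attack_pkts}
    marked = {p.mark for p in attack_pkts if p.mark}
    path: list[int] = []
    node: Router | None = first_hop
    while node is not None and node.log & digests:
        path.append(node.rid)
        candidates = sorted(node.upstream, key=lambda r: r.rid not in marked)
        node = next((r for r in candidates if r.log & digests), None)
    return path


def packets_needed(p: float, miss_prob: float) -> int:
    # Smallest N with (1-p)^N <= miss_prob: packets the victim must collect so a
    # given on-path router has logged at least one with probability >= 1-miss_prob.
    return math.ceil(math.log(miss_prob) / math.log(1 - p))


def simulate(seed: int = 7, n_attack: int = 2000, n_benign: int = 500) -> dict:
    rng = random.Random(seed)
    routers = {i: Router(i) for i in range(1, 7)}  # constructed topology, victim behind R1
    routers[1].upstream = [routers[2], routers[5]]
    routers[2].upstream = [routers[3]]
    routers[3].upstream = [routers[4]]
    routers[5].upstream = [routers[6]]
    attack_path = [routers[4], routers[3], routers[2], routers[1]]  # attacker sits behind R4
    benign_path = [routers[6], routers[5], routers[1]]
    victim_buf: list[Packet] = []
    for i in range(n_attack):
        # spoofed, random source addresses: traceback must not rely on src
        pkt = Packet(src=f"198.51.100.{rng.randrange(256)}", dst="203.0.113.1",
                     payload=i.to_bytes(4, "big"))
        victim_buf.append(send(attack_path, pkt, rng))
    for i in range(n_benign):
        pkt = Packet(src="192.0.2.10", dst="203.0.113.1", payload=b"ok" + i.to_bytes(4, "big"))
        victim_buf.append(send(benign_path, pkt, rng))
    # The victim separates attack from benign traffic by a constructed payload rule.
    attack_pkts = [p for p in victim_buf if not p.payload.startswith(b"ok")]
    attack_digests = {digest(p) for p in attack_pkts}
    off_path_hits = sum(len(routers[r].log & attack_digests) for r in (5, 6))
    return {"path": traceback(routers[1], attack_pkts),
            "marks": {p.mark for p in attack_pkts if p.mark},
            "off_path_hits": off_path_hits}


if __name__ == "__main__":
    print(simulate())
    print("packets for 1e-6 miss probability at 1% sampling:", packets_needed(SAMPLE_RATE, 1e-6))
```

With 2,000 attack packets each on-path router logs roughly 20 digests, and `packets_needed` shows why the victim needs only on the order of a thousand packets: a router that samples at 1% misses all of N packets with probability 0.99^N. A real deployment would replace the set with a compact digest structure and would have to define how the mark survives fragmentation and NAT, none of which the abstract specifies.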