Linear and Remainder Packet Marking

IP traceback methods give a victim the ability to identify the true source of the packets causing a denial-of-service (DoS) or distributed DoS (DDoS) attack. Several packet marking schemes have been proposed for DoS/DDoS defence to trace back the attackers. One of the major challenges in designing an efficient traceback scheme is minimizing the number of packets required for a successful traceback. The problem has become more challenging as DDoS attacks become highly distributed and increasingly sophisticated: even though the number of packets originating from each individual attack source is not very high, the net sum of attack packets is high enough to overwhelm the resources at the victim. Hence, to trace DDoS attacks efficiently, a traceback scheme should require a minimal number of packets from the attacker to perform IP traceback. In this work we propose a novel packet marking scheme called Linear Packet Marking (LPM), which requires a number of packets equal to the hop distance between the attacker and the victim, whose upper bound is 30. We also present a randomized version of LPM called Remainder Packet Marking (RPM). Even though RPM requires slightly more packets for a successful traceback, it is more robust to certain kinds of attacks that are possible on LPM. Both schemes use the values of the IP ID and TTL fields in the IP header to decide which router on the path will mark the packet. Using extensive simulation, we show that our algorithm performs much better than the existing packet marking schemes in terms of the packets required for a successful traceback and in handling large-scale DDoS attacks. In addition, it generates no storage overhead and only a small processing overhead at the intermediate routers. This work was published at the Fourth International Conference on Communication Systems and Networks (COMSNETS 2012), held in Bangalore, India, in January 2012.