A more practical approach for single-packet IP traceback using packet logging and marking

Tracing IP packets back to their origins is an important step in defending the Internet against denial-of-service (DoS) attacks. Two kinds of IP traceback techniques have been proposed as packet marking and packet logging approaches. In packet marking, routers probabilistically write their identification information into the forwarded packets. This approach incurs little overhead but requires a large flow of packets to collect the complete path information. In packet logging, routers record the digests of the forwarded packets. This approach makes it possible to trace even a single packet and hence is considered more powerful. At routers forwarding a large volume of traffic, however, the high storage overhead and access time requirement for recording packet digests introduce practicality problems. In this paper, we present a novel scheme to improve the practicality of log-based IP traceback by reducing its overhead on routers. Our approach makes an intelligent use of packet marking to help improve the scalability of log-based IP traceback. We use mathematical analysis and simulations to evaluate our approach. Our evaluation results show that compared to the state-of-the-art log-based approach called Source Path Isolation Engine (SPIE), our approach maintains the ability to trace a single IP packet while reducing the storage overhead by half and the access time overhead by a factor of the number of neighboring routers.