Robust and Scalable Deterministic Packet Marking Scheme for IP Traceback

Abstract

Deterministic packet marking (DPM) has recently been proposed as an alternative approach for IP traceback to identify the ingress router interfaces that receive and forward attack packets. Scalable, simple to implement, and no extra bandwidth required are the major advantages of DPM. Besides, it allows incremental deployment and service providers can implement it without revealing their internal network topology. Several DPM schemes have recently been proposed. Unfortunately, these schemes suffer from either a high false positive rate when there are multiple simultaneous attackers or a high false negative rate when packet loss happens because of congestion. In this paper, we propose and evaluate the false positive and false negative rates of a novel DPM scheme that is much scalable than the previous schemes. In the proposed DPM scheme, we use multiple hash functions to reduce the probability of address digest collision. Our analysis and computer simulations show that the proposed DPM scheme results in much smaller false positive rate than previous schemes. Moreover, by modifying the reconstruction procedure, one can control the false negative rate to combat packet loss with slight increase of false positive rate. With eight different kinds of marks, the expected number of packets required to reconstruct an interface address is only 22.