Stefan Savage,
David Wetherall, Anna Karlin, and Thomas Anderson.
Network Support for IP Traceback. IEEE/ACM
Transactions on Networking, vol. 9, no. 3, June 2001, pages 226 - 237.
Also appeared in Proceedings of the 2000 ACM SIGCOMM Conference, pages
295-306, August 2000.
Abstract:
This paper describes a technique for tracing
anonymous packet flooding attacks in the Internet back toward their source. This
work is motivated by the increased frequency and sophistication of
denial-of-service attacks and by the difficulty in tracing packets with
incorrect, or “spoofed,” source addresses. In this paper, we describe a
general purpose traceback mechanism based on probabilistic packet marking in the
network. Our approach allows a victim to identify the network path(s) traversed
by attack traffic without requiring interactive operational support from
Internet Service Providers (ISPs). Moreover, this traceback can be performed
“post mortem”—after an attack has completed. We present an implementation
of this technology that is incrementally deployable, (mostly) backward
compatible, and can be efficiently implemented using conventional technology.