Analysis of adjusted probabilistic packet marking

Probabilistic packet marking (PPM) has been proposed for the identification of the source of a denial of service (DoS) attack (Savage, S. et al., Proc. ACM SIGCOM, p.295-305, 2000). PPM is based on marking packets with a fixed probability by all routers. However, using a fixed marking probability allows a large number of packets to reach the victim unmarked, which can be spoofed to impede traceback. Also, using a fixed marking probability, the victim receives fewer marked packets from routers further away from the victim, which increases the computational time needed for traceback. Hence, we study the adjusted probabilistic packet marking (APPM) scheme (Teo Peng et al., Proc. Networking, 2002), where variable marking probability is used so that the victim receives packets from all routers with equal probability. However, using the analysis similar to that of Kihomg Park and Heejo Lee (see Proc. IEEE INFOCOM, 2001) we show that APPM is also subject to spoofing of the marking field for smaller path lengths. A modified version of APPM is proposed that reduces unmarked packets reaching the victim and the computational time needed for traceback.