Linear and Remainder Packet Marking for fast IP traceback

Several packet marking schemes have been proposed for DoS/DDoS defence to trace back the attackers to their source. One of the major challenge in design of efficient traceback scheme is to minimize the number of packets required for successful traceback. DDoS attacks are becoming highly distributed and increasingly sophisticated. Even though the net sum of attack packets is high enough to overwhelm the resources at the victim, number of packets originating from individual sources is not so high. Hence in order for traceback scheme to be efficient in tracing in case of DDoS attacks, traceback scheme should require minimal number of packets from the attacker to perform IP Traceback. In this paper we propose a novel packet marking scheme called Linear Packet Marking (LPM) which requires number of packets which is equal to hop distance between attacker and the victim which is less than 31 [5]. We also present a randomized version of LPM called Remainder Packet Marking (RPM). Even though RPM requires a bit more number of packets for successful traceback, it is more robust to certain kind of attacks that are possible on LPM. Both the scheme uses IP ID field and TTL values for deciding which router in the path will mark the packet. Using extensive simulation we show that our algorithm performs much better than the existing packet marking schemes in term of packets required for successful traceback and in handling large scale DDoS attacks. Besides it generates no storage overhead and only a small processing overhead at the intermediate routers.