Title :
On the use of path identification to block attack packets
Author_Institution :
Comput. Sci. Dept., Notre Dame Univ., Zouk Mosbeh, Lebanon
Abstract :
Many techniques have been proposed by the research community to mitigate the effect of flooding denial of service (DoS) attacks. The effects of DoS attacks are aggravated by the ability of attackers to hide the source of the attack packets. A widely used class of solutions (e.g. trace-back) is based on marking packets, from source to destination, by intermediate routers and selectively blocking packets based on the path they traveled. In this paper we show that router-level path identification offers more detail than needed. We also show that packets originating from a group of devices will follow almost identical paths to the destination. Thus a single attacker can spoof its address in such a way that a whole group in the source domain is labeled as an attack source. We argue that a more coarse-grained path identification, such as autonomous system path identification, be used instead.
Keywords :
security of data; attack packet blocking; autonomous system path identification; denial of service attacks; router level path identification; Erbium; Floods; Internet; Strontium;
Conference_Title :
Applications of Digital Information and Web Technologies, 2009. ICADIWT '09. Second International Conference on the
Conference_Location :
London
Print_ISBN :
978-1-4244-4456-4
Electronic_ISBN :
978-1-4244-4457-1
DOI :
10.1109/ICADIWT.2009.5273907