Probabilistic flow marking for IP traceback (PFM)

Distributed-Denial-Of-Service attacks are one of the hardest security issues on the Internet today. One difficulty to counter these attacks is to trace the source of the attacks because they often use spoofed source IP addresses to hide their original source. This paper presents a new IP traceback scheme, called Probabilistic Flow Marking (PFM). The goal is to trace anonymous flooding attacks on the network back toward their original source, even if the source is located behind a network address translation (NAT) or a proxy device. In this approach, PFM embeds a fingerprint in the packets randomly. This enables PFM to identify the origin of the traffic traversing through the Internet on a per flow basis, regardless of the source IP address spoofing. We evaluate PFM on three real-life Internet data sets from the CAIDA archives. Our evaluation results show that compared to the previous IP traceback schemes, PFM significantly decreases the number of marked packets required to traceback and represents a step forward in terms of performance and deployability.