Scalable packet digesting schemes for IP traceback

Identifying the sources of an attack is an important task in the Internet security area. An attack could consist of a large number of packet streams generated by many compromised slaves that consume resources associated with various network elements to deny normal services or a few offending packets to disable a system. Several techniques based on probabilistic samples of transit packets have been developed, to determine the sources of large packet flows. It seems that logging of packet digests is necessary for traceback of an individual packet. A clever technique based on Bloom filters has recently been proposed to generate the audit trails for each individual packet within the network. The scheme is effective. However, the storage requirement is approximately 0.5% of the link capacity, which becomes a problem as link capacity increases. In this paper, we propose packet digesting schemes for flows and sets of packets sharing the same source and destination addresses. Compared with the individual packet digesting scheme, these schemes can achieve similar goals and are much more scalable. Simulations with real Internet traffic show that the storage requirements of our proposed schemes are one to two orders of magnitude lower.