A Network Coding-Based Approach to Probabilistic Packet Marking

Pegah Sattari, Minas Gjoka, Athina Markopoulou
EECS Department, University of California, Irvine
Email: {psattari, mgjoka, athina}@uci.edu

Abstract

Traceback schemes aim at identifying the source(s) of a sequence of packets and the nodes these packets traversed. This is useful for tracing the sources of high volume traffic, e.g., in Distributed Denial-of-Service (DDoS) attacks. In this paper, we are interested in Probabilistic Packet Marking (PPM) schemes, in which intermediate nodes probabilistically mark packets with information about their identity and the receiver uses information from several packets to reconstruct the paths traversed by these packets. The main idea of the paper is a network coding-based approach that marks packets with random linear combinations of the router ids instead of individual router ids. We show that this approach decreases significantly the number of packets required to reconstruct the attack paths. We also show that it is implementable in practice using a small number of under-utilized bits on the IP packet header; our proposed practical scheme optimizes the tradeoff in the bit-budget allocation, naturally raised by the network coding marking approach, and reconstructs the attack graph with low computational complexity, high accuracy and low delay. We also combine the network coding marking approach with adjusting the marking probabilities of different routers and show that this further improves the performance. Along the way, we accurately model the performance of our proposed as well as of prior PPM schemes based on the coupon collector's problem with unequal probabilities. We show the significant benefit of our proposed schemes through comparison to several baseline schemes, under the same bit-budget, and considering various attack topologies. The ideas of network coding-based marking and adjusted marking probabilities are orthogonal to and can be combined with several existing PPM schemes to improve the overall performance.

Key words: Network Coding, Network Measurement and Inference, Network Security, Distributed Denial-of-Service Attacks, Probabilistic Packet Marking
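An added illustration of the abstract's main claim, not code from the paper: a simplified simulation that counts the packets a receiver needs under single-id overwrite marking (a coupon collector with unequal probabilities) and under marking with random linear combinations of router ids. The prime field, the per-packet coefficient vector, the marking probability and the 10.0.0.x router ids are assumptions made here; the paper's bit-budget-constrained scheme is not modelled.

```python
import random

P = 2_147_483_647  # prime field modulus (assumed); router ids must be < P

def ppm_packets(d, p, rng):
    """Overwrite marking: each of d routers replaces the single mark with
    probability p. Returns packets needed until every router id was seen."""
    seen, n = set(), 0
    while len(seen) < d:
        n += 1
        mark = None
        for hop in range(d):              # hop 0 is farthest from the victim
            if rng.random() < p:
                mark = hop                # downstream routers overwrite
        if mark is not None:
            seen.add(mark)
    return n

def nc_decode(ids, rng):
    """Coded marking: a packet carries coefficients c and sum(c[i]*ids[i]) mod P.
    Returns (packets used, router ids recovered by Gaussian elimination)."""
    d, rows, pivots, n = len(ids), [], [], 0
    while len(rows) < d:
        n += 1
        c = [rng.randrange(P) for _ in range(d)]
        row = c + [sum(a * b for a, b in zip(c, ids)) % P]
        for r, pc in zip(rows, pivots):   # clear columns already solved for
            f = row[pc]
            row = [(x - f * y) % P for x, y in zip(row, r)]
        pc = next((i for i in range(d) if row[i]), None)
        if pc is None:
            continue                      # dependent packet: no new information
        inv = pow(row[pc], -1, P)
        row = [x * inv % P for x in row]
        rows = [[(x - r[pc] * y) % P for x, y in zip(r, row)] for r in rows]
        rows.append(row)
        pivots.append(pc)
    decoded = [0] * d
    for r, pc in zip(rows, pivots):
        decoded[pc] = r[d]
    return n, decoded

def compare(d=10, p=0.1, trials=200, seed=1):
    """Average packets for overwrite marking vs. one coded-marking run."""
    rng = random.Random(seed)
    ids = [0x0A000001 + i for i in range(d)]   # constructed ids (10.0.0.x)
    ppm = sum(ppm_packets(d, p, rng) for _ in range(trials)) / trials
    nc_n, decoded = nc_decode(ids, rng)
    return ppm, nc_n, decoded == ids
```

Calling `compare()` returns the average packet count for overwrite marking, the packet count for the coded run, and whether the decoded ids match the path.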