A New IP Traceback System Against Distributed Denial-of-Service Attacks

Rafael P. Laufer 1, Pedro B. Velloso 1,2, Daniel de O. Cunha 1, Igor M. Moraes 1, Marco D. D. Bicudo 1, and Otto Carlos M. B. Duarte 1

1 Grupo de Teleinformática e Automação (GTA), Universidade Federal do Rio de Janeiro, Rio de Janeiro, RJ, Brazil
2 Laboratoire d'Informatique de Paris 6 (LIP6), Université Pierre et Marie Curie - Paris VI, Paris, France

Abstract— In most denial-of-service (DoS) attacks, packets with spoofed source addresses are employed in order to disguise the true origin of the attacker. A defense strategy is to trace attack packets back to their actual source in order to make the attacker accountable and isolate him from the network. To date, the proposed traceback systems require either large amounts of storage space on router-connected devices or a sufficient number of received attack packets. In this paper, we propose a new IP traceback system capable of determining the source of every packet received by the victim without storing state in the network infrastructure. For practical purposes, a generalization of the Bloom-filter theory is developed and evaluated. Analytical results are presented to show the efficacy of the proposed system.

I. INTRODUCTION

The current Internet routing infrastructure is vulnerable to anonymous denial-of-service (DoS) attacks [1]. Such attacks are specifically designed to conceal the true identity of the attacker, in addition to making the services provided by the victim inaccessible to users. These attacks are generally conducted by sending packets to the victim at a higher rate than they can be served, which causes legitimate service requests to be denied. In distributed denial-of-service (DDoS) attacks, the aggregate traffic from several different sources is responsible for disabling the services provided by the victim.
Recently, the number of distributed attacks against well-known websites has become alarming, and digital plagues have been specifically developed for that purpose [1]. Although less common, denial-of-service attacks consisting of a single packet also exist and are much easier to conduct [2]. In both cases, the results are financially devastating, and a solution that identifies the true origin of attack packets becomes necessary. Because IP is a datagram protocol, the attacker can inject packets with spoofed source addresses into the network and remain anonymous throughout the attack. In fact, there is no entity or mechanism responsible for verifying the authenticity of the source. Since forwarding is based exclusively on the destination address, packets with spoofed source addresses generally reach the victim without difficulty. Denial-of-service attacks can also become anonymous due to the stateless nature of IP routing. Currently, no information about forwarded packets is stored in routers for future queries and, as a consequence, it is not possible to deduce the route traversed by a spoofed attack packet.

This work has been supported by CNPq, CAPES, FAPERJ, FINEP, RNP and FUNTTEL.

Several schemes have been proposed for defeating anonymous denial-of-service attacks through IP traceback. The main purpose of IP traceback is to disclose the identity of the attacker by tracing the attack back to its source. Stone [3] proposed an intuitive way of tracing an ongoing attack by observing, at every hop, the interface from which the attack flow arrives. Burch and Cheswick [4] described a flooding technique for detecting from which upstream router the attack packets come. From another perspective, Savage et al. developed a traceback scheme where routers probabilistically insert information about themselves into the packets routed to the victim. After receiving enough attack packets, the victim can reconstitute the entire route.
Bellovin [5] suggested a similar approach that employs router-generated ICMP packets instead of inserting information directly into the routed packet. Using high-capacity storage devices connected to routers, Snoeren et al. [6] proposed a system capable of tracing a single IP packet by storing digests of every routed packet in Bloom filters [7] located at these devices.

In this paper, we introduce a new approach to the IP traceback problem. We also propose a generalization of Bloom filters [7] and derive its analytical expression. This generalization arises as a solution to evasion techniques that could be implemented if a standard Bloom filter were employed. The proposal consists of using a generalized Bloom filter integrated into the packet for compactly storing the address of each traversed router. Therefore, it is possible to probabilistically trace the complete route traversed by each individual packet. We also show that with the generalized Bloom filter the evasion capability is limited by system parameters. In addition, the traceback process can be started long after the attack is over and without any help from network operators. To date, existing proposals that present equivalent results demand high-capacity storage devices that must be directly connected to routers [6].

The rest of the paper is structured in the following way. In Section II, we introduce the proposed IP traceback system and analyze our proposition of Bloom-filter generalization. Analytical results are then presented in Section III, showing the efficacy of the system. Finally, conclusions and future research work are discussed in Section IV.

II. THE PROPOSED IP TRACEBACK SYSTEM

This section presents a new IP traceback technique designed to trace the source of each individual packet. The proposal is based on the packet-marking approach to avoid state storage
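The packet-marking idea outlined in the introduction (each router inserts its own address into a Bloom filter carried by the packet, and the victim later tests candidate routers against that filter to reconstruct the route) can be simulated end to end. The following is an added example written for this page, not code from the paper or its authors. It uses a standard Bloom filter, since the excerpt does not define the generalization, so it inherits the evasion weakness the paper's generalized filter is designed to limit; the topology, router addresses, filter size (64 bits, 3 hash functions) and SHA-256-derived hash positions are all constructed assumptions.

```python
import hashlib
import math

# Constructed sample topology (not from the paper): router address -> upstream
# neighbours as seen from the victim. 10.0.0.1 is the victim's gateway router.
TOPOLOGY = {
    "10.0.0.1": ["10.0.1.1", "10.0.2.1"],
    "10.0.1.1": ["10.0.3.1"],
    "10.0.2.1": ["10.0.4.1"],
    "10.0.3.1": ["10.0.5.1"],
    "10.0.4.1": [],
    "10.0.5.1": [],
}

# Constructed attack path in forwarding order (attacker's ingress router first).
ATTACK_PATH = ["10.0.5.1", "10.0.3.1", "10.0.1.1", "10.0.0.1"]


class PacketBloomMark:
    """Small Bloom filter carried inside the packet. The paper places the
    filter in the packet; the exact header layout is not given in this excerpt,
    so a fixed m-bit field is assumed here."""

    def __init__(self, m_bits=64, k=3, bits=0):
        self.m = m_bits      # filter size in bits
        self.k = k           # number of hash functions
        self.bits = bits     # the m-bit vector, kept as an int

    def _positions(self, addr):
        # k positions from SHA-256 over (hash index, address); salting with the
        # index yields k distinct functions from one primitive (assumption).
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{addr}".encode()).digest()
            yield int.from_bytes(digest[:4], "big") % self.m

    def insert(self, addr):
        for p in self._positions(addr):
            self.bits |= 1 << p

    def contains(self, addr):
        # Standard Bloom semantics: no false negatives, possible false positives.
        return all((self.bits >> p) & 1 for p in self._positions(addr))

    def to_bytes(self):
        return self.bits.to_bytes(self.m // 8, "big")

    @classmethod
    def from_bytes(cls, raw, k=3):
        return cls(m_bits=len(raw) * 8, k=k, bits=int.from_bytes(raw, "big"))


def mark_packet(path, m_bits=64, k=3):
    """Router side: each router on the path inserts its own address into the
    mark before forwarding. Returns the mark as the victim receives it."""
    mark = PacketBloomMark(m_bits, k)
    for router in path:
        mark.insert(router)
    return mark


def reconstruct_routes(mark, topology, gateway, max_hops=16):
    """Victim side: starting at the known gateway, walk upstream and keep every
    neighbour whose address tests positive in the mark. Since the filter has no
    false negatives the true route is always among the results; false positives
    can add spurious branches, which is why several routes may come back."""
    routes = []

    def walk(path):
        candidates = [r for r in topology.get(path[-1], [])
                      if r not in path and mark.contains(r)]
        if not candidates or len(path) >= max_hops:
            routes.append(path)
            return
        for r in candidates:
            walk(path + [r])

    walk([gateway])
    return routes


def false_positive_rate(m_bits, k, n_inserted):
    """Textbook false-positive estimate for a Bloom filter holding n elements."""
    return (1 - math.exp(-k * n_inserted / m_bits)) ** k


if __name__ == "__main__":
    # Serialise and parse the mark to mimic it travelling inside the packet.
    received = PacketBloomMark.from_bytes(mark_packet(ATTACK_PATH).to_bytes())
    for route in reconstruct_routes(received, TOPOLOGY, "10.0.0.1"):
        print("victim <- " + " <- ".join(route))
    print("estimated false-positive rate per probe: "
          f"{false_positive_rate(64, 3, len(ATTACK_PATH)):.4f}")
```

Each upstream probe is an independent membership test, so the number of spurious branches grows with the false-positive rate and with the fan-in of the topology; that is the trade-off between mark size and reconstruction ambiguity that the paper's analytical evaluation is concerned with.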