Abstract

Several IP traceback schemes employing packet marking have been proposed to trace DoS/DDoS attacks that use source address spoofing. The major challenges in the design of an efficient traceback technique are to minimize the number of packets required for successful traceback, and also to reduce the number of bits marked per packet by any router along the attack path. We propose a graph-coloring approach here that specifically addresses these issues. We propose to view the deployment of the traceback-enabled routers as an Internet traceback overlay network, which not only provides easy scalability and incremental deployment, but also allows for the spatial reuse of the router labels used for packet marking, directly resulting in a reduced bit-space, and hence in fewer packets required for successful traceback. We additionally propose an enhanced (logical) partitioned coloring technique to achieve an order of magnitude improvement over the best known schemes today. We also propose a 2-tier architecture that provides greater incentives for deployment to different ISP networks worldwide. We analyze the proposed techniques using real Internet AS-level topologies obtained from various sources