
Graduate student: 林威利 (Wili - Delima)
Thesis title: Source Locator Autonomous System Traceback
Advisor: 洪西進 (Shi-Jinn Horng)
Oral examination committee: 金台齡 (Tai-Lin Chin), 邱舉明 (Ge-Ming Chiu), 項天瑞 (Tien-Ruey Hsiang)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2010
Academic year of graduation: 98
Language: English
Number of pages: 50
Keywords: border router, packet marking, traceback, DDoS

Distributed Denial of Service (DDoS) attacks have become a major threat to the Internet community. While the attack itself is rather easy for anyone to perform, it is difficult for the victim to overcome. Researchers have had to devise ways to face this problem, such as attack detection, prevention, mitigation, and follow-up actions after the attack. This research addresses one such follow-up action, called attack traceback, which tries to locate the original source of the packet senders and reveal the path traversed by these packets during the attack.
We propose a traceback system called Source Locator Autonomous System Traceback (SLAST), which uses the Autonomous System (AS) as the unit of tracing. The proposed system combines deterministic packet marking with a dynamic packet marking scheme in which every packet has a chance of being marked with partial node information when it passes through a marking router. We use 25 bits of marking information inside the IP header of every packet to store information about the AS number and router ID. Because we overload the information inside the IP header field, this system does not require additional bandwidth in its implementation.
Our proposed system can greatly reduce the number of false positives by using a hash number to find the attacker candidates and by discarding invalid nodes or paths. This gives the scheme an optimal processing time and lets it reconstruct the attack path as well as the original source information. The proposed system is capable of tracing hundreds of nodes involved in attacks and can distinguish between the real source and packet-forwarding nodes with low false positives in the reconstruction result.
Our system's results are analyzed and verified by simulation using a real AS traceroute dataset from the Cooperative Association for Internet Data Analysis (CAIDA). We compare our system with another system called FAST (Fast Autonomous System Traceback) and show that our system outperforms FAST in speed, false positives, and the path length problem. In addition, our system also provides the marking router ID of the attacker’s AS, so the victim has more information about the source of the attack.



Abstract
Acknowledgment
Table of Contents
Table of Figures
Chapter 1 Introduction
  1.1 Problem Statement
  1.2 Research Objective
  1.3 Thesis Contribution
  1.4 Organization of the Thesis
Chapter 2 Related Works on Traceback Scheme
  2.1 IP Traceback Scheme
    2.1.1 Link Testing
    2.1.2 Packet Logging
    2.1.3 ICMP Traceback
    2.1.4 Packet Marking
  2.2 Autonomous System (AS) Traceback
Chapter 3 The Proposed Scheme
  3.1 Autonomous System Number (ASN) as tracing unit
  3.2 Problem Statement
    3.2.1 Problem on few packets reconstruction system
    3.2.2 Limited space in single packet reconstruction
  3.3 System Overview
    3.3.1 Marks Information
    3.3.2 Node Information
    3.3.3 Router ID Information
    3.3.4 LINK Information
    3.3.5 Distance Information
  3.4 Marking Procedure
    3.4.1 Static Marking Probability
    3.4.2 Dynamic Marking Probability with Remarking-Allowed Policy
  3.5 Marking Algorithm
  3.6 Reconstruction Procedure
Chapter 4 Simulation Performance and Analysis
  4.1 System Setup
  4.2 Performance Metrics and Analysis
    4.2.1 Number of FPs at First ASBR
    4.2.2 Reconstruction Time
    4.2.3 Packet required for reconstruction
  4.3 Simulation Results
Chapter 5 Conclusion
References

