Deterministic and Authenticated Flow Marking for IP Traceback

In this paper, we present a novel approach to IP traceback - Deterministic Flow Marking (DFM) - which allows the victim to traceback the origin of incorrect or spoofed source addresses up to the attacker node, even if the attack has been originated from a network behind a NAT or a proxy server. DFM is scalable and simple to implement, it is capable of tracing thousands of simultaneous distributed attacks in near real time. Moreover, it has a small footprint, resulting in low processing and memory overhead at the victim machines and edge routers. Additionally, DFM provides an optional authentication, so that a compromised router cannot forge markings of other uncompromised routers. Our results show that DFM can reach to similar to 99% traceback rate with no false positives.