WHIT: A More Efficient Hybrid Method for Single-Packet IP Traceback Using Walsh Matrix and Router Degree Distribution

Single-packet attack can be tracked with logging-based IP traceback approaches, whereas DDoS attack can be tracked with marking-based approaches. However, both approaches have their limits. Logging-based approaches incur heavy overhead for packet-digest storage as well as time overhead for both path recording and recovery. Marking-based approaches incur little traceback overhead but are unable to track single packets. Simply deploying both approaches in the same network to deal with single-packet and DDoS attacks is not an efficient solution due to the heavy traceback overhead. Recent studies suggest that hybrid approaches are more efficient as they consume less router memory to store packet digests and require fewer attack packets to recover attack paths. Thus, the hybrid single packet traceback approach is more promising in efficiently tracking both single-packet and DDoS attacks. The major challenge lies in reducing storage and time overhead while maintaining single-packet traceback capability. We present in this paper a new hybrid approach to efficiently track single-packet attacks by designing a novel path fragment encoding scheme using the orthogonality of Walsh matrix and the degree distribution characteristic of router-level topologies. Compared to HIT (Hybrid IP Traceback), which, to the best of our knowledge, is the most efficient hybrid approach for single-packet traceback, our approach has three advantages. First, it reduces the overhead by 2/3 in both storage and time for recording packet paths. Second, the time overhead for recovering packet paths is also reduced by a calculatable amount. Finally, our approach generates no more than 2/3 of the false-positive paths generated by HIT.