On Evaluating IP Traceback Schemes: A Practical Perspective

This paper presents an evaluation of two promising schemes for tracing cyber-attacks, the well-known Deterministic Packet Marking, DPM, and a novel marking scheme for IP traceback, Deterministic Flow Marking, DFM. First of all we explore the DPM in detail and then by investigating the DFM, we analyze the pros and cons of both approaches in depth in terms of practicality and feasibility, so that shortcomings of each scheme are highlighted. This evaluation is based on CAIDA Internet traces October 2012 dataset. The results show that using DFM may reduce as many as 90% of marked packets on average required for tracing attacks with no false positives, while it eliminates the spoofed marking embedded by the attacker as well as compromised routers in the attack path. Moreover, unlike DPM that traces the attack up to the ingress interface of the edge router close to the attacker, DFM allows the victim to trace the origin of incorrect or spoofed source addresses up to the attacker node, even if the attack has been originated from a network behind a network address translation (NAT), firewall, or a proxy server.