On the (in)effectiveness of Probabilistic Marking for IP Traceback under DDoS Attacks

Abstract—Distributed denial-of-service attacks (DDoS) pose an immense threat to the Internet. The most studied solution is to let routers probabilistically mark packets with partial path information during packet forwarding, which is referred as Probabilistic Packet Marking (PPM). After receiving enough number of packets, the victim would be able to reconstruct the attack graph based on the information in the packet markings. Because of probabilistic marking, a large fraction of the packets reach the victim unmarked by any router, thus carrying the spoofed markings set by the attacker. In this paper, we study the effect of simple attacker strategies to spoof the markings to impede victim’s capacity to traceback. We show that random marking is sufficient to impede the victim from tracing the attackers. A simple enhancement based on IP path length distribution makes it harder for the victim. We also study the challenges related to the attack graph reconstruction process and collecting the attack packets for traceback. We hope that this analysis would help researchers to adapt the current PPM techniques accordingly to thwart the DDoS attacks. I