Performance of IP address fragmentation strategies for DDoS traceback

Abstract

Distributed denial-of-service (DDoS) attacks are among the most difficult and damaging security problems that the Internet currently faces. The component problems for an end-system that is the victim of a DDoS attack are: determining which incoming packets are part of the attack (intrusion detection); tracing back to find the origins of the attack (i.e., "traceback"); taking action to mitigate or stop the attack at the source by configuring firewalls or taking some kind of punitive measures. The preferable solution to these problems operates in real time so that a DDoS attack can be mitigated before the victim is seriously harmed. The paper focuses on the technique of packet marking/overloading for automated DDoS traceback which is a complex problem simply because attackers can use spoof source IP addresses in their attacking packets. A new packet marking strategy is proposed and is shown to yield better results in terms of complexity and performance.