TOPO: A Topology-aware Single Packet Attack Traceback Scheme

Linfeng Zhang, Y. Guan

2006 Securecomm and Workshops, published 2006-08-01. DOI: 10.1109/SECCOMW.2006.359556 (https://doi.org/10.1109/SECCOMW.2006.359556)
Citations: 36

Abstract

With the phenomenal growth of the Internet, more and more people enjoy and depend on its provided services. Unfortunately, the number of network-based attacks is also increasing quickly. Network attackers can very easily hide their identities, and thereby reduce the chance of being captured and punished. Some attacks can even succeed by using only one or a few well-targeted packets. Therefore, it is desirable to design effective and efficient single packet IP traceback systems to attribute attackers. Several single packet IP traceback systems have been designed using Bloom filters. However, the inherent false positives of Bloom filters caused by unavoidable collisions restrain the effectiveness of these systems. To reduce the impact of unavoidable collisions in Bloom filters, we propose a topology-aware single packet IP traceback system, namely TOPO. We utilize the router's local topology information, i.e., its immediate predecessor information. Our performance analysis shows that TOPO can reduce the number and scope of unnecessary queries, and significantly decrease false attributions. Furthermore, to improve the practicability of Bloom filter-based IP traceback systems, we design TOPO to allow partial deployment while maintaining its traceback capability. When Bloom filters are used, it is difficult to decide their optimal control parameters a priori. We design a k-adaptive mechanism which can dynamically adjust parameters of Bloom filters to reduce the false positive rate.