The pervasiveness of the Internet makes it an attractive target to people with malicious intent. Also, the design of the Internet makes it quite easy to obscure the origin of a packet, despite the presence of a source IP address in every packet, since the routers in the Internet rarely, if ever, do anything to ensure or check that the source IP address is the actual origin of a packet. Thus, many attacks use “spoofed” IP source addresses, to obscure the actual origin of the attack.
Some routers do offer a means to ensure that the source address of a packet corresponds to the subnet attached to the interface the packet arrived on (“source address filtering”), but this feature requires careful configuration, and can only be used when the interface is connected to a single subnet at the edge of the Internet. The design of the Internet makes it virtually impossible to implement such a feature in routers in the core of the network, or at borders between different service providers. Thus, the feature is not often used, and is in any case insufficient to guarantee the validity of IP source addresses in packets.
Also, Internet routers keep no records of individual packets, or even TCP connections, so there is little forensic evidence left in routers from an attack.
For attacks which involve TCP connections, or other protocols involving the exchange of several packets between the endpoints, it is difficult for the IP source address to be spoofed, since packets must flow back to the origin, to execute the protocol correctly. Thus, TCP-based attacks generally involve the compromise of intermediate systems (often referred to as “zombies” or “steppingstones”), and the location of the intermediate system can be correctly extracted from the source IP address. However, there are attacks on the TCP protocol implementation itself, or on existing connections, which employ spoofed source address packets, since the reply packets are not required to be correctly routed to achieve the attacker's goal.
There are also connectionless attacks, in which the attacker activates a previously compromised system using one or more packets which contain spoofed IP source addresses. (While the attack itself is connectionless, the attacker's control packets may have the appearance of TCP or another connection-oriented protocol, without the protocol itself being used.)
Some worms, such as the “SQL Slammer” or “Sapphire” worm, also use connectionless direct attacks employing spoofed IP source addresses. The SQL Slammer worm is an example of the worst case—an attack that is completely contained in a single packet with a spoofed source address.
Most work to date on IP traceback has focused on tracing packet streams back to their origin. This usually necessitates both cooperation on the part of the Internet infrastructure (including the addition of new features to routers), and a sufficient number of packets to allow some kind of step-by-step backtracking, while the attack is still taking place. Unfortunately, adding novel features to existing routers is not always feasible, and many known attacks do not include a sufficiently-long stream of attack packets for many proposed traceback methods to work properly.
One known method, the Source Path Isolation Engine (SPIE), developed earlier by BBN of Cambridge Mass., is capable of tracing a single packet to its origin point. Although this system works quite well, it does require upgrades to some of the routers along the attack path before it can produce results. These upgrades require the addition of high speed logic and memory to the router interface, or the installation of external monitoring devices on the interfaces of most routers. In addition, SPIE keeps a record of packets seen in backbone routers for up to ten minutes or so, making it useful primarily when trigged by automated defense systems. And such systems often miss novel attacks.
Thus, it is desirable to find a new means of tracing back individual packets with spoofed source IP addresses, without requiring substantial hardware changes to existing routers, and with the ability to trace packets of interest hours or days after they transited the network.