IP traceback is a method of identifying the origin of packets on the Internet. IP traceback may have various applications in network management and security.
Various IP traceback methods rely on packet marking, i.e., transmitting traceback information inside “live” packets. For such transmission of traceback data, these methods rely on rarely used fields of the IP header, such as the Reserved Flag and the Fragmentation ID field. Typically the traceback data is an IP address, which is a 32-bit string. Because fewer than 32 unused bits are available in the typical IP header, the transmitted IP address must be split into two or more parts. Each of these parts is then transmitted separately, together with other information required for reconstruction of the IP address. The process of determining the information to be inserted into a packet and then inserting it is frequently referred to as “marking.”
The splitting of the transmitted IP addresses results in the victim receiving only parts of the transmitted IP addresses, which presents several problems.
First, complex, and memory- and processor-intensive reconstruction procedures are required to ascertain the actual transmitted IP addresses. These procedures match parts of the embedded and transmitted IP addresses to assemble complete IP addresses. For real-time traceback, these reconstruction procedures must be performed while the victim is being attacked.
Second, inevitably, as the number of attacking entities, such as slaves and reflectors, increases, the number of false positive identifications also increases. Some algorithms have been developed to increase the number of reconstructed IP addresses while keeping the false positive rate under a certain predetermined value, such as 1%. At the moment, several thousand simultaneous attackers seems to be the limit for currently existing systems.
Third, because the fragmentation ID field is typically used for transmission of the traceback information, IP fragmentation is adversely affected. Since the information used for reassembly of fragmented packets has been overwritten with traceback information, it may be impossible to reconstruct the original packet.
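The following Python simulation is an added illustration of the marking scheme and the reconstruction problems described above; it is not code from the original text and does not reproduce any particular published traceback system. It assumes a toy encoding in which the 16-bit Fragmentation ID field carries a 2-bit chunk index, a 6-bit hash of the full source address (constructed here from SHA-256) and one 8-bit chunk of the address; the victim regroups marks by hash and index and tries every chunk combination, which is where the reconstruction cost and the false positives with many attackers come from. Sample source addresses are constructed inline.

```python
"""Toy packet-marking traceback (added example, not from the original text).

A 32-bit IPv4 address is split into four 8-bit chunks. Each marked packet
carries one chunk in the 16-bit Fragmentation ID field, laid out as:
    [2 bits: chunk index][6 bits: hash of full address][8 bits: chunk]
Overwriting this field is exactly why IP fragment reassembly breaks.
"""
import hashlib
import ipaddress
import itertools
import random

INDEX_BITS, HASH_BITS, CHUNK_BITS = 2, 6, 8
HASH_MASK = (1 << HASH_BITS) - 1


def addr_hash(addr_int):
    # 6-bit digest of the full address; lets the victim group chunks that
    # belong together. Only 64 buckets, so many attackers will collide.
    digest = hashlib.sha256(addr_int.to_bytes(4, "big")).digest()
    return digest[0] & HASH_MASK


def mark(addr, index):
    """Return the 16-bit ID-field value carrying chunk `index` of `addr`."""
    a = int(ipaddress.IPv4Address(addr))
    chunk = (a >> (CHUNK_BITS * (3 - index))) & 0xFF
    return (index << 14) | (addr_hash(a) << 8) | chunk


def mark_stream(addrs, packets_per_source=16, seed=0):
    """Simulate marked packets: each source sends chunks in a shuffled order
    (real schemes pick the chunk at random per packet; shuffling guarantees
    every chunk is seen at least once so the example is deterministic)."""
    rng = random.Random(seed)
    marks = []
    for addr in addrs:
        order = list(range(4)) * (packets_per_source // 4)
        rng.shuffle(order)
        marks.extend(mark(addr, i) for i in order)
    return marks


def reconstruct(marks):
    """Victim side: rebuild candidate addresses from received marks."""
    table = {}  # hash -> chunk index -> set of chunk values seen
    for m in marks:
        index, h, chunk = m >> 14, (m >> 8) & HASH_MASK, m & 0xFF
        table.setdefault(h, {}).setdefault(index, set()).add(chunk)
    found = set()
    for h, by_index in table.items():
        if len(by_index) < 4:
            continue  # not all four chunk positions received yet
        # Every combination of chunks in this bucket is a candidate; the
        # number of combinations grows as (attackers per bucket)^4, and a
        # wrong combination still passes the 6-bit check 1 time in 64.
        for combo in itertools.product(*(sorted(by_index[i]) for i in range(4))):
            a = int.from_bytes(bytes(combo), "big")
            if addr_hash(a) == h:
                found.add(str(ipaddress.IPv4Address(a)))
    return found


def random_sources(n, seed=1):
    """Constructed sample: n pseudo-random source addresses."""
    rng = random.Random(seed)
    return [str(ipaddress.IPv4Address(rng.getrandbits(32))) for _ in range(n)]


def false_positives(addrs, **kw):
    """Count reconstructed addresses that were never an actual source."""
    found = reconstruct(mark_stream(addrs, **kw))
    return len(found - set(addrs))


if __name__ == "__main__":
    print("single source:", reconstruct(mark_stream(["10.0.0.1"])))
    for n in (2, 50, 300):
        print(f"{n} sources -> {false_positives(random_sources(n))} false positives")
```

With a single source the victim recovers exactly that address; with a few hundred simultaneous sources the 64 hash buckets fill up, the combination search explodes and the same check starts admitting addresses that never sent anything, which is the false-positive growth the text describes.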
A key benefit of the marking-based traceback methods is that the traceback information reaches as far as the attack packets. Some traceback methods rely on the generation of new ICMP packets that carry traceback information. While such ICMP-based methods do not present the above problems associated with packet marking, traceback using ICMP packets is problematic because ICMP packets are frequently filtered.
Accordingly, there is a need for an out-of-band traceback method that does not present the limitations of packet marking and ICMP traceback.