Active Probing
Stone [19] proposed a traceback scheme called CenterTrack, which selectively reroutes
the packets in question directly from edge routers to some special tracking routers. The
tracking routers determine the ingress edge router by observing from which tunnel the
packet arrives. This approach requires the cooperation of network administrators, and the
management overhead is considerable.
Burch and Cheswick [20] outlined a technique for tracing spoofed packets back to their
actual source without relying on the cooperation of intervening ISPs. The victim actively
changes the traffic in particular links and observes the influence on attack packets, and
thus can determine where the attack comes from. This technique does not work well against
distributed attacks and requires that the attack remain active for the duration of the
traceback.
ICMP Traceback (iTrace)
Bellovin [21] proposed a scheme named iTrace to trace back using ICMP messages for
authenticated IP marking. In this scheme, each router samples (with low probability) the
packets it forwards, copies the contents into a special ICMP traceback message, adds its
own IP address as well as the IP of the previous and next-hop routers, and forwards the
packet to either the source or destination address. By combining the information obtained
from several of these ICMP messages from different routers, the victim can then
reconstruct the path back to the origin of the attacker.
A drawback of this scheme is that it is much more likely that the victim will get ICMP
messages from routers nearby than from routers farther away. This implies that most of
the network resources spent on generating and utilizing iTrace messages will be wasted.
An enhancement of iTrace, called Intention-Driven iTrace, has been proposed [22,23].
By introducing an extra “intention-bit,” the victim is able to increase the probability of
receiving iTrace messages from remote routers.
Packet Marking
Savage et al. [24] proposed a Probabilistic Packet Marking (PPM) scheme. Since then
several other PPM-based schemes have been developed [25,26,27]. The baseline idea of
PPM is that routers probabilistically write partial path information into the packets during
forwarding. If the attacks are made up of a sufficiently large number of packets,
eventually the victim may get enough information by combining a modest number of
marked packets to reconstruct the entire attack path. This allows victims to locate the
approximate source of attack traffic without requiring outside assistance.
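The following simulation is an added example, not code from the cited papers: it models the edge-sampling form of PPM on a single attack path and shows the victim rebuilding the path from marked packets. The three-field mark (start, end, distance), the router names R1..R10, the marking probability 0.04, and the absence of attacker-forged marks are assumptions made for the example.

```python
import random

def forward(path, p, rng):
    """Carry one packet along path (attacker-side router first); return its mark or None."""
    mark = None                               # hypothetical mark: (start, end, distance)
    for router in path:
        if rng.random() < p:                  # router samples this packet
            mark = (router, None, 0)          # begin a new edge, overwriting any older mark
        elif mark is not None:
            start, end, dist = mark
            mark = (start, router if dist == 0 else end, dist + 1)
    return mark

def reconstruct(marks):
    """Chain edges by distance; distance 0 is the router adjacent to the victim."""
    by_dist = {dist: (start, end) for start, end, dist in marks}
    path, d = [], 0
    while d in by_dist:
        start, end = by_dist[d]
        if path and end != path[-1]:          # edge must join the hop already placed
            break
        path.append(start)
        d += 1
    return path[::-1]                         # attacker-side router first

def packets_until_traced(path, p, seed, limit=1_000_000):
    """Count packets the victim receives before the whole path is recovered."""
    rng, marks = random.Random(seed), set()
    for n in range(1, limit + 1):
        mark = forward(path, p, rng)
        if mark is not None:
            marks.add(mark)
            if reconstruct(marks) == path:
                return n
    return None                               # not traced within the limit

def mark_survival(p, k):
    """Chance a packet arrives carrying the mark of the router k hops upstream of the last."""
    return p * (1 - p) ** k

if __name__ == "__main__":
    routers = [f"R{i}" for i in range(1, 11)]  # constructed path, R1 nearest the attacker
    runs = [packets_until_traced(routers, 0.04, seed) for seed in range(200)]
    print("mean packets to trace 10 hops:", sum(runs) / len(runs))
    for k in (0, 9):
        print(f"P(mark from distance {k}) = {mark_survival(0.04, k):.4f}")
```

Marks from distant routers are overwritten more often on the way to the victim, so the farthest hop is the one that determines how many packets are needed.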
The Deterministic Packet Marking (DPM) scheme proposed by Belenky and Ansari [28]
involves marking each individual packet when it enters the network. The packet is marked
by the interface closest to the source of the packet on the edge ingress router. The mark