A deterministic packet marking scheme for tracing multiple Internet attackers

Tsern-Huei Lee*, Tze Yau William Huang, Iven Lin

*Corresponding author for this work

Research output: Contribution to journalConference articlepeer-review

3 Scopus citations


Deterministic packet marking (DPM) has recently been proposed as an alternative approach for IP traceback. It requires no extra bandwidth and is backward compatible with Internet equipments that do not implement it. Moreover, service providers can implement it without revealing their internal network topology. Unfortunately, the false positive rate could be very high if multiple hosts use the same source address to attack the victim simultaneously. Even worse, no source will be identified if attackers change their source addresses for every packet they send. These two problems can be solved with a modified DPM scheme which we called DPM with address digest (DPM-AD). We found that the false positive rate of the DPM-AD scheme could be much higher than it was claimed when the number of ingress router interfaces is larger than the number of attackers. In this paper, we propose and evaluate the false positive rate of a novel DPM scheme that is much more scalable than the DPM-AD scheme. Our analysis and simulation results show that the proposed DPM scheme can trace 1K simultaneous attackers at a false positive rate less than 0.5% with acceptable reconstruction complexity. 2005 IEEE.

Original languageEnglish
Pages (from-to)850-854
Number of pages5
JournalIEEE International Conference on Communications
StatePublished - 15 Sep 2005
Event2005 IEEE International Conference on Communications, ICC 2005 - Seoul, Korea, Republic of
Duration: 16 May 200520 May 2005

Fingerprint Dive into the research topics of 'A deterministic packet marking scheme for tracing multiple Internet attackers'. Together they form a unique fingerprint.

Cite this