Title :
Security management with scalable distributed IP traceback
Author :
Siradjev, Djakhongir ; Yunusov, Laziz ; Kim, Young-Tak
Author_Institution :
Dept. of Inf. & Commun. Eng., Yeungnam Univ., Gyeongsan, South Korea
Abstract :
In this paper we propose an IP traceback mechanism based on deterministic packet marking and logging that uses a protected nodes set to reduce the amount of logged data. The proposed scheme exploits the fact that the number of nodes that may be under attack is usually limited to a small fraction of all nodes in the Internet; logging only the traffic destined to this fraction of nodes greatly reduces storage requirements and thus meets the hardware limitations of high-speed core routers. Before logging at a traceback-enabled router, every packet is checked with a Bloom filter to determine whether it is destined to a host in the protected nodes set. The protected nodes set and the list of traceback-enabled routers are managed by a security management infrastructure, which can be mirrored to avoid introducing a single point of failure. Maintaining the list of traceback-enabled routers allows neighbor discovery in the overlay network, which is required to detect a forged identification field value in the IP header inserted by an attacker. By adding an initialization stage and the management infrastructure, the proposed scheme provides constant per-packet processing complexity and a much longer Bloom filter refresh period compared with other approaches that use the logging paradigm. Performance evaluation shows that the proposed IP traceback mechanism can be implemented in the real Internet with scalability and good deployment feasibility in terms of false positive ratio and memory usage.
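The core data-plane decision described in the abstract, a per-packet Bloom filter check of the destination address against the protected nodes set, is illustrated below. This is an added example, not code from the paper: the paper does not specify its hash construction or packet representation, so the double-hashing scheme over a single SHA-256 digest, the packet dictionaries, the constructed protected set in 10.0.0.0/8 and the constructed traffic in 172.16.0.0/12 are all assumptions made here. The example sizes the filter from a target false positive ratio and then measures the empirical false positive ratio and memory footprint, which is the trade-off the abstract's performance evaluation refers to.

```python
import hashlib
import ipaddress
import math
import random
from typing import Dict, Iterable, Iterator, List


class BloomFilter:
    """Bit-array Bloom filter; k positions derived from one SHA-256 digest."""

    def __init__(self, m_bits: int, k_hashes: int) -> None:
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: bytes) -> Iterator[int]:
        # Double hashing (assumed here, not from the paper): h_i = h1 + i*h2 mod m,
        # with h1/h2 taken from two halves of a single SHA-256 digest.
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step, never degenerates to 0
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: bytes) -> bool:
        # All k bits set -> "possibly protected"; any bit clear -> definitely not.
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

    def memory_bytes(self) -> int:
        return len(self.bits)


def optimal_parameters(n_items: int, target_fp: float):
    """Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m/n) ln 2 hash functions."""
    m = math.ceil(-n_items * math.log(target_fp) / (math.log(2) ** 2))
    k = max(1, round(m / n_items * math.log(2)))
    return m, k


def expected_fp(m: int, k: int, n: int) -> float:
    """Textbook false positive estimate (1 - e^{-kn/m})^k."""
    return (1 - math.exp(-k * n / m)) ** k


def build_protected_set(addresses: Iterable[str], target_fp: float = 0.01) -> BloomFilter:
    """Initialization stage: the management plane pushes the protected nodes set to a router."""
    addrs = list(addresses)
    m, k = optimal_parameters(len(addrs), target_fp)
    bf = BloomFilter(m, k)
    for a in addrs:
        bf.add(ipaddress.ip_address(a).packed)  # 4-byte (or 16-byte) network form
    return bf


def traceback_log_filter(bf: BloomFilter, packets: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Data plane: keep (log) only packets whose destination passes the membership check.

    Constant work per packet: k hash positions regardless of protected-set size.
    """
    return [p for p in packets if ipaddress.ip_address(p["dst"]).packed in bf]


def simulate(n_protected: int = 1000, n_packets: int = 20000, seed: int = 1) -> Dict[str, float]:
    """Constructed experiment: protected hosts in 10.0.0.0/8, unrelated traffic in 172.16.0.0/12."""
    rng = random.Random(seed)
    protected = {str(ipaddress.IPv4Address(0x0A000000 | rng.getrandbits(24)))
                 for _ in range(n_protected)}
    bf = build_protected_set(protected, target_fp=0.01)

    # Traffic that should never be logged (disjoint prefix) plus one packet per protected host.
    background = [{"src": "198.51.100.7",
                   "dst": str(ipaddress.IPv4Address(0xAC100000 | rng.getrandbits(20)))}
                  for _ in range(n_packets)]
    attack = [{"src": "203.0.113.9", "dst": d} for d in protected]

    logged_bg = traceback_log_filter(bf, background)  # every hit here is a false positive
    logged_attack = traceback_log_filter(bf, attack)  # must be all of them (no false negatives)

    return {
        "memory_bytes": bf.memory_bytes(),
        "k": bf.k,
        "fp_ratio": len(logged_bg) / n_packets,
        "expected_fp": expected_fp(bf.m, bf.k, len(protected)),
        "false_negatives": len(protected) - len(logged_attack),
        "logged_fraction": (len(logged_bg) + len(logged_attack)) / (n_packets + len(attack)),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

For 1000 protected hosts at a 1% target the filter occupies roughly 1.2 KB regardless of how many packets traverse the router, and only about one in a hundred unrelated packets is logged by mistake, while every packet addressed to a protected host is logged. Because the filter has no false negatives, the traceback path is never silently lost; the false positive ratio only governs how much extra storage the logger spends.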
Keywords :
IP networks; Internet; computer network management; telecommunication network routing; telecommunication security; telecommunication traffic; Internet traffic; bloom filter; deterministic data plane processing complexity; deterministic packet logging; deterministic packet marking; high speed core router; overlay network; scalable distributed IP traceback mechanism; security management; traceback-enabled router; Communication system operations and management; Data structures; Engineering management; Filters; Information security; Internet; Protection; Random access memory; Scalability; Upper bound; DDoS; IP traceback; Network security;
Conference_Title :
Integrated Network Management, 2009. IM '09. IFIP/IEEE International Symposium on
Conference_Location :
Long Island, NY
Print_ISBN :
978-1-4244-3486-2
Electronic_ISBN :
978-1-4244-3487-9
DOI :
10.1109/INM.2009.5188867