Fast Traceback against Large-Scale DDoS Attack in High-Speed Internet

This paper describes a novel DDoS traceback scheme. It aims at the disadvantages of the current schemes, which can not traceback the large-scale DDoS attack with the increasing false positive rate, or which can not traceback the DDoS attack fast from the large number of packets required for reconstruction, or which can not apply in the high-speed Internet because of the high overhead of network and router etc. The proposed scheme maps k hash digests of the router´s IP into an m-bit Bloom Filter array. Then the m-bit Bloom Filter array is probabilistically written into the IP header of the passing packet or deterministically accumulated with the marking information in the IP header of the marked packet. If the Bloom Filter array in the marking information is full, the marking information is probabilistically written into another packet with the same source address and same destination address. This scheme has several advantages low false positive rate; fewer packets to reconstruct the attack path; and low computation overhead and storage overhead at the router. It implements the local traceback fast under large-scale DDOS attack in high-speed Internet.