• DocumentCode
    395592
  • Title

    A path information caching and aggregation approach to traffic source identification

  • Author

    Hsu, Fu-Hau ; Chiueh, Tzi-cker

  • Author_Institution
    Dept. of Comput. Sci., State Univ. of New York, Stony Brook, NY, USA
  • fYear
    2003
  • fDate
    19-22 May 2003
  • Firstpage
    332
  • Lastpage
    339
  • Abstract
    Probabilistic packet marking (PPM) is a technique designed to identify packet traffic sources with low storage and processing overhead on network routers. In most previous PPM approaches, individual path messages carry only partial path information. These methods are susceptible to "path falsification" attacks, which greatly reduce their effectiveness. This work proposes a path-falsification-attack free PPM algorithm called Path Information Caching and Aggregation (PICA) that records paths of packet streams in fixed-length path messages, thus eliminating the need of path reconstruction at the receiver end. Besides, by using a router's forwarding table to decompose packet volume, this semi-stateful method is more accurate in traffic volume report. It also supports both a packet rate-based path message generation algorithm and a redundant path message suppression mechanism to further eliminate path messages with the same destination. Finally, PICA protects PICA routers from being attacked by faked path messages. We have performed a trace-driven simulation study on the proposed PICA algorithm and compared its effectiveness with IETF's iTrace scheme by varying the sampling probability, the number of attack sources, and attack traffic rate. Compared to iTrace, the PICA algorithm reduces the total number of path messages required by a factor of more than 2, while reporting traffic volume more accurately.
  • Keywords
    cache storage; message authentication; telecommunication network routing; telecommunication traffic; PICA network routers; IETF's iTrace scheme; packet sampling; packet traffic source identification; path information caching and aggregation; path message generation algorithm; probabilistic packet marking; probability; redundant path message suppression mechanism; Computer crime; Computer science; IP networks; Master-slave; Network servers; Protection; Sampling methods; Telecommunication traffic; Traffic control; Web server;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Distributed Computing Systems, 2003. Proceedings. 23rd International Conference on
  • ISSN
    1063-6927
  • Print_ISBN
    0-7695-1920-2
  • Type

    conf

  • DOI
    10.1109/ICDCS.2003.1203482
  • Filename
    1203482