Title :
A Reactive Architecture for IP Traceback
Author :
Fadlallah, Ahmad ; Serhrouchni, Ahmed
Author_Institution :
Dept. of Comput. Sci. & Network, Ecole Nat. Superieure des Telecommun., Paris
Abstract :
The rising threat of cyber attacks makes the IP traceback problem very relevant to today's Internet security. Numerous approaches have been proposed to support IP traceability. They can be divided into proactive and reactive solutions. Proactive measures record and exchange tracing information as packets are routed through the network. The victim uses the resulting traceback data for attack path reconstruction and subsequent attacker identification. A reactive traceback process, on the other hand, is initiated in response to an attack; it starts from the victim and moves toward the attacker. Proactive solutions are very effective for tracing attacks that consist of a single packet or a few packets. However, they are very resource demanding, since every packet, even a legitimate one, is analyzed. Moreover, in the case of long-period attacks, the tracing of the packets can succeed even when the whole process is initiated after the detection of the attack. These reasons lead to the conclusion that even if reactive methods are not efficient against few-packet attacks, they are still efficient against the majority of Internet attacks. In this paper we present a signaling architecture that reactively traces back the source(s) of an attack. This architecture is distributed, and based on the collaboration of several centralized per-administrative domain (AD) traceback systems.
Keywords :
IP networks; security of data; telecommunication security; IP traceability; IP traceback data; Internet attack; Internet security; attacker identification; centralized per-administrative domain; cyber attack path reconstruction; packet routing analysis; packet tracing information; proactive solution; reactive signaling architecture; reactive traceback process; Collaboration; Communication system traffic control; Computer architecture; Computer science; Computer security; IP networks; Internet; Monitoring; Telecommunication traffic; Tellurium;
Conference_Title :
Information and Communication Technologies, 2006. ICTTA '06. 2nd
Conference_Location :
Damascus
Print_ISBN :
0-7803-9521-2
DOI :
10.1109/ICTTA.2006.1684372