Being able to trace an Internet attack back to its origin is of strategic importance for the security of our cyberspace. However, it is particularly challenging because of the evasion techniques that attackers use: IP spoofing and attacking across stepping stones. A number of attack traceback methods have been proposed, but most of them deal with DoS/DDoS attacks or do not perform well in a non-cooperative or hostile environment. In this contribution, we propose a single-packet, host-based traceback scheme. It consists of two phases: Cross-Validation, for coping with IP spoofing, and Pebble-Trace, for uncovering the location of the original attack host. Cross-Validation is the process by which a validation server analyzes an attack packet and determines whether its source IP address is spoofed, in order to decide on the feasibility and strategy of traceback. If a source IP address is invalid, we can only blacklist and block it. Otherwise, we propose a new technique called Pebble-Trace to uncover the original source of the attack by means of probing packets. While a probing packet from the validation server traverses the stepping stones toward the attacker, it spreads tracing packets along its way, which "report" the IP address of each machine that it traverses (or that its payload passes through) back to the validation server. All trace operations are done automatically and secretly to prevent the attacker from detecting and evading the process.