A marking scheme using Huffman codes for IP traceback

In (Distributed) Denial of Service attack ((D)DoS), attackers send a huge number of packets with spoofed source addresses to disguise themselves toward a target host or network. Various IP traceback techniques such as link testing, marking, and logging to find out the real source of attacking packets have been proposed. We present a new marking scheme (with marking and traceback algorithms) in which a router marks a packet with a link that the packet came through. Links of a router are represented by Huffman codes according to the traffic distribution among the links. If the packet runs out of space allotted for the marking field in the packet header then the router stores the marking field in the router's local memory along with a message digest of the packet. We analyze the memory requirement of routers to store marking fields, compare the new scheme with other existing techniques, and address practical issues to deploy the new scheme in the Internet. The new scheme marks every packet, therefore IP traceback can be accomplished with only a packet unlike in probabilistic markings; also it requires far less amount of memory compared to logging methods and is robust in case of DDoS.