ICMP based IP traceback with negligible overhead for highly distributed reflector attack using bloom filters

Most of the schemes that mitigate DRDoS attack only provide mechanism for filtering the attack traffic. They do not provide any tool for tracing back to the attacker. The few schemes that perform IP traceback requires involvement of the reflectors which is quite difficult to obtain. They require reflectors to store huge amount of traffic logs and cooperate during the attack. Reverse iTrace is one of the only methods that help in identifying the attack source without any involvement of reflectors. However, it generates huge amount of overhead traffic and does not scale well in case of large number of reflectors. These problems have discouraged its deployment in the Internet. In this paper, we propose a system of two bloom filters known as Additive and Multiplicative Bloom Filters, which when incorporated with Reverse iTrace reduces the number of iTrace generated approximately by 100 times. It also prevents iTrace from becoming another DoS attack during the reflector attack. Our system has Attacker Identification Probability of around 95%. Moreover, it is highly scalable. Extensive mathematical analysis and experimental results obtained from traffic traces prove the effectiveness and accuracy of our work.