On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack

K. Park, H. Lee

Research output: Contribution to journalConference articlepeer-review

247 Citations (Scopus)


Effective mitigation of denial of service (DoS) attack is a pressing problem on the Internet. In many instances, DoS attacks can be prevented if the spoofed source IP address is traced back to its origin which allows assigning penalties to the offending party or isolating the compromised hosts and domains from the rest of the network. Recently IP traceback mechanisms based on probabilistic packet marking (PPM) have been proposed for achieving traceback of DoS attacks. In this paper, we show that probabilistic packet marking-of interest due to its efficiency and implementability vis-à-vis deterministic packet marking and logging or messaging based schemes-suffers under spoofing of the marking field in the IP header by the attacker which can impede traceback by the victim. We show that there is a trade-off between the ability of the victim to localize the attacker and the severity of the DoX attack, which is represented as a function of the marking probability, path length, and traffic volume. The optimal decision problem-the victim can choose the marking probability whereas the attacker can choose the spoofed marking value, source address, and attack volume-can be expressed as a constrained minimas optimization problem, where the victim chooses the marking probability such that the number of forgeable attack paths is minimized. We show that the attacker's ability to hide his location is curtailed by increased the marking probability, however, the latter is upper-bounded due to sampling constraints. In typical IP internets, the attacker's address can be localized to within 2-5 equally likely sites which renders PPM effective against single source attacks. Under distributed DoS attacks, the uncertainty achievable by the attacker can be amplified, which diminishes the effectiveness of PPM.

Original languageEnglish
Pages (from-to)338-347
Number of pages10
JournalProceedings - IEEE INFOCOM
Publication statusPublished - 2001
Externally publishedYes
Event20th Annual Joint Conference on the IEEE Computer and Communications Societies (IEEE INFOCOM 2001) - Anchorage, AK, United States
Duration: 2001 Apr 222001 Apr 26


  • Denial of service attack
  • IP spoofing
  • Network security
  • Probabilistic packet marking
  • Traceback analysis

ASJC Scopus subject areas

  • Computer Science(all)
  • Electrical and Electronic Engineering


Dive into the research topics of 'On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack'. Together they form a unique fingerprint.

Cite this