
The RAT Traceback System

The proposed IP traceback system is based on the packet-marking approach to avoid state storage at routers. Instead of using a marking procedure such as the one suggested by Savage et al. [3], each router inserts a "signature" into the packet to indicate its presence on the path. A Bloom filter [4] is employed to reduce the amount of information inserted into the packet and to limit the size of this information to a fixed value, which avoids packet fragmentation. In addition, the use of a generalized Bloom filter prevents "signature" forgery by the attacker and, therefore, backtracing failures. To reduce the space required in each packet and to avoid the processing cost of appending data to packets, the attack route is stored in a Bloom filter built into the packet itself. Hence, a static field must be allocated in the packet header for the Bloom filter.
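
The marking idea described above, as an added example (not code from the original work): each router ORs a fixed number of hash-derived bits into a fixed-size filter carried in the header, and the victim tests upstream neighbours against it. It uses a standard Bloom filter rather than the generalized one; the field size, hash construction, topology, addresses and the neighbour-walk reconstruction are all assumptions made for illustration.

```python
import hashlib

M_BITS = 128   # assumed size of the static header field, in bits
K_HASHES = 4   # assumed number of hash functions
# Constructed topology: router -> upstream neighbours (documentation addresses).
TOPOLOGY = {
    "192.0.2.1": ["192.0.2.2", "192.0.2.3"],
    "192.0.2.2": ["192.0.2.4", "192.0.2.5"],
    "192.0.2.3": ["192.0.2.6"],
}
ATTACK_PATH = ["192.0.2.4", "192.0.2.2", "192.0.2.1"]  # attacker side first

def bit_positions(router_ip):
    """Derive K_HASHES bit positions from the router address (its 'signature')."""
    return [int.from_bytes(hashlib.sha256(f"{i}:{router_ip}".encode()).digest()[:8],
                           "big") % M_BITS for i in range(K_HASHES)]

def mark(filter_bits, router_ip):
    """Router side: OR the signature into the filter; the field never grows."""
    for pos in bit_positions(router_ip):
        filter_bits |= 1 << pos
    return filter_bits

def on_path(filter_bits, router_ip):
    """Victim side: membership test. False positives possible, false negatives not."""
    return all((filter_bits >> pos) & 1 for pos in bit_positions(router_ip))

def forward(path):
    """Carry one packet along `path`, letting every router mark it."""
    bits = 0
    for ip in path:
        bits = mark(bits, ip)
    return bits

def reconstruct(filter_bits, last_hop):
    """Walk upstream from the victim's router through neighbours found in the filter."""
    route, frontier, seen = [], [last_hop], {last_hop}
    while frontier:
        node = frontier.pop()
        route.append(node)
        for upstream in TOPOLOGY.get(node, []):
            if upstream not in seen and on_path(filter_bits, upstream):
                seen.add(upstream)
                frontier.append(upstream)
    return route

if __name__ == "__main__":
    received = forward(ATTACK_PATH)
    print(f"{received:032x}", reconstruct(received, "192.0.2.1"))
```

Because membership tests can return false positives, the reconstructed route is a superset of the true path; the marked routers themselves are never missed.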




Grupo de Teleinformática e Automação (GTA/UFRJ)