The Reconstruction Procedure

To reconstruct the attack path, the following procedure is used. Initially, the victim checks for the presence of all neighbor routers in the Bloom filter of a received attack packet. The router that is recognized as an element of the filter is identified as the upstream router and is therefore integrated into the attack path. Afterwards, this selected router receives the Bloom filter from the victim and checks which neighbor router is also recognized as an element of the filter, identifying the next upstream router. This process is recursively repeated on each upstream router to reconstruct the actual path traversed by the packet. When a router does not recognize any neighbor router as an element of the filter, the process stops and this router may be considered the source of the attack.