Next: License Agreement
Up: The RAT Traceback System
Previous: The Reconstruction Procedure
  Contents
Some advantages come from the adoption of this approach. First, the complete route of each packet can be determined individually. Every IP traceback system aims for this behavior, since it permits the identification of every source of a distributed attack, even one that contributed only a single packet. By enabling the backtracing of a single packet, the system becomes as scalable as it can be. Besides, no information needs to be stored in the network infrastructure. All traceback data is stored at the victim, who chooses whether or not to keep it according to the local security policy. Another advantage is the ability to trace an attack long after it is over and without any help from network operators.

On the other hand, additional processing overhead is introduced while each packet is routed. Moreover, the adoption of a Bloom filter introduces false positives into the attack path. During the reconstruction procedure, a false positive implies the incorrect integration of a router into the attack path. If this probability is small enough, the occurrence of false positives does not significantly impact the reconstruction. There would be some concurrent routes for the same packet, but the set of possible attackers would still be reduced.

Nevertheless, since the attacker controls the initial content of the packet, he can set all the filter bits to 1. When the filter is saturated, every router is integrated into the attack path during the reconstruction procedure, making it impractical to distinguish the real path. In order to minimize such misleading techniques and to make the system less dependent on the initial state of the filter, a generalization of the Bloom filter is proposed here [1].
Grupo de Teleinformática e Automação (GTA/UFRJ)