Anil Kulkarni, Swaroopa .


IP spoofing is a attack in which attacker launch the attack by using forged source IP address. It is long known attackers may use forged source IP address to conceal their real locations. To capture the spoofers, a number of IP traceback mechanisms have been proposed. However, due to the challenges of deployment, there has been not a widely adopted IP traceback solution, at least at the Internet level. As a result, the mist on the locations of spoofers has never been dissipated till now. Here it proposes passive IP traceback (PIT) that bypasses the deployment difficulties of IP traceback techniques. PIT investigates Internet Control Message Protocol error messages (named path backscatter) triggered by spoofing traffic, and tracks the spoofers based on public available information (e.g., topology). In this way, PIT can find the spoofers without any deployment requirement. Here it illustrates the causes, collection, and the statistical results on path backscatter, demonstrates the processes and effectiveness of PIT, and shows the captured locations of spoofers through applying PIT on the path backscatter data set. These results can help further reveal IP spoofing, which has been studied for long but never well understood.


Computer Network Security; Denial of Service (Dos); IP Traceback;


. S. M. Bellovin, “Security problems in the TCP/IP protocol suite,” ACM SIGCOMM Comput. Commun. Rev., vol. 19, no. 2, pp. 32–48, Apr. 1989.

. ICANN Security and Stability Advisory Committee, “Distributed denial of service (DDOS) attacks,” SSAC, Tech. Rep. SSAC Advisory SAC008, Mar. 2006.

. C. Labovitz, “Bots, DDoS and ground truth,” presented at the 50th NANOG, Oct. 2010.

. S. Savage, D. Wetherall, A. Karlin, and T. Anderson, “Practical network support for IP traceback,” in Proc. Conf. Appl., Technol., Archit. Protocols Comput. Commun. (SIG-COMM), 2000, pp. 295–306.

. S. Bellovin. ICMP Traceback Messages. [Online]. Available:, accessed Feb. 2003.

. A. C. Snoeren et al., “Hash-based IP trace-back,” SIGCOMM Comput. Commun. Rev., vol. 31, no. 4, pp. 3–14, Aug. 2001. D. Moore, C. Shannon, D. J. Brown, G. M. Voelker, and S. Savage,“Inferring internet denial-of-service activity,” ACM Trans. Comput. Syst., vol. 24, no. 2, pp. 115–139, May 2006. [Online]. Available:] M. T. Goodrich, “Efficient packet marking for large-scale IP traceback,” in Proc. 9th ACM Conf. Comput. Commun. Secur. (CCS), 2002, pp. 117–126.

. D. X. Song and A. Perrig, “Advanced and authenticated marking schemes for IP traceback,” in Proc. IEEE 20th Annu. Joint Conf. IEEE Comput. Commun. Soc. (INFOCOM), vol. 2. Apr. 2001, pp. 878–886.

. K. Park and H. Lee, “On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack,” in Proc. IEEE 20th Annu. Joint Conf. IEEE Comput. Commun. Soc. (INFOCOM), vol. 1. Apr. 2001, pp. 338–347.

. M. Adler, “Trade-offs in probabilistic pack-et marking for IP traceback,” J. ACM, vol. 52, no. 2, pp. 217–244, Mar. 2005.

. A. Belenky and N. Ansari, “IP traceback with deterministic packet marking,” IEEE Commun. Lett., vol. 7, no. 4, pp. 162–164, Apr. 2003.

. Y. Xiang, W. Zhou, and M. Guo, “Flexible deterministic packet marking: An IP trace-back system to find the real source of at-tacks,” IEEE Trans. Parallel Distrib. Syst., vol. 20, no. 4, pp. 567–580, Apr. 2009.

. R. P. Laufer et al., “Towards stateless sin-gle-packet IP traceback,” in Proc. 32nd IEEE Conf. Local Comput. Netw. (LCN), Oct. 2007, pp. 548–555. [Online]. Availa-ble: LCN.2007.160

. M. D. D. Moreira, R. P. Laufer, N. C. Fer-nandes, and O. C. M. B. Duarte, “A stateless traceback technique for identifying the origin of attacks from a single packet,” in Proc. IEEE Int. Conf. Commun. (ICC), Jun. 2011, pp. 1–6.

. A. Mankin, D. Massey, C.-L. Wu, S. F. Wu, and L. Zhang, “On design and evaluation of ‘intention-driven’ ICMP traceback,” in Proc. 10th Int. Conf. Comput. Commun. Netw., Oct. 2001, pp. 159–165.

. H. C. J. Lee, V. L. L. Thing, Y. Xu, and M. Ma, “ICMP traceback with cumulative path, an efficient solution for IP traceback,” in Information and Communications Security. Berlin, Germany: Springer-Verlag, 2003, pp. 124–135.

. H. Burch and B. Cheswick, “Tracing ano-nymous packets to their approximate source,” in Proc. LISA, 2000, pp. 319–327.

. R. Stone, “CenterTrack: An IP overlay net-work for tracking DoS floods,” in Proc. 9th USENIX Secur. Symp., vol. 9. 2000, pp. 199–212.

. A. Castelucio, A. Ziviani, and R. M. Salles, “An AS-level overlay network for IP trace-back,” IEEE Netw., vol. 23, no. 1, pp. 36–41, Jan. 2009. [Online]. Available:

. Castelucio, A. T. A. Gomes, A. Ziviani, and R. M. Salles, “Intradomain IP traceback us-ing OSPF,” Comput. Commun., vol. 35, no. 5, pp. 554–564, 2012. [Online].

. Al-Duwairi and M. Govindarasu, “Novel hybrid schemes employing packet marking and logging for IP traceback,” IEEE Trans. Parallel Distrib. Syst., vol. 17, no. 5, pp. 403–418, May 2006.

. M.-H. Yang and M.-C. Yang, “Riht: A nov-el hybrid IP traceback scheme,” IEEE Trans. Inf. Forensics Security, vol. 7, no. 2, pp. 789–797, Apr. 2012.

. Gong and K. Sarac, “A more practical ap-proach for single-packet IP traceback using packet logging and marking,” IEEE Trans. Parallel Distrib. Syst., vol. 19, no. 10, pp. 1310–1324, Oct. 2008.

. R. Beverly, A. Berger, Y. Hyun, and K. Claffy, “Understanding the efficacy of dep-loyed internet source address validation fil-tering,” in Proc. 9th ACM SIGCOMM Conf. Internet Meas. Conf. (IMC), 2009, pp. 356–369.

. G. Yao, J. Bi, and Z. Zhou, “Passive IP tra-ceback: Capturing the origin of anonymous traffic through network telescopes,” in Proc. ACM SIGCOMM Conf. (SIGCOMM), 2010, pp. 413–414. [Online]. Available:

. J. Postel. Internet Control Message Protocol, RFC792. [Online]. Available:, accessed Sep. 1981.

Full Text: PDF


  • There are currently no refbacks.

Copyright © 2012 - 2021, All rights reserved.|

Creative Commons License
International Journal of Innovative Technology and Research is licensed under a Creative Commons Attribution 3.0 Unported License.Based on a work at IJITR , Permissions beyond the scope of this license may be available at