Information Security Technical Update
IP Traceback

Distributed Denial of Service (DDoS) attacks are among the most menacing security threats on the Internet. To put down these attacks, the real source of the attack has to be identified. IP traceback is the ability to trace IP packets back through the network to the host that actually sent them, even when the source address they carry is forged.

The Internet Protocol

IP (Internet Protocol) is the primary protocol of the Internet communication standards. It delivers packets from the source host to the destination device based on the information carried in the packet header.

Structure of an IP packet

An IP packet is composed of a header, which carries the source IP address, the destination IP address and the other metadata required to route and deliver the packet, followed by the payload. Although the source IP address is stored in the header, it is filled in by the sender and never verified along the way, so address spoofing is possible.

Figure 1: Structure of an IP packet header. Fields in order: Version, IHL, Type of Service, Total Length; Identification, Flags, Fragment Offset; Time To Live, Protocol, Header Checksum; Source IP Address; Destination IP Address; Options, Padding.

Vulnerabilities of the protocol

The TCP/IP protocol suite was designed to deliver data reliably, but it does not secure the process [1]. In particular, the authenticity of the source address carried in IP packets is never checked by the network routing infrastructure. A motivated attacker can therefore easily mount a Denial of Service (DoS) attack. These attacks mainly rely on forged IP addresses, that is, on source address spoofing.

Source address spoofing

In an IP spoofing attack, an intruder sends packets carrying a forged source IP address. Replies are routed to the forged address rather than back to the attacker, so the attacker only obtains a one-way connection, through which attacks such as the execution of malicious code at the remote host can still be attempted [2]. This technique is most commonly used for DoS attacks, especially SYN flood attacks. A SYN flood is a form of DoS in which the attacker sends a succession of SYN requests to a target system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic [3].

Every TCP connection starts with a three-way handshake. The client sends a synchronization segment (SYN) to the server; the server acknowledges it by sending back a SYN-ACK and waits for the client's ACK. In an attack, the SYNs carry spoofed source addresses, so each SYN-ACK is sent to a host that never asked for a connection and the final ACK never arrives. Each such half-open connection occupies an entry in the server's connection backlog until it times out; once the backlog is full, new SYNs are dropped and legitimate users can no longer connect, degrading the service for them.
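The following Python example, added here and not part of the original article, makes the point of the "Structure of an IP packet" section and Figure 1 concrete. It packs and parses the fixed 20-byte IPv4 header, verifies the RFC 791 header checksum, and then rewrites the source address of a packet and recomputes the checksum. The addresses and the 4-byte payload are constructed sample values; the function names are this example's own.

```python
import struct
import ipaddress

IPV4_FMT = "!BBHHHBBH4s4s"   # the fixed 20-byte header of Figure 1, network byte order


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of
    the header's 16-bit words. Run over a header whose checksum field is zero
    it yields the checksum to insert; run over a header that already carries
    a correct checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6,
                      ttl: int = 64, ident: int = 0) -> bytes:
    """Build a 20-byte IPv4 header without options and fill in the checksum."""
    ver_ihl = (4 << 4) | 5                  # version 4, IHL = 5 words = 20 bytes
    fields = struct.pack(IPV4_FMT, ver_ihl, 0, 20 + payload_len, ident, 0,
                         ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    # bytes 10-11 are the Header Checksum field
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields of Figure 1 and report whether the checksum verifies."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    ihl_bytes = (ver_ihl & 0x0F) * 4
    header = packet[:ihl_bytes]
    return {
        "version": ver_ihl >> 4,
        "ihl_bytes": ihl_bytes,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "header_checksum": csum,
        "checksum_ok": ipv4_checksum(header) == 0,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": header[20:],
    }


def spoof_source(packet: bytes, fake_src: str) -> bytes:
    """Rewrite the source address of an existing packet and recompute the
    checksum. The checksum only guards against accidental corruption; nothing
    in the header binds the source address to the real sender, so the forged
    packet is indistinguishable from a genuine one to every router on the path."""
    ihl_bytes = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl_bytes])
    header[12:16] = ipaddress.IPv4Address(fake_src).packed   # Source IP Address field
    header[10:12] = b"\x00\x00"             # zero the checksum field before recomputing
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl_bytes:]


if __name__ == "__main__":
    # Constructed sample: a 4-byte payload behind a plain TCP/IP header.
    genuine = build_ipv4_header("192.0.2.10", "198.51.100.5", payload_len=4) + b"\xde\xad\xbe\xef"
    forged = spoof_source(genuine, "203.0.113.77")
    for label, pkt in (("genuine", genuine), ("forged", forged)):
        h = parse_ipv4_header(pkt)
        print(f"{label}: src={h['src']} dst={h['dst']} ttl={h['ttl']} checksum_ok={h['checksum_ok']}")
```

Note that a packet whose source field was altered without recomputing the checksum does fail verification, so the checksum is an integrity check against transmission errors, not against an adversary who controls the whole packet.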

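The next example, also added here and not taken from the article, models the three-way handshake and the SYN flood described above. It is a simplified simulation, not a real TCP stack: a listener keeps a bounded table of half-open connections (SYN received, ACK not yet received) that expire after a timeout, a legitimate client completes the handshake because the SYN-ACK really reaches it, and an attacker sends SYNs with forged sources whose SYN-ACKs go to hosts that never answer. The backlog size, the timeout, the addresses and the initial sequence numbers are assumed values chosen for the example.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Segment:
    """The parts of a TCP segment the handshake cares about.
    src is the IP address the segment *claims* to come from."""
    src: str
    sport: int
    flags: str          # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


class Listener:
    """Model of a TCP listener: a bounded table of half-open connections
    plus the set of established ones."""

    def __init__(self, backlog: int, syn_timeout: float):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.half_open = OrderedDict()   # (src, sport) -> (server_seq, created_at)
        self.established = set()
        self.dropped_syns = 0
        self._isn = 1000                 # deterministic ISN for the model (real stacks randomize)

    def _expire(self, now: float) -> None:
        """Half-open entries are only released when their timer runs out."""
        for key, (_, created) in list(self.half_open.items()):
            if now - created >= self.syn_timeout:
                del self.half_open[key]

    def receive(self, seg: Segment, now: float):
        """Process one incoming segment; return the SYN-ACK to send, if any."""
        self._expire(now)
        key = (seg.src, seg.sport)
        if seg.flags == "SYN":
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1          # no room left: the SYN is dropped
                return None
            self._isn += 1
            self.half_open[key] = (self._isn, now)
            # the SYN-ACK is addressed to seg.src, whoever that really is
            return Segment("server", 80, "SYN-ACK", seq=self._isn, ack=seg.seq + 1)
        if seg.flags == "ACK" and key in self.half_open:
            server_seq, _ = self.half_open[key]
            if seg.ack == server_seq + 1:       # third step of the handshake
                del self.half_open[key]
                self.established.add(key)
        return None


def legitimate_handshake(server: Listener, client_ip: str, sport: int, now: float) -> bool:
    """The client really owns client_ip, so the SYN-ACK reaches it and it answers."""
    client_seq = 100
    syn_ack = server.receive(Segment(client_ip, sport, "SYN", client_seq), now)
    if syn_ack is None:
        return False                            # SYN dropped, no connection
    server.receive(Segment(client_ip, sport, "ACK", client_seq + 1, ack=syn_ack.seq + 1), now)
    return (client_ip, sport) in server.established


def syn_flood(server: Listener, count: int, now: float) -> None:
    """The attacker sends SYNs with forged sources. Each SYN-ACK is routed to
    the forged address, which never sent anything and never replies, so no ACK
    arrives and every accepted entry stays half-open until it times out."""
    for i in range(count):
        forged_src = f"203.0.113.{i % 254 + 1}"   # constructed documentation addresses
        server.receive(Segment(forged_src, 40000 + i, "SYN", seq=i), now)


def simulate(backlog: int = 128, syn_timeout: float = 30.0, flood_size: int = 500) -> dict:
    """Handshake before the flood, the flood, a handshake during it, and one
    after the half-open entries have expired."""
    server = Listener(backlog, syn_timeout)
    before = legitimate_handshake(server, "192.0.2.10", 5000, now=0.0)
    syn_flood(server, flood_size, now=1.0)
    half_open = len(server.half_open)
    during = legitimate_handshake(server, "192.0.2.11", 5001, now=2.0)
    after = legitimate_handshake(server, "192.0.2.11", 5001, now=1.0 + syn_timeout)
    return {"before": before, "half_open": half_open, "dropped_syns": server.dropped_syns,
            "during": during, "after": after}


if __name__ == "__main__":
    print(simulate())
```

With the defaults the backlog of 128 fills after the first 128 forged SYNs, the remaining 372 are dropped, the legitimate client is refused while the flood is in effect, and service only returns once the half-open entries time out; a real attacker simply keeps sending so that they never do.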
