IP traceback solutions based on time to live covert channel
16 November 2004
Due to its stateless nature, the Internet Protocol (IP) requires forwarding devices to know only each packet's next hop in order to route an IP datagram towards its final destination. Because identification of the source relies solely on information provided by the sender itself, IP makes it extremely difficult to correctly identify the real origin of any datagram. We propose a novel way to locate the entry point of an IP flow into a given network domain, based on a marking method that uses the IP header time-to-live (TTL) field as a covert channel to carry the information. The proposed solution overcomes drawbacks that undermine previous traceback schemes based on overloading various IP header fields, and it does not rely on attack signatures.