Tracing Anonymous Packets to Their Approximate Source
01 January 2000
Denial-of-service attacks are characterized by a flood of packets with random, apparently valid return addresses. These addresses are spoofed, created by a malicious program running on an unknown host, and carried by packets that bear no clues as to which host originated them. Identifying the source of such an attack requires tracing the packets back to the source, hop by hop. Current approaches for doing so, even when assisted by a script, require tedious continued attention and the cooperation of each intermediate Internet Service Provider (ISP). Neither constraint is well met in the current Internet industry climate. We outline a technique for tracing spoofed packets back to their actual source host without relying on the cooperation of intervening ISPs. First, we locate sources of network load, usually hosts or networks offering the UDP chargen service. Then, we map the paths from the victim to all possible networks. Finally, we work back through the tree, loading lines and routers and observing the effects on the loss statistics of the invading packets. We can often prune the tree and trace back to the attacking network.