Because the design of the IP protocol makes it difficult to determine the original sender of a packet, it is very easy for malicious users to fake an originating IP address, thereby making attacks very hard to trace. This paper proposes a better IP-traceback system called the Source Path Isolation Engine (SPIE).
Attempts to address the problem in previous works are not conclusive because of either too much overhead or dependence on the time interval of the flow. SPIE is an improvement because it reduces the overhead by storing 32-bit packet digests rather than the packet itself during auditing. SPIE also makes the following assumptions of "the worst" that can happen:
Here are the three major ideas of contribution for this paper:
I think this paper has a very clever idea of storing information available for a traceback. I give this paper a rating of 4 for significant contribution.
There are problems with this approach. First, packet transformations are very hard to deal with, and I don't think the authors have done an adequate job of addressing that issue. What if the malicious user has control of a router and segments packets in such a way that makes the first segment different from the rest? Second, I think the malicious users in the worst case can engineer packets that provide worst case scenarios for the Bloom Filter hash scheme, which can be problematic.
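As an added worked example (not code from the SPIE paper or from this review), here is a small model of the two mechanisms discussed above: each router keeps a Bloom filter of short packet digests instead of the packets themselves, and a traceback query asks every router whether it may have forwarded a given packet. The digest function (SHA-256 over the first 28 bytes with TTL and header checksum masked), the filter parameters, the router names and the sample packets are all assumptions of this example; the `false_positive_rate` method gives the estimate a practitioner would check when sizing such a filter, since a router that never forwarded a packet can still answer "yes" once its filter fills up, which is the risk behind the review's second concern.

```python
import hashlib
import ipaddress
import math
import struct

# Added example, not code from the SPIE paper or from this review.
# Digest function, masked fields, filter parameters and sample packets
# are assumptions made here for illustration.

def make_ipv4_packet(src: str, dst: str, ident: int, ttl: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 header (no options, zero checksum) plus payload. Constructed input."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                      # version 4, IHL 5
        0,                         # DSCP/ECN
        20 + len(payload),         # total length
        ident,                     # identification
        0,                         # flags / fragment offset
        ttl,
        6,                         # protocol: TCP
        0,                         # header checksum left zero; it is masked anyway
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return header + payload

def packet_digest(packet: bytes, prefix_len: int = 28) -> bytes:
    """32-bit digest over the first prefix_len bytes of the packet.
    TTL (byte 8) and header checksum (bytes 10-11) change at every hop, so they
    are zeroed first; masking exactly these fields is this example's choice."""
    buf = bytearray(packet[:prefix_len].ljust(prefix_len, b"\x00"))
    buf[8] = 0
    buf[10:12] = b"\x00\x00"
    return hashlib.sha256(bytes(buf)).digest()[:4]

class DigestBloom:
    """Bloom filter over packet digests: m bits, k bit positions per digest."""
    def __init__(self, m_bits: int, k: int):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)
        self.count = 0

    def _positions(self, digest: bytes):
        # k bit positions derived from the digest with a salted hash
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + digest).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, digest: bytes) -> None:
        for p in self._positions(digest):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.count += 1

    def might_contain(self, digest: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(digest))

    def false_positive_rate(self) -> float:
        """Standard estimate (1 - e^(-kn/m))^k for the current fill level."""
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k

def routers_that_saw(packet: bytes, routers: dict) -> list:
    """Traceback query: names of routers whose filter may contain the packet's digest."""
    d = packet_digest(packet)
    return sorted(name for name, bloom in routers.items() if bloom.might_contain(d))

def demo():
    """Three routers; the spoofed packet passes R1 then R2 (TTL decremented), never R3."""
    routers = {name: DigestBloom(m_bits=8192, k=3) for name in ("R1", "R2", "R3")}
    spoofed = make_ipv4_packet("203.0.113.7", "198.51.100.9", 0x1234, 64, b"GET /x")
    benign = make_ipv4_packet("192.0.2.5", "198.51.100.9", 0x0001, 64, b"GET /y")
    routers["R1"].add(packet_digest(spoofed))
    routers["R2"].add(packet_digest(
        make_ipv4_packet("203.0.113.7", "198.51.100.9", 0x1234, 63, b"GET /x")))
    routers["R3"].add(packet_digest(benign))
    # The victim holds the packet as received (TTL already lower); masking makes it match.
    received = make_ipv4_packet("203.0.113.7", "198.51.100.9", 0x1234, 62, b"GET /x")
    return routers_that_saw(received, routers)

if __name__ == "__main__":
    print("routers on the path:", demo())  # routers on the path: ['R1', 'R2']
```

Run as a script it prints the routers whose filters report the received packet; the masking step is what lets the same packet match at every hop even though its TTL differs, and `false_positive_rate()` shows how the answer degrades as a filter fills, which is why the audit window (how long a filter is kept before being rotated) has to be tied to the filter size and link rate.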