Hybrid Multilayer Network Traceback to the Real Sources of Attack Devices

With the advent of the Internet of Things (IoT), major information security risks are hidden behind these devices. Attackers can conceal their actual attack locations by spoofing IP addresses to attack IoT devices, so law enforcement cannot easily track them. Therefore, a method to trace stealth attacks is required. Conventional IP traceback methods trace attackers only on the network layer and cannot infer the path information of a packet traversing a switch. This article proposes a method to simultaneously trace back attack sources at the network layer and the data link layer with only a single packet. Even if the core network contains a switch or if multiple attackers launch attacks from different locations, the method can correctly trace back the true devices responsible for the attacks, and its achievements include a zero false negative rate and a low false positive rate.


I. INTRODUCTION
Many manufacturers have connected applications required in our daily lives to the Internet. Using the cloud to centralize storage and analysis systems, they provide various monitoring and management services to render our lives more comfortable and convenient. However, if a system design is not robust or if consumer habits are poor, threats to information security arise. In particular, attacks on equipment related to security and privacy such as automobile driving control, electronic door locks, and Internet of things (IoT) devices security monitors can have disastrous consequences [1], [2].
Incidents of cyberattacks have increased, both in terms of number and scale, and damage time and effects have also intensified. Due to the anonymity of the Internet, cybercrime is difficult to detect, especially the common distributed denial of service (DDoS) attacks on IoT systems. Moreover, the major challenge that remains in dealing with a DDoS attack is differentiating between normal and malicious packets [3].
The associate editor coordinating the review of this manuscript and approving it for publication was Tony Thomas.
The attacker can easily conceal or falsify the true source of the attack using technologies such as a proxy, VPN, fake IP, public network or wireless network, or zombie computers, and thereby becomes difficult to trace [4]. This has caused the present-day frequent occurrence of cyberattacks and the continuous emergence of cybercrime, especially advanced persistent threat (APT) attacks [5]. However, even when an APT attack is detected, to effectively curb cybercrime, the development of packet analysis that easily traces the source of an anonymous attack is a key priority for the present-day development of information security and network forensics [6].
Current methods of tracing back anonymous attacks primarily comprise methods such as packet marking, packet logging traceback, and hybrid IP traceback. The packet-marking method can be divided, according to the frequency of packet marking, into the following: deterministic packet marking, which marks all packets passing through the ingress router of a network [7]-[13], and probabilistic packet marking, which marks passing packets probabilistically [14]-[22]. Furthermore, Liu et al. [23] proposed a trust-aware probability marking traceback scheme. The marking rate depends on whether nodes are trustable or not. To trace back an attack using a single packet, research has proposed the packet logging traceback [24]-[27] and hybrid IP traceback [28]-[38]. If the IP traceback employs traceback on the network layer, the true location of the attacker is difficult to trace. Praveena et al. [36] proposed a log-based traceback that uses the Unicast Reverse Path Forwarding (RPF) function to detect the source. Ling et al. proposed a method to alter the TCP flow control messages in server-side switches of Software-Defined Networking (SDN) networks to trace the source [39]. Li et al. [40] developed a log-based IP traceback architecture suitable for partial deployment scenarios at the ISP level. Thus, Baba and Matsuda [41] used the data link layer to trace back the source of attackers. However, this method traces back only to the edge router closest to the attacker and not to the location of the device that launched the attack.
VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Accordingly, Hazeyama et al. [42] transmitted the following information inside a switch to the edge router: port, network interface identifier, virtual local area network identifier, source Media Access Control (MAC) address, destination MAC address, and packet digests. Once an attack occurs, this information can be used to infer the port and network interface identifier of the attack packet and thereby trace the device location of the attack source. However, because this method stores the information of packets from the upper-layer switch only, once the network architecture of the attack source exists on a switch with more than two layers, locating the true device on the attacking end becomes impossible.
Snow and Park [43] proposed methods for hybrid packet marking and storage that placed information entering a switch, such as the port, switch ID, and packet digests, in the existing packet and then transmitted them to the next switch, repeating until the edge server is reached. Although this method can trace back the true device at the attacking end, implementation is difficult because the packet mark cannot readily be attached to data link layer packets that meet special standards.
Marios et al. [44] therefore established a bloom filter at every port as a log table. When a packet enters a switch through a port, that switch uses a hash function to obtain an index value and set the index of the bloom filter for that port to 1. After an attack, the index must only be individually confirmed to be 1 for the true device on the attacking end to be identified. However, this method is characterized by the disadvantages of large storage space and a false positive rate that increases substantially with time and the number of packets.
Internet service providers often employ an Internet Exchange Point (IXP) to increase transmission efficiency and lower costs. As a result, more switches exist in the core network environment, which prevents the ports between routers from being in a one-to-one relationship. However, most existing tracebacks fail to consider that the core network environment may include switches [45]. Therefore, when a path is reconstructed using the IP traceback method, tracing back to the actual attack source may be impossible due to a one-to-many situation.
Currently, no attack source traceback method can simultaneously perform packet traceback at the network layer and the data link layer. Therefore, directly tracing the actual attack launch device of the hidden source from the victim end is inefficient. This study therefore proposes a method to simultaneously trace attack sources at the network layer and data link layer. This method combines tracebacks at the network layer and data link layer and, in the switch, uses a switch port mirroring device (TAP) for logging, and uses the Time to live (TTL) value of the IP headers as a judgment for terminating the traceback, thereby obtaining the number of routers from the attack source. Even if the core network includes switches, the attack source can be accurately traced using a single packet. The primary contributions of this study are as follows:
• Hybrid network layer and data link layer traceback method.
• Ability to simultaneously trace several attacks from various sources.
• Inclusion of switches in the core network environment does not decrease the accuracy of attack source tracing.
• Ability to traceback to the true attack source device rather than only to an edge router.
• Zero false negative rate and low false positive rate in tracebacks at the network layer.
Section 2 of this article first defines the attacker's attack model and the environments in which this method is applicable and then details the marking methods and logging mechanisms of the researchers as well as path reconstruction methods following attacks. Next, Section 3 analyzes storage capacity and accuracy and conducts comparisons with other relevant studies. Section 4 introduces the conclusion of this article.

II. HYBRID SINGLE-PACKET TRACING FOR TRUE SOURCE MARKING AND LOGGING
In this article, a single packet traceback is proposed. In comparison to conventional IP tracebacks, this method traces the edge router in front of the attacker and also the true source of the attack or the device that launched the attack. When tracing the true source of the attack, in addition to tracing the attacker's edge router at the network layer, this method further combines tracing technology at the link layer to find the actual source device from which the attacker launched the attack.
In the Internet's routing architecture, the routers of each Internet service provider (ISP) operator form an autonomous system (AS). An autonomous system is a collection of connected routers on behalf of a single administrative domain that presents a common routing policy. ISPs exchange packets through the IXP framework. As shown in Figure 1, the core network includes switches, such that one interface of a router may be connected to an edge router of an autonomous system. Many IP tracing methods are unable to trace back attack sources when the packets go through the IXP framework. For example, when an attack packet is sent from an edge router of the autonomous system AS 1, it traverses the IXP switch, enters the edge router of another autonomous system AS 3, and then detours to the destination, as shown in Figure 1. When the IP tracing method traces the source of that attack packet to the edge router of AS 3, it may infer an incorrect source, such as the edge router of AS 2 or AS 4, due to more than one upstream path or changes in the table of the switch, and therefore be unable to accurately locate the attacker's device. The attack methods themselves may also make the source impossible to trace. Furthermore, attackers also attempt to evade tracing by designing a special mark or using other methods when an attack packet is sent, causing tracing methods to become ineffective. Therefore, prior to detailing the tracing method in this study, the attack model of the attacker must first be defined to determine the attack types that the proposed method can withstand:
• Multiple attackers simultaneously launching one or multiple attacks from various locations.
• Attackers simultaneously spoof their IP and MAC addresses.
• Attackers specifically fabricate a spoofed packet mark to mislead the trace direction.
We assume that attackers launch multiple exploits of the same victim from multiple locations or from one-to-many Denial-of-Service (DoS) attacks. Therefore, the method proposed in this study must be able to trace multiple attack sources simultaneously. When a router forwards a packet, it uses only the destination address to determine the downstream router that requires forwarding and does not verify the location of the source IP. Therefore, attackers can impersonate the source IP to hide their locations. We also assume that this traceback is public. Therefore, the attacker attempts to fabricate a spoofed packet mark when sending the packet and thereby render the attack source impossible to trace with network layer traceback. Although, during the transmission of the packet, the MAC address is changed to that of the router after the edge router is traversed, the spoofed MAC address nevertheless renders the link layer traceback based on MAC traceback unable to trace the attack source. Therefore, the attack source device must be inferred under the assumption that the MAC address is spoofed or modified by the attacker.
To trace the source locations of attackers that meet the aforementioned conditions and to define the applicability of this method, the traceback of this study must fulfil the following conditions:
• Routers and switches are secure and can resist intrusion by attackers.
• Routers know whether a packet is from the local area network (LAN) or a core network.
• The network topology does not change frequently.
The proposed algorithm marks packets as they traverse the router and performs logging as they traverse the switch. To correctly trace back the attack source, as in other studies, the routers and switches were assumed to be secure, so that attackers could not intrude into these network devices and modify or destroy the contents of the mark and log table, which would render the attack source impossible to trace.
The assumption that the routers and switches are secure was considered reasonable because, if attackers possess the ability to compromise these network devices, they possess the ability to perform more advanced attacks than we expected to prevent. Because the time used for a packet to pass through a network device, arrive at the destination end, and be detected as an attack packet is usually merely a few seconds, the researchers believed that, in most situations, the network topology would not change in such a short period of time and therefore would not cause the original network device port to differ from the upstream device. The researchers primarily investigated methods to trace back the source of the attacker and assumed that the victim end could detect attacks; methods to detect intrusions are not discussed in this section.
However, to trace the attacker, space is required for marking. The researchers employed the identification, flag, and fragment offset fields of the IP header, as shown in Figure 2, which provide a total of 32 bits of space to mark path information. When a packet enters the LAN or IXP service range, in contrast to the network layer, where attack information can be recorded on the packet, the link-layer packet header has no similar means of recording path information without affecting the space for packet transmission.
Therefore, for the packet transmission path information of the link layer, packet logging was employed to generate a digest as the index of a table using the 20 bytes of the IP packet header in the link-layer data and the 12 bytes that included the source MAC address and destination MAC address.
This digest was used to record a packet's traversing of a switch, and the packet log table also recorded the port from which the packet entered this switch. Because the researchers recorded two types of information, an n × m two-dimensional packet log table was required, as shown in Figure 3, where n is equal to the number of ports of this switch and m refers to the size of the bloom filter. When a packet enters from port number r, the index value calculated by its packet header content is x, and the location of the r-th column and x-th row of the packet log table is set to 1. For example, if a packet enters from port 3 and the calculated index of that packet is 6, as shown in the gray field in Figure 3, the value of the field in the log table is set to 1 to record that packet entry from port 3.
The proposed traceback comprises two main stages. The first stage is the mark/log stage, and the second is the path reconstruction stage.

A. MARKING AND LOGGING MECHANISMS
To trace the true source from which an attacker launched an attack and to solve the dilemma of IXP services in the core network, which may render the stealth IP traceback method ineffective, the researchers proposed a novel hybrid multilayer, multisource stealth forensic traceback method for attack sources that combines network-layer IP tracing and link-layer MAC tracing.
To resolve the complication whereby these devices process only the link-layer packet header, link-layer tracing technology was employed in this study. A TAP was used to mirror packets from the switch, and the packet log table with its bloom filter was used to record the port of the switch from which the packet had entered, in order to trace back the packet source in the link layer [44], [46], [47]. To efficiently identify the movement path of attack packets traversing the entire Internet and entering the LAN, the researchers proposed a packet traceback that integrates the network layer and link layer to trace the attacker device sending attack packets. Table 1 is the table of symbols required for the proposed method.
To save the marking space required to encode a path and also take into account the accuracy of the traceback source, the proposed IP tracing method combines use of router-level and AS-level IP tracebacks. Because an attacker may launch an attack from a device in the source's autonomous system (AS) to a victim device in the destination AS, router-level tracebacks must be implemented at the source AS and the destination AS to ensure that the attack-launching device can be accurately located even if the attacker or victim does not traverse the gateway router of the AS. Excluding the two AS of the source and destination, the packet begins only from the gateway router of the source, traverses the gateway routers of all the intermediate AS, and enters the gateway router of the destination. Therefore, when the packet traverses other AS between the routers, an AS-level traceback is employed in which marking is required only on the gateway router of the AS to save marking space required for encoding routers. When the packet traverses the IXP service and LAN of the core network location, because these network segments use switches to forward this packet, network-layer technology can no longer be used to process the packet.
The network-layer marking algorithm is composed of two types of tracebacks: AS-level packet marking and router-level packet marking. AS-level packet marking uses the hash value generated by the AS number passing through the hash function to perform XOR with the packet mark (initial value 0) contained in the received packet and then performs a circular left shift on the XOR result. The circular left shift is performed to prevent elimination of two identical packet mark values on the same path due to XOR. To save space for encoding marks, router-level packet marking is performed only on the source AS and the destination AS: after the packet leaves the source AS, the other AS do not calculate router-level marks between routers until the packet reaches the destination AS.
When router R i receives a packet P, it first determines whether the packet is from the LAN. If it is, R i is the first router the packet has encountered. The router first initializes the packet mark; namely, it sets the router-level packet mark and AS-level packet mark to 0 and the TTL of the packet to the maximum value, so that an attacker cannot carefully design a packet mark value when sending the packet. The purpose of this initial setting is to prevent a nonzero packet mark from entering the network, which would cause the traceback to determine the trace stop time incorrectly and trace to the wrong attacker device, and to avoid the problem that different operating systems generate different initial TTL values, which makes it difficult to determine the accurate hop count that a packet has traversed.
When R i receives a packet P that is not from the LAN, as shown in the algorithm in Figure 4, the router uses the router-level mark in the packet to first perform division and then add the identifier value of the port by which that packet entered, thereby obtaining a new mark. This mark is then written into the packet, and the packet is sent to the next router.
If the packet P traverses the ingress router of any AS, as shown in Figure 5, that router uses the AS-level mark line in the packet to perform a circular left shift and then perform an XOR using the ASN of the current AS and the value obtained using the hash function.
When a packet enters the IXP service area, namely, when a packet encounters the switch in the core network, the switch mirrors the packet into the TAP by means of the monitoring port. Next, after the link layer of the packet is calculated, logging in the packet log table is completed. After receiving the packet, the switch first retrieves the link-layer digest in the packet and the source MAC address. The former is used for recording, whereas the latter is used to obtain the port from the MAC address table. The switch hashes the layer 2 header and the first 20 bytes of payload of the received packet to determine the index, and the location of the packet log index value of the port is set to 1, as shown in Figure 6.
Finally, if the packet arrives at a new AS and the upstream is an IXP service area, the digest value of the packet is first generated, and a packet log table is used to record the source of this packet as the IXP service area. During traceback, this is used as a criterion for determining whether to switch the link-layer traceback.
Figure 7 shows an example of four senders sending to the same destination via eight routers. Four AS are distributed in between, where the hash values of AS 1, AS 2, AS 3, and AS 4 are 1, 12, 21, and 23, respectively. The packet sent by Attacker1 enters the network from router R 1 and, after traversing R 2, R 3, the IXP service area, R 6, and R 7, reaches the destination. The TTL is set to 255 when the packet first enters R 1, and the current TTL is saved when the packet leaves the source AS to enable judgment of the distance from the attack source during path reconstruction. After the packet reaches the destination AS (AS 4), the TTL is again set to 255.
The packet sent by Attacker1 is sent to the ingress router of AS 1. Because the packet comes from the LAN, the router first initializes the router-level and AS-level marks and then uses the current AS-level packet mark to perform XOR with the value of ASN 1 passed through the hash function (00001), yielding a value of 00001. Because AS 1 is the source AS of the packet, operations of the router-level mark are performed. When the packet is located at R 1, the packet mark and the upstream router's interface number are calculated together to obtain [1/(M + 2)] + UI + 1 = [1/(0 + 2)] + 7 + 1 = 8.5, and the packet is then sent to R 2. Arriving at R 2 also means arriving at a new AS. The AS-level mark is calculated to obtain 01110, and, because the router is not located at the source AS or destination AS, the original value of the router-level mark is maintained, and calculation is not performed. Once the packet reaches the destination AS, the TTL value in the packet is first set to 255, then the AS-level mark is calculated to yield a new value, and finally the router-level mark is calculated. Because the router does not distinguish between benign and malicious packets when marking packets, the destination also receives marked, benign packets, as shown in Figure 7. The victim receives packets sent by normal users with M_AS = 01011, M = 11.0898204, and M_AS = 01111, M = 11.089655, respectively. In AS 1, one benign user and one malicious user send packets to R 1; the router calculates the index of these two packets using the algorithm in Figure 6 and writes the TTL = 4 values into the table.
When the packet leaves the source AS, a table is first set in the egress router. This table primarily logs the TTL value of the packet. During the traceback process, when tracing reaches the source AS, the TTL is extracted from this table to obtain the distance from the attack source. Before the attack packet leaves AS 1 and AS 3, as in the example Figure 7 provides, it sets a table at the respective egress routers R 1 and R 5. The packet digest values are passed through a hash function to calculate an index value, and the TTL value is placed into the table entry to which that index value corresponds.
When the packet reaches the IXP service, logging is used for the packet. The source MAC address is first used to identify the port from which the packet reached the switch (the port is 2). Next, the link-layer digest value in the packet is calculated, and the hash function is used on this digest value to obtain an index value (as Figure 7 depicts). The index value field in the packet log table corresponding to port 2 is then set to 1.
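The per-port log table and the lookup that path reconstruction later performs on it, as an added example that is not code from the article: it logs constructed frames the way the TAP is described as doing and counts how many lookups return more than one candidate port for a small and a large filter size. Assumptions: SHA-256 stands in for the unspecified hash function, frames are untagged Ethernet II, and the names `PortLogTable`, `make_frame` and `lookup_stats` are hypothetical.

```python
import hashlib
import struct


def make_frame(src_mac, ip_id, dst_mac=b"\x02\x00\x00\x00\x00\xfe"):
    """Constructed untagged Ethernet II frame carrying a 20-byte IPv4 header."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20,            # version/IHL, TOS, total length
        ip_id, 0,               # identification, flags + fragment offset
        255, 6, 0,              # TTL, protocol, checksum (left 0 in this sample)
        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]),
    )
    return dst_mac + src_mac + b"\x08\x00" + ip_header


class PortLogTable:
    """n x m bit table: one m-bit row per switch port."""

    def __init__(self, n_ports, m_bits, mac_table):
        self.m = m_bits
        self.rows = [bytearray((m_bits + 7) // 8) for _ in range(n_ports)]
        self.mac_table = mac_table          # source MAC -> ingress port

    def index(self, frame):
        # Digest input: 12 bytes of MAC addresses plus the 20-byte IP header.
        digest_input = frame[0:12] + frame[14:34]
        h = hashlib.sha256(digest_input).digest()   # hash choice is an assumption
        return int.from_bytes(h[:8], "big") % self.m

    def log(self, frame):
        """Mirror path: find the ingress port from the source MAC, set the bit."""
        port = self.mac_table[frame[6:12]]
        i = self.index(frame)
        self.rows[port][i >> 3] |= 1 << (i & 7)
        return port

    def candidate_ports(self, frame):
        """Traceback path: every port whose row has the packet's bit set."""
        i = self.index(frame)
        return [p for p, row in enumerate(self.rows)
                if row[i >> 3] & (1 << (i & 7))]


def lookup_stats(m_bits, frames_per_port=500, n_ports=4):
    """Return (missed, ambiguous) lookup counts for a filter of m_bits per port."""
    macs = {bytes([0x02, 0, 0, 0, 0, p]): p for p in range(n_ports)}
    table = PortLogTable(n_ports, m_bits, macs)
    frames = [make_frame(mac, ip_id)
              for mac in macs for ip_id in range(frames_per_port)]
    truth = [table.log(f) for f in frames]
    missed = sum(t not in table.candidate_ports(f)
                 for f, t in zip(frames, truth))
    ambiguous = sum(len(table.candidate_ports(f)) > 1 for f in frames)
    return missed, ambiguous


if __name__ == "__main__":
    for m in (8, 2 * 2000, 1 << 20):
        missed, ambiguous = lookup_stats(m)
        print(f"m={m:>8}  missed={missed}  ambiguous lookups={ambiguous}/2000")
```

The true ingress port is always among the candidates, so the table never misses; what a small m costs is extra candidate ports, which is the one-to-many ambiguity the traceback then has to follow.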

B. PATH RECONSTRUCTION
When a victim suffers an intrusion, the victim terminal searches for an attack source and activates a traceback. The traceback reconstructs the path according to the log table in the switch and the mark and TTL in the packet. First, the router-level traceback is shown in Figure 8. The mark is used with the floor() function to obtain the interface number of the upstream router, the UI obtained is substituted into an inverse function to calculate the previous router-level mark, and, from the UI, the traceback continues further into the previous layer. When the TTL is equal to 255 and the AS-level mark is equal to 0, this indicates that the attack path has been found, and the network-layer traceback is stopped.
The router-level algorithm performs only calculations at the source AS and the destination AS. In other environments, an AS-level traceback is employed. Its algorithm is shown in Figure 9. The researchers first use the current ASN for the hash function and then perform XOR with M_AS. Next, a circular left shift is performed to obtain the mark made by the previous AS. When the router-level mark is calculated to the destination AS edge router, it sends a traceback request to all upstream AS until an M_AS is equal to 0, revealing the correct AS traceback path.
Figure 11 shows the paths of two attackers during reconstruction. When the victim terminal detects an attack, it activates a traceback to trace the attack source. The victim terminal first performs calculations for the packet marks of the two attack packets (M = 11.0901288, M_AS = 01011) and (M = 11.089915, M_AS = 11100) according to the formula of the algorithm. The two router-level packet marks are passed through the floor() function, revealing that the interface numbers of the upstream routers are all 10 and that the packet marks marked by the previous router are (M = 9.095238) and (M = 9.121621). After this information is obtained, the calculated marks can be sent to the upstream device using the upstream routers' interface numbers and calculation continued for devices that are further upstream. The AS-level packet mark undergoes XOR and a circular left shift to obtain (M_AS = 01110) and (M_AS = 10101). The router-level mark traces back to R 6, which means it has reached the AS 4 edge router. After the router-level mark is calculated, the packet digest value is used to determine whether the upstream is an IXP service area. If it is, it switches to a link-layer traceback. If it is not, a traceback message is sent to each upstream AS.
According to the figure, because the calculation result is derived from a packet from the IXP service area, a switch is performed to a link-layer traceback to continue traceback. After entering the IXP service area, the link-layer digest value in the packet passes through the hash function for the index value to be calculated, and the packet log table corresponding to every port in the switch is searched to obtain the upstream router's interface number. A traceback at the network layer is then continued.
After the packet of Attacker1 leaves the IXP service area, it first arrives at an AS. After an AS-level mark is calculated to obtain the value 01110, a request is sent to all AS upstream of the AS until one of the AS calculates an AS-level mark value of 0; this indicates that the traceback has reached the source AS. The subsequent traceback continues as a router-level traceback.
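The marking of Section II-A and the network-layer reconstruction described above, as an added example that is not code from the article: it replays the Attacker1 values with exact fractions (interface numbers 7, 8 and 10 reproduce the marks 8.5, 9.095238 and 11.0901288; AS hash values 1, 12 and 23 reproduce 00001, 01110 and 01011), then stores a mark in a 32-bit float to show the precision loss that Section III reports for 32-bit marks. Assumptions: the 5-bit AS mark width of the worked example, the operation order that reproduces its numbers (rotate left then XOR when marking, XOR then rotate right when tracing), a hop count passed in by the caller in place of the logged TTL, and a constructed ten-router path.

```python
import math
import struct
from fractions import Fraction

AS_BITS = 5                       # AS-level mark width in the worked example
AS_MASK = (1 << AS_BITS) - 1


def rotl(x):
    """Circular left shift of an AS_BITS-wide value."""
    return ((x << 1) | (x >> (AS_BITS - 1))) & AS_MASK


def rotr(x):
    """Circular right shift, the inverse of rotl."""
    return ((x >> 1) | ((x & 1) << (AS_BITS - 1))) & AS_MASK


def as_mark(m_as, as_hash):
    """Ingress router of an AS: rotate the received mark, then XOR hash(ASN)."""
    return rotl(m_as) ^ as_hash


def as_unmark(m_as, as_hash):
    """Traceback step: remove one AS. A result of 0 means the source AS."""
    return rotr(m_as ^ as_hash)


def router_mark(mark, ui):
    """One router-level hop: M' = 1/(M + 2) + UI + 1."""
    return 1 / (mark + 2) + ui + 1


def mark_path(uis):
    """Mark a packet along a list of upstream interface numbers (exact)."""
    mark = Fraction(0)            # the first router resets the mark to 0
    for ui in uis:
        mark = router_mark(mark, ui)
    return mark


def trace_router_level(mark, hops):
    """Peel `hops` router-level marks; returns (interfaces, remaining mark).

    `hops` stands in for the distance derived from the logged TTL (assumption).
    """
    uis = []
    for _ in range(hops):
        whole = math.floor(mark)
        frac = mark - whole
        if whole < 1 or frac <= 0:    # no router could have written this value
            break
        uis.append(whole - 1)         # UI = floor(M) - 1
        mark = 1 / frac - 2           # inverse of router_mark
    return uis, mark


def to_float32(mark):
    """Value the mark takes when stored in a 32-bit IEEE 754 field."""
    return struct.unpack("f", struct.pack("f", float(mark)))[0]


def mark_bits(mark):
    """Bits needed to hold the exact mark as numerator plus denominator."""
    return mark.numerator.bit_length() + mark.denominator.bit_length()


PAGE_PATH = [7, 8, 10]                            # Attacker1: R1, R6, R7
LONG_PATH = [7, 9, 12, 8, 14, 10, 7, 11, 13, 9]   # constructed, ten routers

if __name__ == "__main__":
    m_as = 0
    for h in (1, 12, 23):                         # hash(AS 1), hash(AS 2), hash(AS 4)
        m_as = as_mark(m_as, h)
        print("M_AS =", format(m_as, "05b"))
    m = mark_path(PAGE_PATH)
    print("M =", float(m), "traced:", trace_router_level(m, 3)[0])
    exact = mark_path(LONG_PATH)
    print("exact mark needs", mark_bits(exact), "bits")
    print("exact trace  :", trace_router_level(exact, 10)[0])
    print("float32 trace:", trace_router_level(to_float32(exact), 10)[0])
```

Each hop pushes the earlier interface numbers deeper into the fractional part, so the three-hop mark survives a 32-bit float while the ten-hop mark does not.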

III. ANALYSIS OF STORAGE CAPACITY AND ACCURACY
In this section, the accuracy of the algorithm is discussed. First, the experimental environment of this method is introduced.

A. EXPERIMENTAL ENVIRONMENT
To analyze the storage requirements for the router, CAIDA's Ark ITDK was used to generate a network topology. The Ark data set was composed of multiple IP paths generated by traceroute. Because some routers may not respond to pings, some path data were incomplete. Therefore, only 3,804 complete paths were taken from the data to establish the network topology required. The analysis results of Ark data path length are shown in Figure 12. These data had a total of 10,222 routers, 661 AS, an average path length of 17.74, and 16 IXP in the topology.

B. ANALYSIS OF STORAGE CAPACITY
For this method, a log table is set at the edge router of the source AS to store the digest value and TTL value of a packet. Its primary purpose is to enable the traceback to use the TTL value when tracing the source, allowing it to more accurately find the true attack source. The space expended by logging increases as the number of packets increases. Immediately after a packet had exited IXP services, the index value represented by the digest value of that packet was also recorded, and space required for logging was evaluated according to the actual network topology.
In our system, an n × m two-dimensional bloom filter was used for logging, where n is equal to the number of ports of this switch and m refers to the size of the bloom filter. Figure 13 is a diagram of the relationship between log table size and the number of paths. In the experiment, paths were randomly selected, and the experiment was repeated with 3804, 10000, 30000, 50000, 70000, and 100000 paths. Since the packets from the same path carry the same digest, the storage is path specific and not based on the number of packets passing through it. Figure 13 indicates that more paths required more logging space. The storage space required for 100,000 paths was approximately 576 KB. In addition, in an environment containing a switch, a 2-dimensional bloom filter was used for logging. The size selected for each bloom filter was twice the number of paths. Figure 14 is a diagram of the relationship between the size of the logging space required by the router and the space consumed by a 2-dimensional bloom filter and its path tree in a switch environment. Because the design of the 2-dimensional bloom filter required much logging space, the logging space required at 100,000 paths was approximately 148 MB.

C. ANALYSIS OF ACCURACY
This section compares the researchers' method with the SPITRI technique of Vijayalakshmi et al. [48] in two types of network environments: one that does not include IXP services and one that does. To analyze the accuracies of the two methods in attack source traceback in conditions of different encoding space sizes, the mark lengths in each method were also modified to different lengths for comparison. Figure 15 shows the accuracy of various mark lengths in a network environment without IXP services for the method in the present study and for the SPITRI method of Vijayalakshmi [48]. When the mark length was 32 bits, the accuracy of the two methods was relatively low primarily due to the precision error of the floating-point number. After the mark length was uniformly increased to 256 bits, accuracy increased significantly. Because the method of the present study combines the AS-level and router-level, at the same path length, fewer division operations cause errors than for the SPITRI method proposed by Vijayalakshmi. Therefore, the attack source can be identified more efficiently. When the encoding space was less than 256 bits, compared to the path length in the CAIDA data, the method proposed in the present study exhibited limited advantages due to insufficient space. However, when the space exceeded 256 bits, even if the core network contains IXP services, the method proposed in the present study continued to exhibit higher accuracy.
When a network environment contains IXP services, Vijayalakshmi's SPITRI method results in a relationship between routers that is not one-to-one. This is because of switches in the network environment, meaning that it is unable to accurately identify the true attack source. Figure 16 shows the accuracy of various mark lengths for Vijayalakshmi's SPITRI method [48] and the method proposed in the present study in a network environment containing IXP services. In the IXP services, we use the two-dimensional bloom filters to log the packet, and this does not affect the accuracy of the IP marking scheme. The amplitude of the accuracy curve reveals that the method proposed in the present study is not substantially changed by the inclusion of IXP services in a network environment. Nevertheless, when mark length was at 256 bits, due to the sufficiently large encoding space, the accuracy of the method proposed in the present study exhibited a distinct advantage over that of Vijayalakshmi's method.

IV. CONCLUSION
This article proposes a single-packet traceback combining network-layer and data link-layer tracebacks. In the switch, TAP mirroring packets are employed for logging, and TTL is used to determine the termination of the traceback. The number of routers from the attack source can thus be obtained. Even if a core network includes a switch, a single packet can be used to accurately traceback the attack source.
Although some space is sacrificed to log packet information, the traceback is no longer unable to find the true attack source due to a core network containing switches. The method proposed in this study is compared to that proposed by Vijayalakshmi. At the same mark length, the method proposed in this study can reduce the number of operations and decrease the error probability caused by division operations. In a network environment with IXP services, the method proposed in this study nevertheless correctly identifies the attack source.
However, the method proposed in this study cannot prevent disadvantages such as excessive information stored in the log table, which causes resource exhaustion or collision. Because the IP packet header's mark length was only 32 bits, to substantially increase traceback accuracy, the mark could be cut into pieces to be placed in different packets.