
Edge-Based Record Route: A Novel Approach for Single Packet

4.3 Proposed Solution for Single Packet IP Trace-back

4.4.1 Overhead Analysis

The cost for tracing the source of a single packet heavily relies on the overhead for generating PPD packets which carry partial paths. This overhead can be measured in terms of the number of PPD packets generated. According to our previous description, the number of PPD packets heavily depends on the number of partial paths in a route.

A partial path is formed each time the checksum field is moved to the IP option field (if possible) or is delivered to the destination host via a PPD packet. In the former case, the number of PPD packets can be obtained by dividing the number of partial paths by five, which is the number of partial paths the IP option field can accommodate. In the latter case, the number of PPD packets equals the number of partial paths, since each partial path requires its own PPD packet.

It is necessary to estimate the number of partial paths before computing the number of PPD packets. To do this, several basic assumptions must first be stated.

First, the degrees of the routers are assumed to be independent of each other, and we use α to represent the expected number of bits a router needs to encode its links. We first consider the simplest case, in which all the routers in the path are EBRR-enabled routers.

Let $f(L)$ denote the number of partial paths, where $L$ is the number of routers in the path. Then $f(L)$ can be expressed as:

$f(L) = \lceil L \alpha / 16 \rceil$

Next, consider general cases such that not all of the routers are EBRR-enabled routers.

To calculate the expected number of partial paths of a route containing $L$ routers, we first divide the entire route into $k$ segments, $1 \le k \le L$. The lengths of the segments are represented as a sequence of integers denoted $S_{L,k} = (S^{1}_{L,k}, S^{2}_{L,k}, \ldots, S^{k}_{L,k})$ such that $S^{i}_{L,k} \ge 1$ for

Under the same $L, k$ constraint, there are in total $C^{L-1}_{k-1}$ such sequences; let $A_{L,k}$ denote the set of those sequences, and let $A^{i}_{L,k}$ denote an element of $A_{L,k}$. Then, consider a path containing $L$ routers. $F(L)$ denotes the expected number of partial paths. $F(L)$ can be computed as:

Next, consider a simple case in which each router is administered independently and EBRR-enabled routers are randomly distributed over the Internet. In this case, let p denote the probability that an IP packet arrives at a router that is EBRR-enabled.

F (L) denotes the expected number of partial paths. In this simple probabilistic model, F (L) can be expressed as:

F (L) =

Now consider a more complicated case in which Internet routers are managed by several administrators, so that routers support the proposed scheme in a consistent manner within each administrative domain. We assume that routers connected to each other are likely to reside in the same Autonomous System (AS). Since routers in the same AS tend to be administered under the same policy, they will support the edge-based record route in a consistent manner.

That is, routers connected to an EBRR-enabled router tend to be EBRR-enabled routers, and vice versa. This assumption can be modeled by a state-transition diagram, as shown in Fig. 4.9. In the figure, S1 denotes the state in which the current router is EBRR-enabled, and S2 denotes the state in which the current router is not EBRR-enabled. When a packet moves to the next router, it remains in the same state with probability q and transits to the other state with probability (1 − q). The probability that the first router is an EBRR-enabled router is set to 1/2, so the probability that it is not EBRR-enabled is also 1/2.

Figure 4.9: A probability model that reflects the state transition of IP packets.

In the probabilistic model presented above, F (L) can be computed as:

F (L) =

Fig. 4.10 shows how the probability q and the value L affect F (L) when α is fixed at 16. The intuition is that F (L) is linear with respect to L, and q determines the slope. A smaller q results in a greater slope.

Notice that in cases of q > 0.5, F (L) grows greater than 5 when L is about 20.

This indicates that when a packet traverses more than 20 hops, five partial paths are collected. However, this case occurs rarely. It is reported that the average hop count of current network flows is about 15 and only a few network flows traverse more than 20 hops [32, 54]. This observation implies that if the IP option field can be used to store partial paths, the number of PPD packets can be greatly reduced, because only a few IP packets would have more than 5 partial paths. In other words, the number of PPD packets tends to be small. On the other hand, the number of PPD packets increases by one for every further 20 hops an IP packet traverses. This indicates that IP packets traversing fewer than 40 hops would need fewer than two PPD packets.

Next, we examine the value of F (L) for different α values. Fig. 4.11 shows that α does not have a great impact on F (L). According to the figure, α is another factor that affects the slope: the smaller α is, the lower the slope. However, the difference is small. This experimental result also shows that, for IP packets that traverse fewer than 20 hops, the number of partial paths is smaller than five. Consequently, no PPD packet will be generated in this case.
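As an added example (not code from the thesis), the Python script below evaluates the overhead model above exactly: it derives the distribution of the number of partial paths under the two-state model (first router EBRR-enabled with probability 1/2, state kept with probability q per hop) and from it F(L) and the expected number of PPD packets. It assumes that each maximal run of S consecutive EBRR-enabled routers contributes f(S) = ⌈Sα/16⌉ partial paths, and that a free IP option field absorbs the first five partial paths before any PPD packet is needed.

```python
import math
from collections import defaultdict
from fractions import Fraction

CHECKSUM_BITS = 16   # bits of the IP checksum field that carry one partial path
OPTION_SLOTS = 5     # partial paths the IP option field can accommodate


def partial_paths(run_len, alpha):
    """f(S) = ceil(S * alpha / 16): partial paths produced by S consecutive EBRR routers."""
    return math.ceil(run_len * alpha / CHECKSUM_BITS)


def ppd_packets(n_partial, option_free):
    """PPD packets needed for n_partial partial paths (assumed reading of 'divide by five':
    a free option field holds the first five, each further group of up to five needs one
    PPD packet; an already-set option means one PPD packet per partial path)."""
    if not option_free:
        return n_partial
    return math.ceil(max(0, n_partial - OPTION_SLOTS) / OPTION_SLOTS)


def partial_path_distribution(L, q, alpha):
    """Exact distribution {partial paths: probability} over an L-router route."""
    q = Fraction(q)
    # key = (length of the open EBRR run, 0 at a non-EBRR router; partial paths closed so far)
    dist = defaultdict(Fraction)
    dist[(1, 0)] = Fraction(1, 2)   # first router EBRR-enabled
    dist[(0, 0)] = Fraction(1, 2)   # first router not EBRR-enabled
    for _ in range(L - 1):
        nxt = defaultdict(Fraction)
        for (run, done), pr in dist.items():
            if run > 0:
                nxt[(run + 1, done)] += pr * q                             # run continues
                nxt[(0, done + partial_paths(run, alpha))] += pr * (1 - q)  # run closes
            else:
                nxt[(0, done)] += pr * q
                nxt[(1, done)] += pr * (1 - q)                             # new run starts
        dist = nxt
    totals = defaultdict(Fraction)
    for (run, done), pr in dist.items():   # a run still open at the destination closes there
        totals[done + (partial_paths(run, alpha) if run else 0)] += pr
    return dict(totals)


def expected_partial_paths(L, q, alpha):
    """F(L): expected number of partial paths."""
    return sum(n * pr for n, pr in partial_path_distribution(L, q, alpha).items())


def expected_ppd_packets(L, q, alpha, option_free=True):
    """Expected traceback overhead for one packet, in PPD packets."""
    return sum(ppd_packets(n, option_free) * pr
               for n, pr in partial_path_distribution(L, q, alpha).items())
```

Calling `expected_ppd_packets(L, 0.6, 4)` for L = 10, 20, 40 reproduces the trend discussed above: the overhead stays near zero while the option field is free and equals F(L) once an attacker has already set an IP option.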

Figure 4.10: How L and q affect F (L) when α = 4


Figure 4.11: How L and α affect F (L) when q = 0.6

In summary, our experimental results show that, in general cases, an IP packet would arrive at the destination host along with a complete and ordered set of partial paths.

Thus, the overhead for tracing the origin of a single IP packet is small. But in the case that an IP packet is sent with an IP option set, the number of PPD packets will be equal to the number of partial paths in the route. This implies that attackers could always set an IP option in their attack packets to increase the cost of traceback. Nevertheless, this cost is still relatively low when the increased number of PPD packets is compared to the total number of packets in the network.

In addition, readers might also think that the edge-based record route would provide (D)DoS attackers with a form of amplification for their attacks, since the number of packets the victim receives would grow with the number of PPD packets. This is correct. However, from the perspective of preventing network attacks (including DDoS attacks), our approach can effectively deter these attacks, since the origins of the attacks would be discovered easily. From this point of view, even in the case of (D)DoS attacks, it is easy to stop attacks at their sources once the attacks are detected.