|Description||Attack Trace Back: Service Providers, Network Operators and Equipment Suppliers should have the processes and/or capabilities to analyze and determine the source of malicious traffic, and then to trace back and drop the packets at, or closer to, the source. The references provide several different possible techniques. (Malicious traffic is traffic, such as Distributed Denial of Service (DDoS), smurf and fraggle attacks, that is designed and transmitted to consume the resources of a network destination in order to block service, or to consume resources and overflow state in a way that might cause system crashes.)|
|Industry Role(s)||Service Provider; Network Operator|
|Keyword(s)||Cyber Security; Network Operations; Security Systems|
|Reference/Comments||"Practical Network Support for IP Traceback" by Stefan Savage et al., Dept. of Computer Science and Engineering, Univ. of Washington, Tech Report UW-CSE-2000-02-01, with a version published in the Proceedings of the 2000 ACM SIGCOMM, pp. 256-306, Stockholm, Sweden, August 2000
Hash-based traceback, as described in "Hash-Based IP Traceback" by Alex C. Snoeren et al. of BBN, published in the Proceedings of the 2001 ACM SIGCOMM, San Diego, CA, August 2001
A physical network arrangement as described in "CENTERTRACK, An IP Overlay Network" by Robert Stone of UUNET presented at NANOG #17 October 5, 1999.
John Ioannidis and Steven M. Bellovin, "Implementing Pushback: Router-Based Defense Against DDoS Attacks", NDSS, February 2002. http://www.ietf.org/rfc/rfc3882.txt