Improving the precision and efficiency of log-based IP packet traceback

Egon Hilgenstieler*, Elias P. Duarte, Glenn Mansfield-Keeni, Norio Shiratori

*Corresponding author for this work

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    5 Citations (Scopus)


    As the Internet Protocol (IP) does not ensure the authenticity of packets, it is sometimes necessary to discover or to confirm the real source of a packet received from the Internet. Examples of these situations include tracking down the host from which an attack was launched. In this work we propose a new architecture for IPPT (IP Packet Tracing) based on the traditional concept of keeping traffic logs stored in Bloom filters. The proposed architecture returns an attack graph that precisely identifies the route traversed by a given packet, allowing the correct identification of the attacker. We show that previously published approaches may return misleading attack graphs in some particular situations, which may even prevent the determination of the real attacker. The proposed architecture has two other features that improve the efficiency of the returned attack graph: separate logs are kept for each router interface, improving the distributed search procedure; and an efficient dynamic log paging strategy is proposed. The communication among the system's components preserves the confidentiality of the packet's information. The architecture was implemented and experimental results are presented.

    Original language: English
    Title of host publication: GLOBECOM - IEEE Global Telecommunications Conference
    Number of pages: 5
    Publication status: Published - 2007
    Event: 50th Annual IEEE Global Telecommunications Conference, GLOBECOM 2007 - Washington, DC
    Duration: 2007 Nov 26 - 2007 Nov 30


    Other: 50th Annual IEEE Global Telecommunications Conference, GLOBECOM 2007
    City: Washington, DC

    ASJC Scopus subject areas

    • Engineering (all)

