Researcher: Adrian Perrig


Pi (Path Identifier) Packet Marking Scheme to Defend Against Internet DDoS Attacks

Distributed Denial of Service (DDoS) attacks continue to plague the Internet. Defending against DDoS attacks is complicated by spoofed IP source addresses (which disguise the true packet origin). We propose Pi (short for Path Identifier), a new packet marking approach that enables a victim to identify the approximate path that a packet took, and hence filter attack packets on a per-packet basis even when the IP source address is spoofed.

Pi features many unique properties. Pi is a per-packet deterministic mechanism: each packet traveling along the same path carries the same identifier. The victim can take a proactive role in defending against a DDoS attack by using the Pi mark to filter out malicious packets on a per-packet basis. Our scheme performs well even under large-scale DDoS attacks consisting of thousands of attackers. Pi is extremely lightweight, both on the routers for marking and on the victim for decoding; each operation can be implemented in a few machine instructions or, in hardware, a few gates.
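The following simulation, added here as an illustration rather than the paper's own code or exact marking rule, shows the two properties the abstract names: the mark depends only on the path (so spoofing the source address does not change it), and the victim can filter on it per packet. It assumes a 16-bit marking field, 2 bits per router, and a constructed stand-in for the per-router hash (octet sum modulo 4); the router and client addresses are constructed.

```python
# Added illustration of the Pi idea (not the paper's exact marking rule): each router
# shifts the packet's 16-bit marking field and appends a few bits derived from its own
# address, so the mark depends only on the path, never on the (spoofable) source address.
MARK_BITS = 2                     # bits contributed per router (assumed; Pi uses 1 or 2)
FIELD_BITS = 16                   # width of the IP Identification field carrying the mark
FIELD_MASK = (1 << FIELD_BITS) - 1

def router_mark_bits(router_ip: str) -> int:
    """Deterministic n-bit value for a router. Constructed stand-in: octet sum mod 2^n
    (a real deployment would derive it from a hash of the router address)."""
    return sum(int(o) for o in router_ip.split(".")) % (1 << MARK_BITS)

def mark_packet(field: int, router_ip: str) -> int:
    """One router's marking step: shift left by n bits and OR in this router's bits.
    Bits shifted past the field width are lost, so only the last FIELD_BITS // MARK_BITS
    hops survive in the mark."""
    return ((field << MARK_BITS) | router_mark_bits(router_ip)) & FIELD_MASK

def pi_mark(path: list[str], initial_field: int = 0) -> int:
    """Mark a packet carries after traversing `path` (a list of router addresses)."""
    field = initial_field
    for router_ip in path:
        field = mark_packet(field, router_ip)
    return field

class PiFilter:
    """Victim-side filter: remember marks seen on packets identified as attack traffic
    and drop later packets carrying those marks, whatever source address they claim."""
    def __init__(self) -> None:
        self.attack_marks: set[int] = set()

    def learn(self, mark: int) -> None:
        self.attack_marks.add(mark)

    def accept(self, mark: int) -> bool:
        return mark not in self.attack_marks

def filter_packets(packets: list[tuple[str, int]], flt: PiFilter) -> list[str]:
    """Return the claimed source addresses of the packets the victim lets through."""
    return [src for src, mark in packets if flt.accept(mark)]

if __name__ == "__main__":
    # Constructed topology: attacker and a legitimate client share the first and last hop.
    attack_path = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    legit_path = ["10.0.0.1", "10.0.0.5", "10.0.0.3"]
    flt = PiFilter()
    flt.learn(pi_mark(attack_path))                       # victim observes the flood
    traffic = [("198.51.100.7", pi_mark(attack_path)),    # spoofed source, attack path
               ("203.0.113.9", pi_mark(attack_path)),     # another spoofed source
               ("192.0.2.44", pi_mark(legit_path))]       # genuine client, other path
    print(filter_packets(traffic, flt))                   # ['192.0.2.44']
```

Because filtering is by mark rather than by source, a legitimate client whose packets follow exactly the same path as an attacker carries the same mark and is dropped along with it; the victim trades that collateral loss for a filter that spoofed addresses cannot evade.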

Pi can also be used to enhance the effectiveness of other DDoS countermeasures. For example, Pi can greatly enhance the power of the Pushback framework.