StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense

Today's Internet hosts are threatened by large scale Distributed Denial-of-Service (DDoS) attacks. The Path Identification (Pi) DDoS defense scheme has been recently proposed as a deterministic packet marking scheme that allows a DDoS victim to filter out attack packets on a per packet basis with high accuracy after only a few attack packets are received. In this paper, the authors propose the StackPi marking, a new packet marking scheme based on Pi, and new filtering mechanisms. The StackPi marking scheme consists of two new marking methods that substantially improve Pi's incremental deployment performance: Stack based marking and Write-ahead marking.