IP Traceback systems facilitate tracing of IP packets back to their origin, despite possibly forged or overwritten source address data. A common shortcoming of existing proposals is that they identify the source network, but not the source host. Our work extends the traceback process to allow tracing of (switched) Ethernet frames. We build on SPIE (which operates at IP routers) to design and implement 'switch-SPIE'. Traffic logging is deployed in a 'switch-DGA' tap-box at each switch. The (switched) Ethernet traffic visibility issue is resolved with port mirroring, and the MAC address table establishes causality between source MAC address and source switch port. Our solution works for any network topology, as opposed to earlier layer 2 extensions to IP Traceback. We provide an implementation and experimental evaluation to establish the efficacy of our approach with respect to processing overhead and memory use.
Marios S. Andreou, Aad P. A. van Moorsel