Practical Network Support for IP Traceback

2000 | Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson
This paper introduces a technique for tracing anonymous packet flooding attacks in the Internet back to their source. The authors address the challenges posed by the increasing frequency and sophistication of denial-of-service (DoS) attacks, particularly those that use spoofed source addresses and therefore leave the victim with no trustworthy information about where the traffic entered the network. They propose a general-purpose traceback mechanism based on probabilistic packet marking in the network, which lets a victim reconstruct the network paths traversed by attack traffic without interactive support from Internet Service Providers (ISPs). The traceback can be performed after an attack has completed, and the approach is incrementally deployable, mostly backward compatible, and efficient on conventional router hardware.

The paper first outlines the IP spoofing problem and reviews existing traceback techniques: ingress filtering, link testing (input debugging and controlled flooding), logging, and ICMP traceback. Each is evaluated on management cost, additional network load, overhead on routers, ability to trace multiple simultaneous attacks, and effectiveness against attacks that have already completed.

The authors then present their proposal: routers probabilistically mark packets with partial path information as they forward them. Because a flooding attack consists of a large number of packets, the victim needs only a modest fraction of them to carry marks in order to reconstruct the whole path. Three abstract marking algorithms are described: node append (every router appends its address, which is robust but grows every packet), node sampling (each router overwrites a single address field with probability p, so the victim infers router order from how often each address appears), and edge sampling (with probability p a router writes its address into a start field and resets a distance counter; the next router records itself as the other endpoint of that edge, and every subsequent router increments the distance). Edge sampling is chosen for its efficiency and robustness, since the distance field lets the victim order edges by hop count and reject any edge an attacker forges closer than the nearest marking router, but it needs room for two addresses and a distance counter in the IP header, so it is not backward compatible.
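The edge-sampling procedure and the victim's reconstruction, as an added worked example rather than code from the paper or its authors: the topology, router addresses, packet count and the attacker's forged mark fields are constructed here, and p = 1/25 is the marking probability the paper uses in its experiments. The example also evaluates the paper's bound ln(d)/(p(1-p)^(d-1)) on the expected number of packets a d-hop path needs, and shows why forged marks can only add hops beyond the farthest real router: every router increments the distance, so an attacker-written edge always arrives with distance at least the true path length.

```python
"""Edge sampling simulated end to end: routers mark packets with probability p,
the victim rebuilds the attack path from the marks it receives.

Added example, not code from the paper.  The topology, addresses, packet
count and the attacker's forged mark fields below are all constructed.
"""
import math
import random
from dataclasses import dataclass

# Constructed topology: attacker -> ROUTERS[0] -> ... -> ROUTERS[-1] -> VICTIM.
VICTIM = "10.0.0.1"
ROUTERS = [f"192.0.2.{i}" for i in range(10, 0, -1)]  # 10 hops, farthest from the victim first
P = 1 / 25  # marking probability, the value the paper uses in its experiments


@dataclass
class Mark:
    """The three fields edge sampling needs in every packet."""
    start: str
    end: str
    distance: int


def router_mark(router: str, m: Mark, rng: random.Random) -> None:
    """Marking procedure run by one router on one packet.

    With probability P the router starts a new edge: it writes itself into
    `start` and resets the distance.  Otherwise it completes an edge started
    by the hop upstream (distance still 0) and, in every non-marking case,
    increments the distance so the victim can order edges by hop count.
    """
    if rng.random() < P:
        m.start = router
        m.distance = 0
    else:
        if m.distance == 0:
            m.end = router
        m.distance += 1


def send_flood(n_packets: int, rng: random.Random, forged: Mark) -> list[Mark]:
    """Attacker sends n packets whose mark fields start out attacker-chosen
    through the whole router chain; returns what the victim receives."""
    received = []
    for _ in range(n_packets):
        m = Mark(forged.start, forged.end, forged.distance)
        for r in ROUTERS:
            router_mark(r, m, rng)
        received.append(m)
    return received


def reconstruct(marks: list[Mark]) -> list[str]:
    """Victim side: walk outward from the victim one hop at a time, accepting
    an edge only if its distance equals the current depth (nearest hop first)."""
    edges: dict[tuple[str, int], set[str]] = {}
    for m in marks:
        end = VICTIM if m.distance == 0 else m.end  # distance 0: the edge ends at us
        edges.setdefault((end, m.distance), set()).add(m.start)
    path, current, depth = [], VICTIM, 0
    while True:
        candidates = edges.get((current, depth), set())
        if len(candidates) != 1:  # nothing seen at this depth, or ambiguous: stop
            return path
        current = next(iter(candidates))
        path.append(current)
        depth += 1


def expected_packets_bound(d: int, p: float = P) -> float:
    """The paper's bound on the expected number of packets before every edge
    of a d-hop path has been seen: ln(d) / (p (1 - p)^(d - 1))."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


def demo(n_packets: int = 2000, seed: int = 1) -> list[str]:
    """Constructed run: the attacker pre-fills every packet with a forged edge
    pointing at an innocent host.  Because each router increments the
    distance, that edge can only show up beyond the farthest real router."""
    rng = random.Random(seed)
    forged = Mark(start="203.0.113.7", end="203.0.113.8", distance=0)
    return reconstruct(send_flood(n_packets, rng, forged))


if __name__ == "__main__":
    print("path, nearest hop first:", demo())
    print("bound on packets needed for d=10:", round(expected_packets_bound(10), 1))
```

The reconstructed list holds the ten real routers in order, then the attacker's forged address as an eleventh hop: the forged edge survives only at distance 10, beyond the last router the attack actually crossed, which is the limit on forgery the distance field provides.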
To address this issue, the authors propose a compressed variant of edge sampling that reduces the space requirement at the cost of longer convergence time and reduced robustness against multiple attackers. Instead of carrying both endpoints of an edge, a packet carries the XOR of the two router addresses (an edge-id), which the victim unwinds hop by hop because it already knows the downstream router of each edge; the edge-id is further split into fragments sent in separate packets, each router interleaves its address with a hash of it so that fragments reassembled from the wrong edges can be detected, and the distance field is kept to a few bits. They detail the encoding strategy for this scheme, which overloads the 16-bit IP identification field (the field IP otherwise uses for fragment reassembly) to hold the fragment offset, the distance and the edge fragment. The paper also discusses practical implementation issues, including the conflict with legitimately fragmented datagrams that depend on the same field, and presents experimental results showing that a victim can reconstruct paths of typical Internet length from a modest number of attack packets. Finally, the authors discuss the limitations and possible extensions of their proposal, emphasizing that multiple simultaneous attackers, the robustness of reconstruction in distributed attacks, and the edges an attacker can still forge beyond the nearest marking router remain open problems.
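The 16-bit encoding and its reassembly, as an added example that is not the paper's implementation: it packs a 3-bit fragment offset, a 5-bit distance and an 8-bit edge fragment into the identification field (the split the paper describes), has each router XOR its fragment into the edge started by the hop upstream, and lets the victim rebuild the path one distance at a time by trying fragment combinations, XORing out the router it already knows, and accepting only candidates whose interleaved hash checks. The SHA-256-based 32-bit hash, the addresses, the path and the attacker's random ID values are all assumptions or constructed input.

```python
"""Compressed edge sampling packed into the 16-bit IP identification field.

Added example, not the paper's implementation.  Field layout, as the paper
describes it: 3-bit fragment offset | 5-bit distance | 8-bit edge fragment.
The hash function, addresses, path and spoofed ID values are constructed.
"""
import hashlib
import itertools
import random

VICTIM = 0x0A000001                                    # 10.0.0.1
ROUTERS = [0xC0000200 + i for i in range(10, 0, -1)]   # 192.0.2.10 .. 192.0.2.1, farthest first
P = 1 / 25      # marking probability
K = 8           # fragments per 64-bit router id (3-bit offset field)
MAX_DIST = 31   # the 5-bit distance field saturates here


def h32(addr: int) -> int:
    """32-bit hash of an address (assumption: SHA-256 prefix; the paper leaves the function open)."""
    return int.from_bytes(hashlib.sha256(addr.to_bytes(4, "big")).digest()[:4], "big")


def interleave(addr: int, hsh: int) -> int:
    """64-bit router id: address bits at even positions, hash bits at odd ones,
    so each 8-bit fragment carries 4 address bits and 4 hash bits."""
    rid = 0
    for i in range(32):
        rid |= ((addr >> i) & 1) << (2 * i) | ((hsh >> i) & 1) << (2 * i + 1)
    return rid


def deinterleave(rid: int) -> tuple[int, int]:
    addr = hsh = 0
    for i in range(32):
        addr |= ((rid >> (2 * i)) & 1) << i
        hsh |= ((rid >> (2 * i + 1)) & 1) << i
    return addr, hsh


RIDS = {r: interleave(r, h32(r)) for r in ROUTERS}   # each router precomputes its own id


def fragment(rid: int, offset: int) -> int:
    return (rid >> (8 * offset)) & 0xFF


def pack(offset: int, distance: int, frag: int) -> int:
    return (offset << 13) | (distance << 8) | frag


def unpack(ident: int) -> tuple[int, int, int]:
    return ident >> 13, (ident >> 8) & 0x1F, ident & 0xFF


def router_mark(router: int, ident: int, rng: random.Random) -> int:
    """One router's marking step on the 16-bit identification field."""
    offset, distance, frag = unpack(ident)
    if rng.random() < P:                      # start a new edge: one fresh fragment, distance 0
        offset = rng.randrange(K)
        return pack(offset, 0, fragment(RIDS[router], offset))
    if distance == 0:                         # complete the edge the upstream hop started
        frag ^= fragment(RIDS[router], offset)
    return pack(offset, min(distance + 1, MAX_DIST), frag)


def send_flood(n_packets: int, rng: random.Random) -> list[int]:
    """Attacker fills the ID field with random values (constructed spoofing);
    returns the ID fields the victim receives after the whole chain."""
    received = []
    for _ in range(n_packets):
        ident = rng.randrange(1 << 16)
        for r in ROUTERS:
            ident = router_mark(r, ident, rng)
        received.append(ident)
    return received


def reconstruct(idents: list[int], max_combos: int = 4096) -> list[int]:
    """Victim: per distance, reassemble candidate edge-ids from the fragments seen
    at each offset, XOR out the already-known downstream router, and keep only
    candidates whose hash half matches their address half."""
    frags: dict[tuple[int, int], set[int]] = {}
    for ident in idents:
        offset, distance, frag = unpack(ident)
        frags.setdefault((distance, offset), set()).add(frag)
    path, downstream = [], None                # at distance 0 the edge ends at the victim: no XOR
    for distance in range(MAX_DIST + 1):
        per_offset = [sorted(frags.get((distance, o), ())) for o in range(K)]
        n_combos = 1
        for c in per_offset:
            n_combos *= len(c)
        if n_combos == 0 or n_combos > max_combos:
            break                              # edge incomplete, or too many spoofed fragments to trust
        found = []
        for combo in itertools.product(*per_offset):
            edge_id = sum(f << (8 * o) for o, f in enumerate(combo))
            rid = edge_id if downstream is None else edge_id ^ downstream
            addr, hsh = deinterleave(rid)
            if h32(addr) == hsh:
                found.append((addr, rid))
        if len(found) != 1:
            break
        addr, downstream = found[0]
        path.append(addr)
    return path


def demo(n_packets: int = 5000, seed: int = 7) -> list[int]:
    rng = random.Random(seed)
    return reconstruct(send_flood(n_packets, rng))


if __name__ == "__main__":
    for hop, a in enumerate(demo(), 1):
        print(f"hop {hop}: {a >> 24}.{(a >> 16) & 255}.{(a >> 8) & 255}.{a & 255}")
```

Two things the run makes visible that the summary only states. First, the attacker's random identification values never reach distances below the true path length, because each router's increment pushes them to at least 10, so the first ten hops reassemble from exactly one fragment per offset and the walk stops when it meets the flood of spoofed fragments. Second, the price of the compression is convergence: every edge now needs all eight fragments to arrive, which is why this run sends several thousand packets where plain edge sampling needed far fewer.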