Practical Network Support for IP Traceback


2000 | Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson
This paper presents a technique for tracing anonymous packet-flooding attacks in the Internet back toward their source. It is motivated by the growing frequency and sophistication of denial-of-service (DoS) attacks and by the difficulty of tracing packets whose source addresses are spoofed. The proposed solution is probabilistic packet marking: routers mark a small fraction of the packets they forward with partial path information, so a victim that receives enough attack packets can reconstruct the network path the attack traffic traversed without interactive support from Internet Service Providers (ISPs). Because the marks travel with the attack traffic itself, traceback can be performed "post-mortem", after an attack has completed. The approach is incrementally deployable, mostly backwards compatible, and can be implemented efficiently with conventional router technology.

The paper reviews related work on IP spoofing and existing traceback solutions, and discusses the limitations of current approaches: ingress filtering only helps where it is deployed, link testing requires cooperation from upstream operators while the attack is in progress, and logging demands substantial storage at routers. Against this background it presents the new probabilistic marking approach.

Several marking algorithms are developed in turn. Node append records every router's address in the packet, which is complete but costly in per-packet space. Node sampling has each router overwrite a single address field with some probability p, so the victim can order routers by how often each address appears; this needs many packets and the ordering is fragile. Edge sampling instead encodes edges between routers: a router that decides to mark writes its address into a start field and resets a distance counter to zero, the next router writes its own address into an end field, and every subsequent router increments the distance. The victim collects (start, end, distance) triples and joins them into a path from its own position outward, which gives more accurate path reconstruction than node sampling. Because every non-marking router increments the distance, an attacker that fabricates marks can only introduce edges that appear farther away than its true first router, never closer. The edge sampling algorithm is further optimized by compressing edge data into smaller fragments: the edge is represented as the XOR of the two router addresses, split into fragments, and each packet carries only one fragment together with its offset and the distance. This reduces per-packet storage requirements while maintaining robustness.

The paper also discusses encoding issues, in particular overloading the 16-bit IP identification field to carry the edge fragment, its offset and the distance. This minimizes the impact on existing users, since the field is otherwise needed only for fragment reassembly, and allows practical deployment, at the cost of interfering with legitimately fragmented traffic. The reconstruction procedure is evaluated against multiple attackers and large distributed attacks.

The paper presents experimental results showing the effectiveness of the approach in reconstructing attack paths, and concludes that the proposed technique is a practical solution for tracing DoS attacks with significant improvements over existing methods. It highlights the challenges of deploying the scheme in a heterogeneous Internet environment and discusses potential extensions and limitations. The approach is efficient, robust, and can be implemented with minimal router overhead, making it a promising step toward improving Internet security.
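As an added example (not the authors' code), the following Python simulates compressed edge-fragment marking in the 16-bit IP identification field across a constructed eight-router path and then runs the victim's reconstruction. It is a simplification: the 32-bit edge-id (upstream XOR downstream address) is split into four byte-sized fragments and no hash is interleaved, so conflicting fragments are only detected, not resolved, whereas the paper's full scheme interleaves a hash of the edge-id so the victim can verify each reassembled edge. The function names, the marking probability of 1/25, the packet count and the RFC 5737 documentation addresses are illustrative choices, not values from the paper.

```python
# Added example (not the authors' code): compressed edge-fragment sampling with
# the edge fragment carried in the 16-bit IP identification field, plus the
# victim's reconstruction.  Simplifying assumption: the 32-bit edge-id is split
# into 4 byte-sized fragments and no hash is interleaved, so conflicts are only
# detected, not resolved.  All addresses are RFC 5737 documentation prefixes.
import ipaddress
import random
from collections import defaultdict

FRAGMENTS = 4      # assumption: 4 fragments; the paper fragments a hash-interleaved edge-id
DIST_MAX = 2 ** 5  # 5-bit distance field: a path longer than 31 hops cannot be represented


def ip2int(addr):
    return int(ipaddress.IPv4Address(addr))


def pack_ident(offset, distance, frag):
    """Lay out offset (3 bits) | distance (5 bits) | edge fragment (8 bits) as a 16-bit IP ID."""
    if not (0 <= offset < 8 and 0 <= distance < DIST_MAX and 0 <= frag < 256):
        raise ValueError("field out of range")
    return (offset << 13) | (distance << 8) | frag


def unpack_ident(ident):
    return ident >> 13, (ident >> 8) & 0x1F, ident & 0xFF


def fragment_of(value32, k):
    """k-th byte of a 32-bit value, most significant byte first."""
    return (value32 >> (8 * (FRAGMENTS - 1 - k))) & 0xFF


def mark(ident, router, p, rng):
    """Marking step one router applies to one packet's IP ID field; returns the new field."""
    offset, distance, frag = unpack_ident(ident)
    if rng.random() < p:
        # Start a new edge: one random fragment of this router's address, distance 0.
        k = rng.randrange(FRAGMENTS)
        return pack_ident(k, 0, fragment_of(ip2int(router), k))
    if distance == 0:
        # We are the downstream end of an edge begun one hop upstream: XOR our fragment in.
        frag ^= fragment_of(ip2int(router), offset)
    # Every non-marking router increments distance, so a forged mark can never
    # arrive with a distance smaller than the true path length.  Saturating
    # instead of wrapping is an assumption of this example.
    return pack_ident(offset, min(distance + 1, DIST_MAX - 1), frag)


def simulate(routers, n_packets, p, seed, forged="198.51.100.7"):
    """Constructed attack: the attacker pre-fills each IP ID with a fake distance-0
    mark for address `forged`, then the packet crosses routers[0] .. routers[-1]
    (attacker side first) on its way to the victim."""
    rng = random.Random(seed)
    idents = []
    for _ in range(n_packets):
        k = rng.randrange(FRAGMENTS)
        ident = pack_ident(k, 0, fragment_of(ip2int(forged), k))
        for router in routers:
            ident = mark(ident, router, p, rng)
        idents.append(ident)
    return idents


def reconstruct(idents):
    """Victim side: rebuild the path from the nearest router outward.  Stops at the
    first hop whose fragments are incomplete or conflicting."""
    frags = defaultdict(lambda: defaultdict(set))  # frags[distance][offset] -> fragment bytes seen
    for ident in idents:
        offset, distance, frag = unpack_ident(ident)
        frags[distance][offset].add(frag)
    path, downstream = [], 0  # distance-0 edges carry the raw router address, so XOR with 0
    for distance in range(DIST_MAX):
        cell = frags.get(distance, {})
        if not all(k in cell for k in range(FRAGMENTS)):
            break  # some fragment offset never sampled at this distance: path ends here
        if any(len(seen) != 1 for seen in cell.values()):
            break  # conflicting fragments: several paths or tampering; the paper's hash
                   # check would be needed to tell them apart
        edge_id = 0
        for k in range(FRAGMENTS):
            edge_id = (edge_id << 8) | next(iter(cell[k]))
        router = edge_id ^ downstream  # edge-id = upstream XOR downstream
        path.append(str(ipaddress.IPv4Address(router)))
        downstream = router
    return path


if __name__ == "__main__":
    routers = ["192.0.2.%d" % i for i in range(1, 9)]  # 8 hops, attacker side first
    idents = simulate(routers, 4000, 1 / 25, seed=7)
    print(reconstruct(idents))
```

Running it prints the eight real routers nearest-the-victim first, followed by a ninth hop: the forged address the attacker planted. That ninth entry illustrates the robustness argument from the paper in both directions. The attacker's mark survives only in packets no router re-marked, and each of the eight routers incremented its distance field, so it can only show up beyond the attacker's true first router; it cannot displace or reorder any of the real edges. Without the hash interleaving of the full scheme, the victim also cannot distinguish that appended hop from a legitimate ninth router, which is why the reconstruction stops as soon as it sees conflicting fragments at one distance.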
[slides and audio] Practical network support for IP traceback