SPIE Demonstration: Single Packet Traceback

DARPA INFORMATION SURVIVABILITY CONFERENCE AND EXPOSITION, VOL II, PROCEEDINGS (2003)

Abstract
SPIE, the Source Path Isolation Engine, is a DARPA-funded system for tracing single IP packets back through a network of instrumented routers or tap boxes that are associated with the routers. Historically, tracing individual packets by keeping packet logs at each router has required prohibitive amounts of memory; one of SPIE's key innovations is to reduce the memory requirement (down to 0.5% of link capacity) by storing only packet digests, that is, hashes of the packets rather than the packets themselves. SPIE-enhanced routers maintain a cache of packet digests for recently forwarded traffic. If a packet is determined to be offensive by an intrusion detection system (or judged interesting by some other metric), a query is dispatched to the SPIE system that, in turn, queries routers for packet digests of the relevant time periods. The results of this query are used in a simulated reverse-path flooding algorithm to build a highly reliable and accurate attack graph that identifies the packet's source or sources.
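A simplified sketch of the digest-and-query scheme the abstract describes, added here as an illustration and not taken from the paper or the SPIE implementation. The `Router` class, the 10-second window, SHA-256 truncated to 8 bytes, plain sets standing in for the digest cache, and the five-router topology with its packets are all constructed assumptions.

```python
import hashlib

WINDOW = 10  # seconds covered by one digest table (assumed value)

def digest(packet: bytes) -> bytes:
    # Store a short hash instead of the packet itself (hash choice is assumed).
    return hashlib.sha256(packet).digest()[:8]

class Router:
    def __init__(self, name):
        self.name = name
        self.upstream = []  # routers that forward traffic to this one
        self.tables = {}    # window index -> set of digests seen in that window

    def forward(self, packet, t):
        self.tables.setdefault(int(t // WINDOW), set()).add(digest(packet))

    def saw(self, d, t):
        # Check the query window and the one before it, so a packet that
        # crossed a window boundary in transit is still found.
        w = int(t // WINDOW)
        return any(d in self.tables.get(i, ()) for i in (w, w - 1))

def traceback(victim_router, packet, t):
    """Walk upstream from the victim's router, following only routers whose
    digest tables contain the packet. Returns (graph edges, source routers)."""
    d = digest(packet)
    if not victim_router.saw(d, t):
        return [], []  # digest aged out or packet never passed here
    edges, sources = [], []
    seen, stack = {victim_router.name}, [victim_router]
    while stack:
        r = stack.pop()
        hits = [u for u in r.upstream if u.saw(d, t)]
        if not hits:
            sources.append(r.name)  # no upstream match: path starts here
        for u in hits:
            edges.append((u.name, r.name))
            if u.name not in seen:
                seen.add(u.name)
                stack.append(u)
    return sorted(edges), sorted(sources)

def build_demo():
    # Constructed topology: A and B feed C; C and E feed D (victim's router).
    a, b, c, d, e = (Router(n) for n in "ABCDE")
    c.upstream, d.upstream = [a, b], [c, e]
    attack = b"constructed attack packet"
    for r in (a, c, d):
        r.forward(attack, 101.0)
    for r in (b, c, d):
        r.forward(b"constructed benign packet", 102.0)
    for r in (e, d):
        r.forward(b"constructed other packet", 103.0)
    return d, attack
```

Routers B and E carried traffic toward D in the same window but are excluded from the graph because their tables hold no digest of the queried packet.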
Keywords
tcpip,intrusion detection system,dissolved gas analysis,data structures,engines,history,cache,hashes,intrusion detection