Distributed Denial of Service (DDoS) attacks have become a serious threat in the Internet. DDoS attacks is a large-scale attack where many malicious users send a lot of packets to a target server (victim) and try to stop the service. One possible way to counter DDoS attacks is to trace the attack source back and penalize the victimizer. However, current Internet design makes such tracing difficult for two reasons. First, there is no field in IP header of a packet to store the source information of packets except for ``Source IP Address'' field, which is to record source IP address. However, ``Source IP Address'' can be spoofed by the attackers. Second, the Internet is stateless, so that one cannot find the path traversed by a packet in a reliable manner. Therefore IP Traceback has been proposed to overcome these problems.

IP Traceback tries to construct the attack path from the victim to the source IP Address instead of the spoofed address. Up to now, two main types of traceback techniques have been proposed in the literature. First is to mark each packet with partial address information probabilistically. By receiving a significant number of packets, the victim can construct the attack paths with the information. This is referred to as a probabilistic packet marking (PPM) scheme. The other is to store the packet digests in the form of bloom filters at each router on the path. This is referred to as a logging scheme. Generally speaking, PPM cannot deal with large-scale DDoS attacks, as the IP header has only 16 bits to store marking information. On the other hand, logging schemes require a lot of storage space in routers.

Therefore Li et al. have proposed a hybrid IP traceback, which combines PPM and a logging scheme. They have shown the low sampling probability, i.e., 3.3%, and have guaranteed accuracy.

In this paper we propose a more efficient traceback scheme than the one of Li et al. Our scheme can improve correlation of packet sampling in DDoS Attacks and thus trace attackers back efficiently.