This paper presents a way to counter DDoS attacks by creating an attack tree to
find the source.  It does this without as much overhead of previous attempts.
Rather than sampling 100% of packets, it gets by with only sampling 3.3%.  
However, they can't use trajectory sampling to get this 3.3%, because attackers can
evade the sampling.  Only sampling 3.3% of the packets also introduces the problem
of correlating packets between routers.

To increase correlation, when a packet is sampled at a router, it is marked before heading
on.  The next router will then also sample the marked packet, and unmark the packet.  Any unmarked
packets are sampled with a certain probability.  This continues on to the target.  This makes it 
hard for an attacker to avoid sampling, because the first router will always sample at least p/2 
of the attacker's packets.

When doing the traceback, the target queries it's neighbors with a set of attack packets, called
Lv. If at least one packet in the querying set matches, the neighbor is marked as being on the
attack tree.  The convicted neighbor then takes all packets in it's digest that
match Lv and creates a set Ls.  It then continues the process with Ls, convicting neighbors 
as required.  This process continues until a router has no convicted neighbors.

Questions:
In section 3.11, they mention that if they used trajectory sampling, an attacker could
generate packets that could be easily evaded.  How?

If the sampling is more or less random between routers, what prevents the set of matching packets
from reaching nil to fast?

Why don't false positives mess up the scheme?  Wouldn't branches that don't lead to an attacker
be a problem for finding an attacker?

In section 3.1.2, they mention the attacker manipulating the marking field.  Why would this be a problem, 
since packets are sampled randomly if unmarked and always sampled if marked?

Why does increasing Np increase the number of false positives?  Wouldn't more attack packets make it easier
to positively and correctly identify attackers? (section 5.2 and 5.3)

Pros: Reduces the amount of sampling and storage needed, deployable, their information-theoretic framework 
simulations and theory match

Cons: Hard to read, no assumptions given or examples of what to do when you have the result, not clear on 
what an 'attacker' really is, won't work if not fully deployed

Additional Comments: Though space is reduced, this technique still requires too much space to be useable.  
Additionally, a compromised router could mess everything up.  Another problem with the technique is if 
anything is done about an attack, due to the distributed nature of the internet, the 'fix' can be routed 
around.  Another non-technical issue is even if the source is found, the ISP may not want to do anything 
about it, since consuming more bandwidth = more profit, and shutting off a compromised computer could annoy 
customers.  In the end, we decided this technique just isn't practical.

Voting Results: Strong Accept - 0, Weak Accept - 2, Strong Reject - 0, Weak Reject - 8