Optimal Source-Based Filtering of Malicious Traffic

In this paper, we consider the problem of blocking malicious traffic on the Internet via source-based filtering. In particular, we consider filtering via access control lists (ACLs): these are already available at the routers today, but they are a scarce resource because they are stored in the expensive ternary content addressable memory (TCAM). Aggregation (filtering source prefixes instead of individual IP addresses) helps reduce the number of filters, but it also comes at the cost of blocking legitimate traffic originating from the filtered prefixes. We show how to optimally choose which source prefixes to filter for a variety of realistic attack scenarios and operators' policies. In each scenario, we design optimal, yet computationally efficient, algorithms. Using logs from Dshield.org, we evaluate the algorithms and demonstrate that they bring significant benefit in practice.
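The filter-count versus collateral-damage trade-off the abstract describes, as an added example that is not code from the paper: an exact dynamic programme over the binary prefix trie of the observed source addresses which, for a given ACL budget, picks the prefixes that block every malicious source while losing the least legitimate traffic. The traffic sample is constructed, and the policy shown (cover all malicious sources, minimise blocked legitimate traffic) is only one of the scenarios the paper treats.

```python
"""Choose at most F source-prefix filters (ACL entries) that block every
address seen sending malicious traffic while blocking the least legitimate
traffic: an exact dynamic programme over the binary prefix trie of the
observed addresses (an illustration of the trade-off, not the paper's method)."""
import ipaddress

INF = float("inf")


def _tables(items, max_filters):
    """items: sorted (ip_int, malicious, legitimate) tuples in one subtree.
    Returns T with T[k] = (legit_blocked, filters) using at most k filters."""
    bad = sum(b for _, b, _ in items)
    good = sum(g for _, _, g in items)
    if bad == 0:                                   # nothing to block here
        return [(0, [])] * (max_filters + 1)
    lo, hi = items[0][0], items[-1][0]
    plen = 32                                      # longest common prefix
    while plen and lo >> (32 - plen) != hi >> (32 - plen):
        plen -= 1
    base = lo >> (32 - plen) << (32 - plen)
    net = f"{ipaddress.IPv4Address(base)}/{plen}"
    # Option 1: one filter on the covering prefix (all its legit traffic is lost)
    table = [(INF, [])] + [(good, [net])] * max_filters
    if plen < 32:
        # Option 2: split at the first differing bit and combine the two children
        split = base | 1 << (31 - plen)
        left = _tables([it for it in items if it[0] < split], max_filters)
        right = _tables([it for it in items if it[0] >= split], max_filters)
        for k in range(1, max_filters + 1):
            for k1 in range(k + 1):
                cost = left[k1][0] + right[k - k1][0]
                if cost < table[k][0]:
                    table[k] = (cost, left[k1][1] + right[k - k1][1])
    return table


def best_filters(traffic, max_filters):
    """traffic: {ip: (malicious_hits, legitimate_flows)} -> (legit blocked, prefixes)."""
    items = sorted((int(ipaddress.IPv4Address(ip)), bad, good)
                   for ip, (bad, good) in traffic.items())
    cost, filters = _tables(items, max_filters)[max_filters]
    return cost, sorted(filters, key=ipaddress.IPv4Network)


# Constructed sample, not DShield data: ip -> (malicious hits, legitimate flows)
SAMPLE = {"10.0.0.1": (50, 0), "10.0.0.2": (40, 1), "10.0.0.3": (0, 80),
          "10.0.0.130": (30, 0), "10.0.1.7": (20, 0),
          "192.0.2.9": (10, 5), "192.0.2.10": (0, 300)}
```

With one filter only 0.0.0.0/0 covers every attacker and all 386 legitimate flows are lost; two filters already cut that to 86, and five per-host entries to 6.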
