There is a large and increasing amount of unwanted traffic on the Internet today, including phishing, spam, and distributed denial-of-service attacks. One way to deal with this problem is to filter unwanted traffic at the routers based on source IP addresses. Because of the limited number of available filters in the routers today, aggregation is used in practice: a single filter describes and blocks an entire range of IP addresses. This results in blocking of all (unwanted and wanted) traffic generated from hosts with IP addresses in that range. In this paper, we develop a family of algorithms that, given a blacklist containing the source IP addresses of unwanted traffic and a constraint on the number of filters, construct a set of filtering rules that optimize the tradeoff between the unwanted and legitimate traffic that is blocked. We show that our algorithms are optimal and also computationally efficient. Furthermore, we demonstrate that they are particularly beneficial when applied to realistic distributions of sources of unwanted traffic, which are known to exhibit spatial and temporal clustering.
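As an added illustration (not the paper's own code), the following dynamic program over the binary prefix trie performs the kind of optimization the abstract describes: given a blacklist, a list of known legitimate sources and a filter budget, it chooses at most that many prefix filters to maximise the number of blacklisted addresses blocked minus the weighted number of legitimate addresses blocked, with ties broken toward more specific prefixes. The sample addresses, the 1:1 weight between unwanted and legitimate traffic, and the function names are assumptions for the example.

```python
import ipaddress
from functools import lru_cache

# Constructed sample: blacklisted sources cluster in 10.0.0.0/29, one sits in 192.0.2.0/24;
# legitimate sources are scattered, with one (10.0.0.5) inside the blacklisted cluster.
BAD = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.6", "10.0.0.7", "192.0.2.77"]
GOOD = ["10.0.0.5", "10.0.1.20", "192.0.2.10", "192.0.2.11", "198.51.100.5", "203.0.113.9"]

def choose_filters(bad, good, budget, good_weight=1.0):
    """Return (score, ["a.b.c.d/len", ...]) maximising blocked-bad - good_weight * blocked-good."""
    bad_ints = [int(ipaddress.IPv4Address(ip)) for ip in bad]
    good_ints = [int(ipaddress.IPv4Address(ip)) for ip in good]

    def count_in(addrs, prefix, length):
        # Number of addresses whose top `length` bits equal `prefix`
        return sum(1 for a in addrs if a >> (32 - length) == prefix)

    @lru_cache(maxsize=None)
    def best(prefix, length, k):
        # Best (score, filters) achievable with at most k filters inside this prefix
        nbad = count_in(bad_ints, prefix, length)
        if k == 0 or nbad == 0:
            return 0.0, ()                    # nothing worth blocking here
        result = (0.0, ())                    # option 0: leave this prefix unfiltered
        own = nbad - good_weight * count_in(good_ints, prefix, length)
        if own > result[0]:                   # option 1: one filter covering the whole prefix
            result = (own, ((prefix, length),))
        if length < 32:                       # option 2: split the budget between the two halves
            for j in range(k + 1):
                ls, lf = best(prefix << 1, length + 1, j)
                rs, rf = best((prefix << 1) | 1, length + 1, k - j)
                if ls + rs >= result[0]:      # ties go to the more specific filters
                    result = (ls + rs, lf + rf)
        return result

    score, chosen = best(0, 0, budget)
    return score, [f"{ipaddress.IPv4Address(p << (32 - l))}/{l}" for p, l in chosen]

def blocked_counts(filters, bad, good):
    """Check a filter set: (blacklisted addresses blocked, legitimate addresses blocked)."""
    nets = [ipaddress.ip_network(f) for f in filters]
    hit = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    return sum(map(hit, bad)), sum(map(hit, good))

if __name__ == "__main__":
    for budget in (1, 2, 4):
        score, filters = choose_filters(BAD, GOOD, budget)
        print(budget, score, filters, blocked_counts(filters, BAD, GOOD))
```

With one filter the program accepts blocking 10.0.0.5 to cover the cluster; only with four filters can every blacklisted address be blocked without collateral damage.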