Optimal Filtering of Malicious IP Sources

How can we protect the network infrastructure from malicious traffic, such as scanning, malicious code propagation, and distributed denial-of-service (DDoS) attacks? One mechanism for blocking malicious traffic is filtering: access control lists (ACLs) can selectively block traffic based on fields of the IP header. Filters (ACLs) are already available in today's routers, but they are a scarce resource because they are stored in expensive ternary content addressable memory (TCAM). In this paper, we develop, for the first time, a framework for studying filter selection as a resource allocation problem. Within this framework, we study five practical cases of source address/prefix filtering, which correspond to different attack scenarios and operator policies. We show that filter selection optimization leads to novel variations of the multidimensional knapsack problem, and we design optimal, yet computationally efficient, algorithms to solve them. We also evaluate our approach using data from Dshield.org and demonstrate that it brings significant benefits in practice. Our set of algorithms is a building block that can be used immediately by operators and manufacturers to block malicious traffic in a cost-efficient way.
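As an added illustration of the resource-allocation view described above (example code written for this page, not the paper's own algorithm, data or evaluation): given observed malicious sources with weights, legitimate sources whose traffic a wide prefix would also block, and a budget of TCAM entries, the function below chooses at most that many source prefixes maximising blocked malicious weight minus blocked legitimate weight. Each candidate prefix is an item costing exactly one entry, the entry budget is the knapsack capacity, and the binary prefix trie is what makes overlapping prefixes mutually exclusive, so the search only ever compares "one entry for this whole prefix" against "split the budget between its two children". The trie dynamic programme, the objective (one reasonable choice among the scenarios the abstract mentions, not a statement of which the paper uses), the function names and the sample addresses and weights are all assumptions made for this example; the addresses are documentation ranges, not measurements.

```python
"""Source-prefix filter selection under a TCAM budget (added example)."""
import ipaddress
from functools import lru_cache


def select_filters(bad, good, budget):
    """Choose at most `budget` source prefixes (ACL entries) maximising
    blocked malicious weight minus blocked legitimate weight.

    bad  : {"a.b.c.d": weight} observed malicious sources (e.g. report counts)
    good : {"a.b.c.d": weight} legitimate sources that a wide prefix would
           also block (collateral damage)
    Returns (objective, list_of_prefix_strings). Integer weights keep sums exact.
    """
    # Net value of blocking each individual address: malicious minus legitimate.
    net = {}
    for ip, w in bad.items():
        a = int(ipaddress.IPv4Address(ip))
        net[a] = net.get(a, 0) + w
    for ip, w in good.items():
        a = int(ipaddress.IPv4Address(ip))
        net[a] = net.get(a, 0) - w
    addrs = sorted(net)

    def fmt(prefix, plen):
        return f"{ipaddress.IPv4Address(prefix)}/{plen}"

    @lru_cache(maxsize=None)
    def best(prefix, plen, k):
        """Best (value, prefixes) using at most k entries inside prefix/plen."""
        shift = 32 - plen
        inside = [a for a in addrs if (a >> shift) == (prefix >> shift)]
        if not inside or k == 0:
            return 0, ()
        # Option 1: one entry covers the whole prefix, collateral included.
        whole = sum(net[a] for a in inside)
        value, chosen = (whole, (fmt(prefix, plen),)) if whole > 0 else (0, ())
        if plen == 32:
            return value, chosen
        # Option 2: split the budget between the two child prefixes.
        # Ties: prefer fewer entries (TCAM is the scarce resource), then the
        # more specific prefixes produced by the split.
        right = prefix | (1 << (31 - plen))
        for k1 in range(k + 1):
            v0, c0 = best(prefix, plen + 1, k1)
            v1, c1 = best(right, plen + 1, k - k1)
            if (v0 + v1, -len(c0 + c1)) >= (value, -len(chosen)):
                value, chosen = v0 + v1, c0 + c1
        return value, chosen

    value, chosen = best(0, 0, budget)
    return value, list(chosen)


def marginal_gains(bad, good, max_budget):
    """Objective value for each budget 1..max_budget: what one more TCAM
    entry buys, which is the number an operator needs to size the ACL."""
    return [select_filters(bad, good, b)[0] for b in range(1, max_budget + 1)]


# Constructed sample (documentation address ranges, not real measurements):
# weights stand in for report counts (bad) and traffic volume (good).
BAD = {"203.0.113.5": 10, "203.0.113.6": 8, "203.0.113.7": 6,
       "203.0.113.200": 3, "198.51.100.77": 9}
GOOD = {"203.0.113.4": 2, "203.0.113.100": 20, "198.51.100.78": 1}

if __name__ == "__main__":
    for b in range(1, 4):
        value, prefixes = select_filters(BAD, GOOD, b)
        print(f"budget={b}: value={value} filters={prefixes}")
```

With the constructed data, a single entry is best spent on 203.0.113.4/30 (three malicious hosts at the cost of one small legitimate one), a second entry goes to an isolated source in another /24, and a third buys only a low-weight straggler; the diminishing gain per entry (22, 31, 34) is exactly the curve an operator needs when deciding how much TCAM to dedicate to source filtering. Note that the objective only sees addresses that were observed, so ties between a wide prefix and a narrow one covering the same observed hosts are broken towards the narrower prefix to limit blocking of unobserved legitimate sources.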
