Computer Science – Networking and Internet Architecture
Scientific paper
2008-11-24
Computer Science
Networking and Internet Architecture
submitted to Infocom 09
Scientific paper
How can we protect the network infrastructure from malicious traffic, such as scanning, malicious code propagation, and distributed denial-of-service (DDoS) attacks? One mechanism for blocking malicious traffic is filtering: access control lists (ACLs) can selectively block traffic based on fields of the IP header. Filters (ACLs) are already available in the routers today but are a scarce resource because they are stored in the expensive ternary content addressable memory (TCAM). In this paper, we develop, for the first time, a framework for studying filter selection as a resource allocation problem. Within this framework, we study five practical cases of source address/prefix filtering, which correspond to different attack scenarios and operator's policies. We show that filter selection optimization leads to novel variations of the multidimensional knapsack problem and we design optimal, yet computationally efficient, algorithms to solve them. We also evaluate our approach using data from Dshield.org and demonstrate that it brings significant benefits in practice. Our set of algorithms is a building block that can be immediately used by operators and manufacturers to block malicious traffic in a cost-efficient way.
Argyraki Katerina
Markopoulou Athina
Soldo Fabio
No associations
LandOfFree
Optimal Filtering of Malicious IP Sources does not yet have a rating. At this time, there are no reviews or comments for this scientific paper.
If you have personal experience with Optimal Filtering of Malicious IP Sources, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Optimal Filtering of Malicious IP Sources will most certainly appreciate the feedback.
Profile ID: LFWR-SCP-O-644989