One mechanism for blocking malicious traffic is filtering: access control lists (ACLs) can selectively block traffic based on fields of the IP header. Filters (ACLs) are already available in the routers today but are a scarce resource because they are stored in the expensive ternary content addressable memory (TCAM). Aggregation is used in practice: a single filter blocks an entire range of IP addresses, thus reducing the number of filters at the cost of blocking legitimate traffic from that range. We present a framework for studying filter selection as a resource allocation problem and we develop several filtering algorithms, depending on the attack scenario and operator's policy, which are optimal yet computational efficient. We also demonstrate that these algorithms exploit the spatial and temporal correlation of malicious sources exhibited in real data.
Back to Workshop II: Applications of Internet MRA to Cyber-Security