Abstract-The increase in interconnectivity has given rise to a huge number of IoT-enabled devices in botnets. These botnets are currently being used for large-scale DDoS attacks. Honeypots have proven to be a vital tool for keeping track of malicious activities. A honeypot is a computer system set up to act as bait to attract cyber attackers, in order to detect, deflect and study attempts made by attackers to gain unauthorized access to information systems.
traffic is blocked on the Internet via filtering. We consider filtering via access control lists (ACLs). ACL filters are available on today's routers, but they are a scarce resource because they are stored in ternary content addressable memory (TCAM), which is expensive. Aggregation (filtering source prefixes instead of individual IP addresses) helps reduce the number of filters, but also comes at the cost of blocking legitimate traffic originating from the filtered prefixes. For a variety of realistic attack scenarios and operators' policies, we show how to optimally choose which source prefixes to filter. In each scenario, we design optimal and efficient
Keywords-DDoS, filtering, aggregation, ACL, TCAM.
Protecting our network infrastructure from malicious traffic, including malicious code propagation, spam, scanning, and DDoS (distributed denial-of-service) attacks, is very important. Such activities cause problems on networks ranging from simple annoyance to severe operational, financial, and political damage to organizations, companies, and critical infrastructure. These attacks have increased in volume, automation and sophistication, and are largely enabled by botnets, which serve as the platform for launching them. Protecting a host or network (the victim) from malicious traffic is a hard problem that requires the coordination of several complementary components, including technical solutions (at the application and/or network level) and nontechnical (e.g., business and
The most fundamental building block in blocking malicious traffic is the filtering support provided by the network. For example, to counter an ongoing DDoS attack, the DDoS traffic is blocked by the Internet service provider (ISP) through filtering before it reaches the ISP's clients. An ISP may also proactively identify and block traffic carrying malicious code before it reaches and compromises vulnerable hosts. In both cases, filtering is an essential operation that should be carried out within the network. Routers today come with filtering capabilities via access control lists (ACLs). ACLs let a router match a packet header against pre-set rules and carry out predefined actions on the matching packets. This mechanism is used to enforce policies of many kinds, such as infrastructure protection. For the purpose of blocking malicious traffic, a filter is a simple ACL rule that denies or allows access to a source IP address or prefix.
Filtering is implemented in hardware, since modern routers have high forwarding rates. ACLs are stored in ternary content addressable memory (TCAM), which allows parallel access and reduces the number of lookups per forwarded packet. TCAM is expensive and consumes more space than conventional memory. Hence TCAM puts a limit on the number of filters, and this limit is not expected to change in the near future. With many thousands of filters per path, an ISP alone cannot block the attacks witnessed today, let alone the attacks from multimillion-node botnets expected in the near future.
is generated for studying source prefix filtering as a resource allocation problem. To the best of our knowledge, optimal filter selection has not been explored so far, as most related work on filtering has focused on protocol and architectural aspects. Within the framework, we formulate and solve five practical source-address filtering problems, depending on the attack scenario and the operator's policy and constraints. The framework exploits the special structure of each problem to design optimal and computationally efficient algorithms.
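As an added illustration of the resource-allocation view described above (this is example code, not the paper's algorithm or any router vendor's ACL syntax), the following dynamic program walks the binary trie of observed source addresses and chooses, within a budget of ACL entries, the set of source prefixes that blocks the most attacker addresses while charging a configurable penalty for every legitimate address caught by an aggregate. The attacker and legitimate address lists are constructed from RFC 5737 documentation ranges and are hypothetical; the budget and collateral weight stand in for the operator's TCAM constraint and policy.

```python
"""Choose which source prefixes to filter under an ACL/TCAM budget.

Added illustration, not the paper's algorithm: a dynamic program over the
binary trie of observed source addresses. Each node (prefix) either becomes
one ACL entry, blocking every attacker and every legitimate host beneath it,
or delegates to its two children. The operator supplies a filter budget and
a weight saying how many blocked attackers one blocked legitimate host costs.
"""
import ipaddress
from functools import lru_cache

# Constructed sample traffic (RFC 5737 documentation ranges), not measured data.
ATTACKERS = [
    "203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4",
    "203.0.113.5", "203.0.113.6", "203.0.113.7",
    "198.51.100.10", "198.51.100.11",
    "192.0.2.200",
]
LEGITIMATE = [
    "203.0.113.8",
    "198.51.100.12", "198.51.100.13", "198.51.100.14", "198.51.100.15",
    "192.0.2.1", "192.0.2.2",
]


def _bits(addr):
    """32-bit binary string of an IPv4 address, most significant bit first."""
    return format(int(ipaddress.IPv4Address(addr)), "032b")


def _to_cidr(bits):
    """Bit-string prefix back to CIDR notation, e.g. '' -> 0.0.0.0/0."""
    addr = ipaddress.IPv4Address(int(bits.ljust(32, "0"), 2))
    return str(ipaddress.ip_network(f"{addr}/{len(bits)}"))


def prefix_counts(addresses):
    """Map every prefix (length 0..32) to the number of addresses under it."""
    counts = {}
    for addr in addresses:
        b = _bits(addr)
        for length in range(33):
            counts[b[:length]] = counts.get(b[:length], 0) + 1
    return counts


def best_filters(attackers, legitimate, budget, collateral_weight=1.0):
    """Return (value, filters): the prefixes maximising
    attackers_blocked - collateral_weight * legitimate_blocked
    using at most `budget` ACL entries."""
    bad = prefix_counts(attackers)
    good = prefix_counts(legitimate)

    @lru_cache(maxsize=None)
    def solve(prefix, k):
        # No entries left, or no attacker below this prefix: nothing to gain.
        if k == 0 or prefix not in bad:
            return 0.0, ()
        # Option 1: one aggregate entry covering this whole prefix.
        here = bad[prefix] - collateral_weight * good.get(prefix, 0)
        best = (here, (prefix,)) if here > 0 else (0.0, ())
        if len(prefix) == 32:
            return best
        # Option 2: split the budget between the two children. On a tie the
        # coarser (aggregate) prefix wins, since it consumes fewer entries.
        for k_left in range(k + 1):
            v_left, f_left = solve(prefix + "0", k_left)
            v_right, f_right = solve(prefix + "1", k - k_left)
            if v_left + v_right > best[0]:
                best = (v_left + v_right, f_left + f_right)
        return best

    value, chosen = solve("", budget)
    return value, [_to_cidr(p) for p in chosen]


def evaluate(filters, attackers, legitimate):
    """Count the attacker and legitimate addresses a filter set blocks."""
    nets = [ipaddress.ip_network(f) for f in filters]

    def blocked(addr):
        return any(ipaddress.IPv4Address(addr) in n for n in nets)

    return (sum(blocked(a) for a in attackers),
            sum(blocked(a) for a in legitimate))


if __name__ == "__main__":
    for budget in (1, 2, 3):
        value, filters = best_filters(ATTACKERS, LEGITIMATE, budget)
        print(budget, value, filters, evaluate(filters, ATTACKERS, LEGITIMATE))
```

With the sample data, one entry blocks the seven attackers in 203.0.113.0/29 with no collateral, a second entry adds 198.51.100.8/30, and a third adds 192.0.2.128/25; the single attacker at 192.0.2.200 is aggregated up to the /25 because no legitimate host was observed in that half of the /24. Setting `collateral_weight` to zero makes the program collapse everything into 0.0.0.0/0, which is exactly why an operator's policy on legitimate traffic must enter the objective.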
Packet filtering enhances the security of a network by examining packets as they pass through a firewall or router. Filtering packets by IP address prefix helps determine which source addresses are malicious and which are not, by developing an
The proposed system can be used to protect the network infrastructure from malicious traffic, such as scanning, malicious code propagation, spam, and distributed denial-of-service (DDoS) attacks.