Filtering of Malicious Traffic Based on Optimal Source

We have considered the problem of blocking malicious traffic on the Internet via optimal source-based filtering. In particular, we can consider filtering via access control lists (ACLs): These are already available at the routers, but they are a scarce resource because they are stored in the expensive ternary content addressable memory (TCAM). Aggregation (by filtering source prefixes instead of individual IP addresses) helps the less number of filters, but also at the cost of blocking legitimate traffic originating from the filtered prefixes. We have show how to optimally choose which source prefixes to filter for a variety of realistic attack scenarios and operators policies. In each scenario, we have design optimal, yet to be computationally efficient, algorithms. Using logs from the Dshield. org, We evaluate the algorithms and demonstrate that they bring significant benefit in practice.