DocumentCode :
2153611
Title :
SDN-inspired, real-time botnet detection and flow-blocking at ISP and enterprise-level
Author :
Haq, Osama ; Abaid, Zainab ; Bhatti, Naveed ; Ahmed, Zaafar ; Syed, Affan
Author_Institution :
Tufts University, Medford, MA, United States
fYear :
2015
fDate :
8-12 June 2015
Firstpage :
5278
Lastpage :
5283
Abstract :
Infected machines pose threats to not only their users, but also their network owners (ISPs and enterprises). To neutralize the effect of these infected machines, common solutions span two ends of an architectural spectrum; either fully distributed solutions that are host-based, or completely centralized appliances at the network core. We present NetworkRadar, inspired by an SDN-enabled ISP framework, that operates in between these extremes and contains the benefits of both these approaches. We perform data-plane intensive event monitoring at aggregation points close to customers, and maintain a centralized control plane for correlating and high-granularity blocking of malicious bot activity. Here we present the architecture of our solution and evaluate a prototype deployment over an isolated slice of an ISP network, showing its viability due to a negligible (<1%) impact on customer throughput and its control plane scaling linearly to the customer base.
Keywords :
Bandwidth; Correlation; Heart beat; IP networks; Portable computers; Servers; Throughput;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Communications (ICC), 2015 IEEE International Conference on
Conference_Location :
London, United Kingdom
Type :
conf
DOI :
10.1109/ICC.2015.7249162
Filename :
7249162