On the Benefits of Early Filtering of Botnet Unwanted Traffic

Unwanted traffic has become a worsening problem for the availability and reliability of the Internet. Today most unwanted traffic can be attributed to botnets, which can generate massive unwanted traffic to the victim using a huge number of bots. Although there exist techniques to filter and discard the unwanted packets at the destinations, these packets are still allowed to traverse the backbone of the Internet to cause severe traffic burdens and waste bandwidth resource of the Internet. In this paper, we propose a novel approach called Dynamic Early Filtering of Internet Traffic (DEFT). DEFT encodes unwanted traffic filtering rules as routing information using the flow specification (Flow-Spec) NLRI field in BGP Update messages, so that BGP routers not only can incorporate the filtering rules into their routing decision, but can also forward the rules to their neighboring routers, in order to reach routers that are closer to the sources and achieve early filtering of the offending traffic. We implement a prototype based on the Quagga routing software, and use the Deterlab testbed to conduct various experiments to evaluate the performance of DEFT on different degrees of attacking source distribution and different degrees of filtering rule dissemination. The experimental results show that with small overhead DEFT can effectively reduce the average transmission latency and increase the average throughput of legitimate traffic.