System and method for creating BGP route-based network traffic profiles to detect spoofed traffic

摘要

An inventive system and method for creating source profiles to detect spoofed traffic comprises obtaining a routing path for data to traverse nodes using traffic profiles, each routing path comprising at least a target AS, initializing one or more AS sets with last hop ASes, enhancing the AS sets by connecting the AS sets to routers, for each enhanced AS set, filtering observed traffic flows, and using the filtered flows to associate enhanced AS sets with network monitoring points to create the source profiles. In one aspect, filtering flows comprise TCP session filtering and/or destination bogon filtering. In one aspect, the routers are border gateway protocol routers. In one aspect, the last hop ASes are one hop away from the target AS.

主权项

1. A method in a system for creating source profiles to detect spoofed traffic, the method comprising:
obtaining, by the system, a routing path for data to traverse nodes using traffic profiles, each routing path comprising at least a target Autonomous System (AS); initializing, by the system, one or more AS sets with last hop ASes; enhancing, by the system, the AS set(s) by connecting the AS set(s) to routers; for each enhanced AS set, filtering by the system observed traffic flows, wherein the filtering observed traffic flows comprises established Transmission Control Protocol (TCP) filtering where any TCP traffic flow without SYN, RST and FIN flags set are considered when creating the source profiles and all other traffic flows are ignored; and, using, by the system, the filtered flows to associate enhanced AS set(s) with network monitoring points to create the source profiles.