On the use of Enhanced Bogon Lists (EBLs) to detect malicious traffic

Spoofed IP traffic (traffic containing packets with incorrect source IP addresses) is often used by Internet-based attackers for anonymity. This method reduces the risk of trace-back and avoids attack detection by traffic-based sensors. In general, attackers may use randomly or selectively chosen IP address space to serve as source IP addresses on attack packets. The IP address allocation process creates room for bogons as well as other prefix space that is either unallocated or semi-dark, i.e. allocated but not in operational use. In this paper, we detail novel techniques to construct filters that cover unallocated and semi-dark space. We then evaluate the use of such IP source prefix filters using efficient filtering techniques on an enterprise network and the correlations of such source IP addresses with malicious traffic or bad actors. Our initial results indicate that there is a high degree of correlation between dark or semi-dark source IP prefix space and malicious traffic. As such, it may be feasible for network operators to deploy effective filters based on dark or semi-dark source IP prefix space that block malicious traffic with a low degree of false positives. Further, the presence of such traffic can serve as an early warning of DoS or other attacks.