SAFFIRRE: Selective Aggregate Filtering Through Filter Rule Refinement

Volumetric Distributed Denial of Service attacks send unsolicited high-volume traffic to overwhelm network infrastructures and disrupt service availability. To counteract such attacks, we introduce Selective Aggregate Filtering through Filter Rule Refinement. This novel approach monitors traffic aggregates over the IP address hierarchy with hierarchical heavy hitter algorithms. Based on this, it builds effective droplists for upstream filtering to protect network infrastructures. By estimating attack traffic volumes in traffic aggregates with machine learning, filter rule refinement compensates several drawbacks of hierarchical heavy hitters to achieve low false positive and false negative rates. Furthermore, it enables adaptation to dynamic traffic by tracking filter rule precision over time. We evaluate mitigation effectiveness in dynamic situations with challenging mixed legitimate and attack traffic distributions.