Distributed Reflected Denial of Service (DRDoS) attacks remain one of the most popular techniques for draining a victim's network bandwidth. Although the goal is to disrupt the network services of a particular victim, these attacks indirectly affect a large number of benign Internet citizens. In particular, the owners of services vulnerable to amplification have to waste their resources processing incoming requests. Moreover, the voluminous attack traffic generated by the amplification consumes Internet Service Provider (ISP) resources, bandwidth and money, causing Quality of Service (QoS) degradation and higher subscription fees for customers.
In this work we demonstrate a Software Defined Networking (SDN) based system that filters garbage traffic out of an ISP network. We employ a special type of honeypot developed to collect information about ongoing DRDoS attacks. Firewall rules derived from this data block incoming amplification requests before they reach amplifiers located within the provider network, which keeps vulnerable services from being abused. In turn, this prevents the generation of garbage traffic, saving the ISP money and improving QoS.
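The pipeline sketched above (honeypot observations in, ingress drop rules out) can be illustrated with a small Python model. This is an added example, not the paper's code: the honeypot log, the aggregation window, the request threshold, the rule lifetime and the OpenFlow-style rendering of a rule are all assumptions chosen here. The key observation it relies on is that an amplifier honeypot sees the spoofed source address of each request, i.e. the address of the actual victim, so a (victim address, abused UDP port) tuple seen repeatedly is enough to derive a rule that an SDN controller can push to the ISP's ingress switches.

```python
"""Deriving ISP ingress filter rules from DRDoS honeypot observations.

Added illustration, not the paper's implementation. An amplifier honeypot
answers (or merely records) amplification-style requests on UDP services; the
source address of each request it receives is the spoofed address of the attack
victim. Aggregating these observations per (victim, UDP port) yields drop rules
that stop the same requests from reaching real amplifiers inside the ISP.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample records, in the shape an amplifier honeypot might log them:
# (time in seconds, spoofed source address = victim, UDP destination port of the abused service).
HONEYPOT_LOG = [
    (1000.0, "203.0.113.7", 53),
    (1000.2, "203.0.113.7", 53),
    (1000.4, "203.0.113.7", 53),
    (1000.6, "203.0.113.7", 53),
    (1001.0, "203.0.113.7", 123),
    (1001.1, "203.0.113.7", 123),
    (1001.2, "203.0.113.7", 123),
    (1001.3, "203.0.113.7", 123),
    (1005.0, "198.51.100.20", 53),   # a single request: stays below the threshold
    (1300.0, "198.51.100.9", 1900),
    (1300.1, "198.51.100.9", 1900),
    (1300.2, "198.51.100.9", 1900),
    (1300.3, "198.51.100.9", 1900),
]

WINDOW = 60.0    # seconds of observations aggregated per tuple (assumption)
THRESHOLD = 3    # requests per (victim, port) within WINDOW before a rule is derived (assumption)
RULE_TTL = 600   # seconds a derived rule stays installed (assumption)


@dataclass(frozen=True)
class DropRule:
    victim_ip: str      # spoofed source address observed by the honeypot
    udp_dst: int        # port of the amplification service being abused
    expires_at: float   # absolute time after which the rule no longer applies


def derive_rules(log, window=WINDOW, threshold=THRESHOLD, ttl=RULE_TTL) -> List[DropRule]:
    """Count honeypot requests per (src, port) in a sliding window and emit a drop
    rule once a tuple reaches the threshold. Re-observation refreshes the expiry."""
    hits: Dict[Tuple[str, int], List[float]] = defaultdict(list)
    rules: Dict[Tuple[str, int], DropRule] = {}
    for ts, src, port in sorted(log):
        key = (src, port)
        # keep only the timestamps still inside the window
        hits[key] = times = [t for t in hits[key] if ts - t <= window] + [ts]
        if len(times) >= threshold:
            rules[key] = DropRule(src, port, ts + ttl)
    return sorted(rules.values(), key=lambda r: (r.expires_at, r.victim_ip, r.udp_dst))


def to_openflow_match(rule: DropRule, priority: int = 100) -> dict:
    """Render a rule as an OpenFlow-style flow entry with an empty action list,
    which drops matching packets. Field names follow OpenFlow 1.3 OXM naming; the
    controller API used in the paper is not specified, so this layout is an assumption."""
    return {
        "priority": priority,
        "match": {"eth_type": 0x0800, "ip_proto": 17,
                  "ipv4_src": rule.victim_ip, "udp_dst": rule.udp_dst},
        "actions": [],
        "hard_timeout": RULE_TTL,
    }


def ingress_decision(rules: List[DropRule], now: float, src_ip: str, ip_proto: int, dst_port: int) -> str:
    """What an ISP ingress switch holding `rules` does with an incoming packet."""
    for r in rules:
        if now <= r.expires_at and ip_proto == 17 and src_ip == r.victim_ip and dst_port == r.udp_dst:
            return "drop"
    return "forward"


if __name__ == "__main__":
    rules = derive_rules(HONEYPOT_LOG)
    for r in rules:
        print(to_openflow_match(r))
    # spoofed request heading for a DNS amplifier inside the ISP: dropped
    print(ingress_decision(rules, 1002.0, "203.0.113.7", 17, 53))
    # the victim's ordinary TCP traffic through the same ISP is untouched
    print(ingress_decision(rules, 1002.0, "203.0.113.7", 6, 80))
```

The rules match only the exact (spoofed source, UDP port) tuple, so a victim's other traffic through the ISP is unaffected; the victim's own genuine queries to those specific services inside the provider network are blocked for the rule lifetime, which is the usual trade-off of this kind of filtering and the reason the rules expire rather than persist.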