Security on the Internet today is treated mostly as a data plane problem. IDS's, firewalls, and spam filters all operate on the simple principle of detecting malicious data plane behavior and erecting data plane filters. In this paper we explore how breaking down the barrier between the control and data plane can significantly enhance our understanding of how to detect and filter Internet threats like worms and botnets. Our investigation is guided by two specific goals: using information and anomalies detected on the data plane to inform control plane decision support and using anomalies detected on the control plane to inform data plane filtering. We begin by analyzing the source of persistent worms and other persistent malicious and misconfigured data plane traffic to understand the scope of this behavior on the control plane. We then analyze how anomalies on the control plane associated with poorly managed networks and are correlated with the sources of malicious and misconfigured traffic detected on the data plane. Our results show that malicious and misconfigured data plane behavior is widely spread across the control plane suggesting that constructing a few control plane filters to block the most infected organizations will not have a significant impact. We demonstrate that networks with data plane anomalies tend to exhibit more routing misconfigurations. Finally, we discuss how these correlations could be used to reject or filter routes and help stop recurring threats like persistent worms.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Anirudh Ramachandran , Nick Feamster, Understanding the network-level behavior of spammers, Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications, September 11-15, 2006, Pisa, Italy
	2	P. Barford, R. Nowak, R. Willett, and V. Yegneswaran, Toward a Model for Sources of Internet Background Radiation," in Proc. of the Passive and Active Measurement Conference (PAM '06), March 2006.
	3	Ruoming Pang , Vinod Yegneswaran , Paul Barford , Vern Paxson , Larry Peterson, Characteristics of internet background radiation, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy  [doi>10.1145/1028788.1028794]
	4	Matthew Braverman, MSRT - Progress Made Lessons Learned." http://www.microsoft.com/, 2006.
	5	Michael Bailey , Evan Cooke , Farnam Jahanian , David Watson , Jose Nazario, The Blaster Worm: Then and Now, IEEE Security and Privacy, v.3 n.4, p.26-31, July 2005  [doi>10.1109/MSP.2005.106]
	6	University of Oregon Route Views Archive Project." www.routeviews.org.
	7	Ripe NCC." http://www.ripe.net.
	8	M. Bailey, E. Cooke, F. Jahanian, J. Nazario, and D. Watson, The Internet Motion Sensor: A distributed blackhole monitoring system," in Proceedings of Network and Distributed System Security Symposium (NDSS '05) (San Diego, CA), February 2005.
	9	D. Moore, G. Voelker, and S. Savage, Inferring Internet Denial of Service Activity," in Proc. USENIX Security Symposium, August 2001.
	10	L. Subramanian, S. Agarwal, J. Rexford, and R. H. Katz, Characterizing the Internet hierarchy from multiple vantage points," in Proc. IEEE INFOCOM, 2002.
	11	Ratul Mahajan , David Wetherall , Tom Anderson, Understanding BGP misconfiguration, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
	12	Xiaoliang Zhao , Dan Pei , Lan Wang , Dan Massey , Allison Mankin , S. Felix Wu , Lixia Zhang, An analysis of BGP multiple origin AS (MOAS) conflicts, Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, November 01-02, 2001, San Francisco, California, USA  [doi>10.1145/505202.505207]
	13	P. Boothe, J. Hiebert, and R. Bush, How Prevalent is Prefix Hijacking on the Internet." NANOG36 Talk, February 2006.
	14	Jennifer Rexford , Jia Wang , Zhen Xiao , Yin Zhang, BGP routing stability of popular destinations, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France  [doi>10.1145/637201.637232]
	15	G. Huston, CIDR REPORT." http://www.cidr-report.org/.
	16	J. Karlin, Pretty Good BGP and the Internet Alert Registry." Nanog 37, June 2006, http://www.nanog.org/mtg-0606/karlin.html.