Evaluating Malicious Domain Filtering as a Perimeter Firewall Security Service

Authors

  • Muhti Subiyantoro, Universitas Islam Indonesia

DOI:

https://doi.org/10.26555/jiteki.v11i2.30815

Abstract

The growing dependence on internet connectivity has heightened cybersecurity threats, primarily through malicious domains that facilitate malware, phishing, and botnet operations. These threats can have a severe impact on individuals and organizations. One example is a 2023 incident in which a malicious domain attack resulted in significant banking service downtime and compromised e-customer data. Domain filtering on firewalls is a common defensive strategy against these threats, yet its effectiveness is often underestimated, particularly in large-scale Internet Service Provider (ISP) settings. Previous studies have examined this issue but have not focused on the security systems typically employed by ISPs, which impedes the practical adoption of effective measures.

This study aims to evaluate the effectiveness of malicious domain filtering within an organization's cybersecurity perimeter. By analyzing network traffic processed through security filters, the research assesses the performance of blacklist-based domain filtering for harmful domains. Two main aspects are examined: 1) the effectiveness of this filtering in protecting users from malicious activities, and 2) the impact on network traffic flows.

The analysis involves several metrics, including total connection flow, byte and packet reduction, bandwidth utilization, and packet rate. Through this method, the study investigates how effectively malicious domain filtering can enhance user security and its ramifications on overall network performance.

The findings indicate that malicious domain filtering significantly improves user security by effectively blocking harmful domains. Regarding network performance, a 2.49% increase in total connection flow was noted, due to the retry mechanism that occurs when connections to blocked domains are re-attempted. Although this process does not considerably impact overall bandwidth consumption, it results in a notable reduction of 24.5% in total bytes transferred and a 10.5% decrease in total packets sent. Furthermore, there was an average reduction in bandwidth of 22.58%, and the packet rate decreased by 8.81%. The study also identified 1,919 malicious IP addresses blocked out of 1,090 user attempts to access harmful domains. The results illustrate that blacklist-based domain filtering strengthens user security and enhances bandwidth efficiency by mitigating unwanted traffic. This approach is particularly pertinent for contemporary ISP products, providing a cost-effective solution to improve cybersecurity. Lastly, the study underscores the critical role of robust domain filtering in safeguarding digital environments and optimizing network performance, allowing organizations to balance user protection and operational effectiveness. Additionally, it points to the vital expertise required in IT, especially in cybersecurity and personal health, suggesting that this knowledge can enhance both organizational resilience and individual well-being.

Published

2025-06-27

How to Cite

[1] M. Subiyantoro, “Evaluating Malicious Domain Filtering as a Perimeter Firewall Security Service”, J. Ilm. Tek. Elektro Komput. Dan Inform, vol. 11, no. 2, Jun. 2025.

Section

Articles