To prevent network infrastructure from malicious traffic, such as DDoS attack and scanning, source filtering is widely used in the network. There are different ways to store the filters, e.g., a blacklist of source addresses. Among them, TCAM-based is used as the de facto, because of its wire speed performance. Unfortunately, TCAM is a scarce resource because it's limited by small capacity, high power consumption and high cost. To save storage space, some TCAM-based solutions even block part of the legitimate traffic for better aggregation. Another choice is software based solutions, which have larger storage space compared to hardware based solutions. However, they require multiple accesses for a single lookup, which causes latency.