High-Speed Legitimacy-Based DDoS Packet Filtering with Network Processors [chapter]

Roshan K. Thomas, Brian L. Mark, Tommy O. Johnson, James B. Croall
2004 Network Processor Design
We present an interesting application of network processors in the field of network security. Specifically, we report on the design and implementation of a high-speed prototype that provides packet-filtering functions to mitigate distributed denial of service (DDoS) attacks targeting network resources. The effects of DDoS attacks are felt when network or host resources are used illegitimately at the expense of legitimate services. Our approach therefore relies on administering a variety of legitimacy tests in real time to incoming packets in order to determine their degree of legitimacy, followed by appropriate filtering and traffic management. To be practical, such tests and filtering have to be performed in a manner that sustains high throughput, and this presents a variety of technical and research challenges. We collectively refer to our approach and set of technologies as "NetBouncer". NetBouncer represents an interesting case study for the application of network processors, as it requires much more complex functionality than traditional packet-processing applications and devices such as routers and firewalls. Our implementation experience so far has given us important insights into both the possibilities and the limitations of network processors for building applications that go beyond simple IP packet forwarding.
doi:10.1016/b978-012198157-0/50014-3