engleski

Hybrid hardware/software datapath for near real- time reconfigurable high-speed packet filtering

The increasing number of volumetric Distributed Denial-of-Service (DDoS) attacks, as well as their intensity and scale, have led many security experts to research and work on solutions to protect against these types of attacks. Although solutions to combat such attacks already exist, they are typically based on expensive and inflexible network equipment or on the (half-true) assumption that software filters running on commodity hardware are incapable of handling high- speed traffic and delivering sufficient throughput. The idea of combining the best of both worlds (hardware speed and software versatility) is found in a number of solutions, but cannot prevail against massive DDoS attacks with millions of attackers, as such solutions often rely on rulesets with a large number of IP prefixes used with a rule-by-rule packet filtering paradigm. This thesis presents and evaluates a hybrid hardware / software packet filter prototype as a method for mitigating volumetric DDoS attacks using a NetFPGA SUME prototyping board and a high- performance, high-speed, reduced feature-set software packet filter. It demonstrates a novel approach to offload the filtering rules (or parts of them) to the hardware by taking advantage of a modern Longest Prefix Matching (LPM) algorithm to utilize allowlists and blocklists for protection against millions of IP prefixes. The results of this work show that this type of filtering can be performed in high-speed network environments using a single CPU core. The system architecture is designed to allow scaling to much higher throughput. The results of this thesis show improvements over software-only filtering of up to nearly 30%, depending on the combination of rulesets used, the offloading methods, and the type of traffic filtered. The components of the hybrid filter can be implemented on commodity hardware and provide an alternative to expensive or less effective filters. Developing a system that combines fast DDoS detection (with low response times) and this type of filtering could provide high-speed protection against volumetric DDoS attacks. Internet Service Providers (ISPs) and datacenters could take advantage of such filtering methods without being harmed by DDoS attacks or having to compromise the privacy of their data by outsourcing filtering to third parties. Due to the low cost of the commodity, off-the-shelf hardware that these filters use, they can also be deployed by small or medium-sized businesses.

hybrid hardware/software datapath ; hybrid filter ; DDoS attacks

nije evidentirano