Naslov
Surgical DDoS Filtering With Fast LPM

Autori
Salopek, Denis ; Zec, Marko ; Mikuc, Miljenko ; Vasic, Valter

Izvornik
IEEE Access (2169-3536) 10 (2022); 4200-4208

Vrsta, podvrsta i kategorija rada
Radovi u časopisima, članak, znanstveni

Ključne riječi
Firewalls , network security , packet lookup and classification , software routers

Sažetak
Can software-based packet filters effectively dampen volumetric distributed denial-of-service (DDoS) streams in an era when 10 Gbps links are considered slow? The potential of longest prefix matching (LPM) for enforcing precise DDoS scrubbing policies seems to be overlooked in contemporary packet filtering datapaths, and in this paper, we argue that this should not be the case by showing that effective whitelist / blacklist LPM-based filtering can be performed with commodity hardware. A showcase datapath we propose can evaluate multiple queries in large separate LPM databases for each forwarded 64-byte packet, while sustaining 10 Gbps line rate on a single CPU core, with a healthy scaling potential due to its lockless architecture and small memory footprint of LPM structures. We demonstrated forwarding 64 million packets per second using only six CPU cores while performing independent lookups for each packet in three large LPM databases created by aggregating malicious IP addresses or by mapping different geolocation identifiers to IPv4 prefixes.

Izvorni jezik
Engleski

Znanstvena područja
Računarstvo

POVEZANOST RADA