Abstract
This paper proposes an architecture for a source-end DDoS protection system on the IXP2400 network processor, which monitors traffic from the source network and polices it at the source without affecting traffic from other networks. The proposed architecture includes the usual IPv4 forwarder with additional modules for source filtering, packet classification and flow control, and uses a modified non-parametric CUSUM algorithm. We analyze the major shortcomings of previous approaches and present a basic performance analysis. The proposed system can handle 65,000 aggregated flows and can operate at OC-48 line rate.
This research is supported by the MIC, under the ITRC support program supervised by the IITA (IITA-2006-(C1090-0603-0002)).
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Siradjev, D., Ke, Q., Park, J., Kim, YT. (2007). Highspeed and Flexible Source-End DDoS Protection System Using IXP2400 Network Processor. In: Medhi, D., Nogueira, J.M., Pfeifer, T., Wu, S.F. (eds) IP Operations and Management. IPOM 2007. Lecture Notes in Computer Science, vol 4786. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75853-2_16
DOI: https://doi.org/10.1007/978-3-540-75853-2_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-75852-5
Online ISBN: 978-3-540-75853-2
eBook Packages: Computer Science, Computer Science (R0)