A TCAM-based solution for integrated traffic anomaly detection and policy filtering

1. A TCAM-based solution for integrated traffic anomaly detection and policy filtering Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang Publisher: Computer Communications 2009 Presenter: Hsin-Mao Chen Date:2009/9/30

2. Outline • Introduction • Background • Architecture • Data Structures • Packet Processing • Performance

3. Introduction • Distributed Denial of Service (DDoS) attacks are the major threats to the Internet. • The TCP-base DDoS attacks using spoofed source IP address are detected in the edge router through two-dimensional matching.

4. Background • Two-dimensional(2D) matching A normal TCP flow generated from one end host to another should have a corresponding flow from the other direction.

5. Background

6. Background • TCP Packet Header Header Data (bit)

7. Background • Three Way Handshake Client Server FIN FIN+ACK ACK Time Time

8. Architecture

9. Data Structures • Format of action code (0)Policy Filter Rule (1)Flow Identity (0)Not Pass to the local CPU (1)Pass to the local CPU Forwarding Action Flow index in the flow table located in the local CPU Free bits

10. Data Structures • Format of flow table in the local CPU (00)Empty Entry (01)Unmatched existing flow (10)Excepted flow (11)Matching existing flow Flow location in the TCAM rule table Timer: Talm, Tidl, Trmv FIN and ACK bits are used to terminate a pair of completed flows

11. Packet Processing • Packet in new flow Flow table <1.2.3.4, 5.6.7.8, 80, 1028, 6> TCAM table

12. Packet Processing • Packet in expected flow <5.6.7.8, 1.2.3.4, 1028, 80, 6> TCAM table

13. Packet Processing • Packet in matched flow TCAM table

14. Packet Processing • Packet with FIN and/or ACK bit set ACK FIN+ACK FIN TCAM table

15. Performance • False alarm probability Pfalse=(1-p)n-1p

16. Performance • Average time an attack to be monitored Trace 1 Trace 2

17. Performance • Number of falsely alarmed flows per second