1 / 17

A TCAM-based solution for integrated traffic anomaly detection and policy filtering

A TCAM-based solution for integrated traffic anomaly detection and policy filtering. Author : Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang Publisher: Computer Communications 2009 Presenter: Hsin-Mao Chen Date: 2009/9/30. Outline. Introduction Background Architecture

inez-kirk
Download Presentation

A TCAM-based solution for integrated traffic anomaly detection and policy filtering

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A TCAM-based solution for integrated traffic anomaly detection and policy filtering Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang Publisher: Computer Communications 2009 Presenter: Hsin-Mao Chen Date:2009/9/30

  2. Outline • Introduction • Background • Architecture • Data Structures • Packet Processing • Performance

  3. Introduction • Distributed Denial of Service (DDoS) attacks are the major threats to the Internet. • The TCP-base DDoS attacks using spoofed source IP address are detected in the edge router through two-dimensional matching.

  4. Background • Two-dimensional(2D) matching A normal TCP flow generated from one end host to another should have a corresponding flow from the other direction.

  5. Background

  6. Background • TCP Packet Header Header Data (bit)

  7. Background • Three Way Handshake Client Server FIN FIN+ACK ACK Time Time

  8. Architecture

  9. Data Structures • Format of action code (0)Policy Filter Rule (1)Flow Identity (0)Not Pass to the local CPU (1)Pass to the local CPU Forwarding Action Flow index in the flow table located in the local CPU Free bits

  10. Data Structures • Format of flow table in the local CPU (00)Empty Entry (01)Unmatched existing flow (10)Excepted flow (11)Matching existing flow Flow location in the TCAM rule table Timer: Talm, Tidl, Trmv FIN and ACK bits are used to terminate a pair of completed flows

  11. Packet Processing • Packet in new flow Flow table <1.2.3.4, 5.6.7.8, 80, 1028, 6> TCAM table

  12. Packet Processing • Packet in expected flow <5.6.7.8, 1.2.3.4, 1028, 80, 6> TCAM table

  13. Packet Processing • Packet in matched flow TCAM table

  14. Packet Processing • Packet with FIN and/or ACK bit set ACK FIN+ACK FIN TCAM table

  15. Performance • False alarm probability Pfalse=(1-p)n-1p

  16. Performance • Average time an attack to be monitored Trace 1 Trace 2

  17. Performance • Number of falsely alarmed flows per second

More Related