1

A TCAM-based solution for integrated traffic anomaly detection and policy filtering

Author:Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang

Publisher:Computer Communications 2009

Presenter:Hsin-Mao ChenDate:2009/9/30

2

Outline

IntroductionBackgroundArchitectureData StructuresPacket ProcessingPerformance

3

Introduction

Distributed Denial of Service (DDoS) attacks are the major threats to the Internet.

The TCP-base DDoS attacks using spoofed source IP address are detected in the edge router through two-dimensional matching.

4

Background

Two-dimensional(2D) matching

A normal TCP flow generated from one end host to another should have a corresponding flow from the other direction.

5

Background

6

Background

TCP Packet Header

Source Port Number(16) Destination Port Number(16)

Sequence number(32)

Head len(4)

Unused(6)

URG

ACK

PSH

RST

SYN

FIN

Window Size(16)

Header Data

(bit)

7

Background

Three Way Handshake Client Server

TimeTime

FIN

FIN+ACK

ACK

8

Architecture

9

Data Structures

Format of action code

(0)Policy Filter Rule

(1)Flow Identity

(0)Not Pass to the local CPU

(1)Pass to the local CPU

Forwarding ActionFlow index in the flow table located in the local CPU

Free bits

10

Data Structures

Format of flow table in the local CPU

(00)Empty Entry

(01)Unmatched existing flow

(10)Excepted flow

(11)Matching existing flow

FIN and ACK bits are used to terminate a pair of completed flows

Flow location in the TCAM rule tableTimer: Talm, Tidl, Trmv

11

Packet Processing

Packet in new flow

<1.2.3.4, 5.6.7.8, 80, 1028, 6>

TCAM table

Flow table

12

Packet Processing

Packet in expected flow

TCAM table

<5.6.7.8, 1.2.3.4, 1028, 80, 6>

13

Packet Processing

Packet in matched flow

TCAM table

14

Packet Processing

Packet with FIN and/or ACK bit set

TCAM table

FINFIN+ACKACK

15

Performance

False alarm probability

Pfalse=(1-p)n-1p

16

Performance

Average time an attack to be monitored

Trace 1 Trace 2

17

Performance

Number of falsely alarmed flows per second