FPGA-based Multicore Architecture for Integrating Multiple DDoS Defense Mechanisms

This paper proposes an FPGA-based multicore architecture that integrates multiple DDoS defense mechanisms for DDoS protection. The architecture allows several cooperating DDoS mitigation techniques to classify incoming network packets. It consists of two separate partitions, static and dynamic. The static partition contains the packet pre-processing and post-processing modules, while the DDoS filtering techniques are implemented in the dynamic partition. These filtering techniques can be implemented as custom hardware computing cores, as general-purpose soft processors, or as a combination of both. In all cases, the DDoS filtering cores can be updated or replaced at design time or at runtime. We implement our first prototype with the hop-count filtering and ingress/egress filtering techniques on a Xilinx Virtex-5 xc5vtx240t FPGA device. Synthesis results show that the system can operate at up to 116.782 MHz while utilizing about 41% of the LUTs, 47% of the registers, and 53% of the block memory available on the device. Experimental results show that the system achieves a 100% detection rate (true positives) with a 0% false negative rate and a maximum false positive rate of 0.74%. Moreover, the prototype achieves a packet-processing throughput of up to 9.869 Gbps in half-duplex mode and 19.738 Gbps in full-duplex mode.
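The two filtering techniques named in the abstract, hop-count filtering and ingress filtering, as an added software sketch that is not the paper's hardware: a hop-count table learned from legitimate traffic, an ingress source check against the protected prefix and the RFC 5735 special-use ranges, and a conservative combination of the cores' verdicts. The initial-TTL set, the protected prefix 198.100.0.0/16 and the sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Initial TTL values used by common IP stacks (assumption, not taken from the paper).
INITIAL_TTLS = (32, 64, 128, 255)

# Special-use IPv4 ranges (RFC 5735): the ingress stage rejects packets claiming one of
# these as source, since they cannot legitimately arrive from the Internet.
SPECIAL_USE_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]

@dataclass(frozen=True)
class Packet:
    src: str  # source IPv4 address (dotted quad)
    ttl: int  # TTL observed on arrival

def hop_count_from_ttl(ttl):
    """Infer hops traversed: assume the smallest common initial TTL >= the observed TTL."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    raise ValueError(f"invalid TTL {ttl}")

def learn_hop_counts(legit_packets):
    """Build the IP -> hop-count table from traffic known to be legitimate."""
    return {p.src: hop_count_from_ttl(p.ttl) for p in legit_packets}

def ingress_filter(pkt, inside_prefix):
    """Ingress check on the external interface: a source inside our own prefix or in a
    special-use range must be spoofed."""
    src = ipaddress.ip_address(pkt.src)
    if src in ipaddress.ip_network(inside_prefix) or any(src in n for n in SPECIAL_USE_V4):
        return "drop"
    return "pass"

def hop_count_filter(pkt, ip2hc, tolerance=0):
    """Hop-count filtering: a mismatch between inferred and learned hop count means the
    source address is likely spoofed."""
    expected = ip2hc.get(pkt.src)
    if expected is None:
        return "unknown"  # no history for this source; leave it to the other cores
    return "pass" if abs(hop_count_from_ttl(pkt.ttl) - expected) <= tolerance else "drop"

def classify(pkt, inside_prefix, ip2hc):
    """Combine the cooperating cores conservatively: any drop verdict drops the packet."""
    if ingress_filter(pkt, inside_prefix) == "drop":
        return "drop"
    return hop_count_filter(pkt, ip2hc)
```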
