FPGA-Based Multiple DDoS Countermeasure Mechanisms System Using Partial Dynamic Reconfiguration

In this paper, we propose an FPGA-based high-speed DDoS countermeasure system that can adapt to changing DDoS attacks while maintaining line-rate performance. The system consists of a packet decoder module and multiple DDoS countermeasure mechanisms. Dynamic partial reconfiguration is applied so that individual countermeasure mechanisms can be replaced or updated on the fly. The proposed architecture separates the DDoS protection modules (which implement the countermeasure techniques) from the packet decoder module, so that one protection module can be reconfigured without interfering with the decoder or the other protection modules. The system is implemented on a NetFPGA-10G board. Synthesis results show that the design runs at up to 116.782 MHz while using up to 39.9% of the registers and 49.85% of the BlockRAM of the board's Xilinx Virtex-5 XC5VTX240T FPGA. On the evaluated traffic the system achieves a detection rate of 100% (a false negative rate of 0%) with a false positive rate of about 0.16%. The prototype achieves a packet decoding throughput of 9.869 Gbps in half-duplex mode and 19.738 Gbps in full-duplex mode.
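The following is an added software model of the architecture described above; it is not the paper's RTL and is included only to make the separation between the static decoder and the swappable protection modules concrete. The decoder parses Ethernet II/IPv4/TCP headers once, and each countermeasure lives in a numbered slot that can be replaced at run time without touching the decoder or the other slots, which is the property dynamic partial reconfiguration gives the hardware design. The two example modules (a hop-count filter and a SYN/FIN imbalance detector) are simplified stand-ins chosen for illustration; the abstract does not state which mechanisms the paper implements, and the test frames are constructed inline.

```python
"""Added illustration: a fixed packet decoder feeding pluggable countermeasure slots.

Not the paper's hardware; the module choices and thresholds are assumptions.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10


@dataclass
class DecodedPacket:
    src_ip: str
    dst_ip: str
    ttl: int
    proto: int
    tcp_flags: int  # 0 for non-TCP packets


def decode(frame: bytes) -> Optional[DecodedPacket]:
    """Static decoder: Ethernet II + IPv4 (+ TCP flags). None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return None
    ttl, proto = ip[8], ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    flags = 0
    if proto == 6 and len(ip) >= ihl + 14:  # TCP flags byte sits at offset 13
        flags = ip[ihl + 13] & 0x3F
    return DecodedPacket(src, dst, ttl, proto, flags)


class Countermeasure:
    """Interface every slot module implements: True means drop this packet."""

    def inspect(self, pkt: DecodedPacket) -> bool:
        raise NotImplementedError


class HopCountFilter(Countermeasure):
    """Simplified hop-count filtering: infer hops from TTL, compare to a learned table."""

    INITIAL_TTLS = (32, 64, 128, 255)  # common OS initial TTLs (assumption)

    def __init__(self, expected: Dict[str, int], tolerance: int = 0):
        self.expected = expected
        self.tolerance = tolerance

    @staticmethod
    def hop_count(ttl: int) -> int:
        initial = min(t for t in HopCountFilter.INITIAL_TTLS if t >= ttl)
        return initial - ttl

    def inspect(self, pkt: DecodedPacket) -> bool:
        want = self.expected.get(pkt.src_ip)
        if want is None:
            return False  # unknown source: no basis to judge spoofing
        return abs(self.hop_count(pkt.ttl) - want) > self.tolerance


class SynFloodDetector(Countermeasure):
    """Per-destination SYN minus FIN balance; crude stand-in for SYN-flood detection."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.balance: Dict[str, int] = {}

    def inspect(self, pkt: DecodedPacket) -> bool:
        if pkt.proto != 6:
            return False
        if pkt.tcp_flags & TCP_SYN and not pkt.tcp_flags & TCP_ACK:
            self.balance[pkt.dst_ip] = self.balance.get(pkt.dst_ip, 0) + 1
        elif pkt.tcp_flags & TCP_FIN:
            self.balance[pkt.dst_ip] = self.balance.get(pkt.dst_ip, 0) - 1
        return self.balance.get(pkt.dst_ip, 0) > self.threshold


class Pipeline:
    """Decoder plus N reconfigurable slots, checked in slot order."""

    def __init__(self, slots: int):
        self.slots: List[Optional[Countermeasure]] = [None] * slots

    def reconfigure(self, slot: int, module: Optional[Countermeasure]) -> None:
        """Swap one slot; decoder and other slots keep running untouched."""
        self.slots[slot] = module

    def process(self, frame: bytes) -> str:
        pkt = decode(frame)
        if pkt is None:
            return "pass"
        for i, mod in enumerate(self.slots):
            if mod is not None and mod.inspect(pkt):
                return f"drop:slot{i}"
        return "pass"


def make_frame(src: str, dst: str, ttl: int, flags: int = 0, proto: int = 6) -> bytes:
    """Constructed test frame: Ethernet II + minimal IPv4 + 20-byte TCP header."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, proto, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return eth + ip + tcp
```

Because each module only sees the decoder's output, a slot can be emptied or replaced mid-stream (as in `reconfigure`) while the remaining slots keep filtering; the `drop:slotN` verdict shows which mechanism fired, which is the kind of per-module attribution a practitioner needs when tuning false-positive rates.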
