1 a tcam-based solution for integrated traffic anomaly detection and policy filtering author: zhijun...
TRANSCRIPT
![Page 1: 1 A TCAM-based solution for integrated traffic anomaly detection and policy filtering Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang Publisher:](https://reader036.vdocuments.us/reader036/viewer/2022070411/56649cc35503460f9498b9a4/html5/thumbnails/1.jpg)
A TCAM-based solution for integrated traffic anomaly detection and policy filtering
Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang
Publisher: Computer Communications 2009
Presenter: Hsin-Mao Chen
Date: 2009/9/30
Outline
Introduction
Background
Architecture
Data Structures
Packet Processing
Performance
Introduction
Distributed Denial of Service (DDoS) attacks are a major threat to the Internet.
TCP-based DDoS attacks that use spoofed source IP addresses are detected at the edge router by two-dimensional (2D) matching.
Background
Two-dimensional (2D) matching
A normal TCP flow from one end host to another should have a corresponding flow in the reverse direction; a flow whose reverse flow never appears (as with a spoofed source address, where the replies go elsewhere) is the anomaly that 2D matching detects.
Background
TCP Packet Header (fields shown on the slide; widths in bits)
Source Port Number (16) | Destination Port Number (16)
Sequence Number (32)
Header Length (4) | Unused (6) | URG | ACK | PSH | RST | SYN | FIN | Window Size (16)
Background
Three-Way Handshake (figure: client and server timelines)
Messages labelled on the slide: FIN, FIN+ACK, ACK. Note that this FIN / FIN+ACK / ACK sequence is the connection-termination exchange, not the SYN handshake the slide title names; it is the exchange the flow table later uses to retire a pair of completed flows.
Architecture
Data Structures
Format of action code
Rule type (1 bit): (0) policy filter rule / (1) flow identity
Local CPU (1 bit): (0) not passed to the local CPU / (1) passed to the local CPU
Forwarding action
Flow index into the flow table located in the local CPU
Free bits
Data Structures
Format of flow table in the local CPU
State (2 bits): (00) empty entry / (01) unmatched existing flow / (10) expected flow / (11) matching existing flow
FIN and ACK bits: used to terminate a pair of completed flows
Flow location in the TCAM rule table
Timers: Talm, Tidl, Trmv (alarm, idle and removal timers, as the names indicate)
Packet Processing
Packet in new flow
<1.2.3.4, 5.6.7.8, 80, 1028, 6>  (source IP, destination IP, source port, destination port, protocol; 6 = TCP)
No TCAM entry matches, so a flow-identity rule for this flow is written to the TCAM table and an entry (state 01, unmatched) to the flow table, together with an entry for the expected reverse flow (state 10).
Packet Processing
Packet in expected flow
<5.6.7.8, 1.2.3.4, 1028, 80, 6>  (the reverse of the new flow above)
It hits the TCAM table entry installed for the expected flow; the pair moves to state 11 (matching existing flows).
Packet Processing
Packet in matched flow
It hits the TCAM table entry of an existing matched flow and is forwarded according to the entry's action code.
Packet Processing
Packet with FIN and/or ACK bit set
The FIN, FIN+ACK, ACK exchange marks the pair of flows as completed, and their entries are removed from the TCAM table and the flow table.
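The four packet-processing cases on the slides (new flow, expected flow, matched flow, FIN/ACK teardown), together with the TCP header fields from the Background slides, as one added software model. This is example code written for this page, not the authors' implementation: the TCAM rule table and the local-CPU flow table are collapsed into a single Python dict, only flow-identity rules are modelled (no policy filter rules), the timer semantics (Talm alarms an unmatched flow whose reverse flow has not appeared, Tidl expires an idle pair, Trmv removes a pair after both directions sent FIN) are assumptions made here, and the packets are constructed inline.

```python
"""Software model of the slides' two-dimensional (2D) flow matching.

Added example, not the paper's code. Assumed timer semantics: an unmatched
flow with no reverse flow within t_alm is alarmed (suspected spoofed source);
a matched pair is removed t_rmv after both sides sent FIN, or after t_idl idle.
"""
import struct
from dataclasses import dataclass, field

EMPTY, UNMATCHED, EXPECTED, MATCHED = 0b00, 0b01, 0b10, 0b11  # flow-table states
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10                   # TCP flag bits


def build_packet(src, dst, sport, dport, flags, proto=6):
    """Constructed minimal IPv4 + TCP packet (no options, zero checksums)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


def parse_headers(pkt):
    """Return the <src, dst, sport, dport, proto> flow key and the TCP flag byte."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (src, dst, sport, dport, pkt[9]), pkt[ihl + 13]


def reverse(key):
    """Key of the flow in the other direction (swap addresses and ports)."""
    return (key[1], key[0], key[3], key[2], key[4])


@dataclass
class FlowEntry:
    state: int
    created: float
    last_seen: float
    fin_seen: bool = False


@dataclass
class TwoDMatcher:
    t_alm: float  # alarm timer (assumed: reverse flow must appear within this)
    t_idl: float  # idle timer
    t_rmv: float  # removal delay after the FIN exchange
    flows: dict = field(default_factory=dict)  # TCAM rule table + flow table, collapsed
    alarms: list = field(default_factory=list)

    def _remove_pair(self, key):
        self.flows.pop(key, None)
        self.flows.pop(reverse(key), None)

    def process(self, pkt, now):
        """Handle one packet; returns the flow-table state after processing."""
        key, flags = parse_headers(pkt)
        entry = self.flows.get(key)
        if entry is None:
            # Packet in new flow: insert it as unmatched and install the expected reverse flow.
            self.flows[key] = FlowEntry(UNMATCHED, now, now)
            self.flows[reverse(key)] = FlowEntry(EXPECTED, now, now)
            return UNMATCHED
        peer = self.flows[reverse(key)]
        if entry.state == EXPECTED:
            entry.state = peer.state = MATCHED  # packet in expected flow: pair is matched
        entry.last_seen = peer.last_seen = now  # packet in matched (or still unmatched) flow
        if flags & TCP_FIN:
            entry.fin_seen = True               # FIN from this direction
        return entry.state

    def tick(self, now):
        """Expire timers; returns the flow keys alarmed on this tick."""
        alarmed = []
        for key, e in list(self.flows.items()):
            if key not in self.flows:
                continue  # already removed together with its peer
            peer = self.flows[reverse(key)]
            if e.state == UNMATCHED and now - e.created >= self.t_alm:
                alarmed.append(key)      # reverse flow never came: suspected spoofed source
                self._remove_pair(key)
            elif e.fin_seen and peer.fin_seen and now - e.last_seen >= self.t_rmv:
                self._remove_pair(key)   # completed FIN / FIN+ACK / ACK teardown
            elif now - e.last_seen >= self.t_idl:
                self._remove_pair(key)   # idle pair
        self.alarms.extend(alarmed)
        return alarmed


def demo():
    m = TwoDMatcher(t_alm=3.0, t_idl=60.0, t_rmv=1.0)
    # Legitimate connection (constructed): both directions seen, then a FIN exchange.
    m.process(build_packet("1.2.3.4", "5.6.7.8", 80, 1028, TCP_SYN), 0.0)
    m.process(build_packet("5.6.7.8", "1.2.3.4", 1028, 80, TCP_SYN | TCP_ACK), 0.1)
    # Spoofed-source SYN to the same server (constructed): its reverse flow never appears.
    m.process(build_packet("10.9.8.7", "5.6.7.8", 4444, 80, TCP_SYN), 1.0)
    m.process(build_packet("1.2.3.4", "5.6.7.8", 80, 1028, TCP_FIN), 5.0)
    m.process(build_packet("5.6.7.8", "1.2.3.4", 1028, 80, TCP_FIN | TCP_ACK), 5.1)
    m.process(build_packet("1.2.3.4", "5.6.7.8", 80, 1028, TCP_ACK), 5.2)
    m.tick(6.5)
    return m
```

`demo()` ends with the legitimate pair retired by Trmv and the spoofed flow alarmed by Talm. The same model shows where the false-alarm probability on the Performance slide comes from: a legitimate flow whose reverse packet is delayed past `t_alm` (try a reply at 3.5 s with `t_alm=3.0`) is alarmed exactly like the spoofed one, so Talm trades detection delay against false alarms.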
Performance
False alarm probability
$P_{false} = (1-p)^{n-1}\,p$
Performance
Average time for an attack to be monitored (plots for Trace 1 and Trace 2)
Performance
Number of falsely alarmed flows per second