
A TCAM-based solution for integrated traffic anomaly detection and policy filtering

Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang

Publisher: Computer Communications 2009

Presenter: Hsin-Mao Chen

Date: 2009/9/30


Outline

Introduction

Background

Architecture

Data Structures

Packet Processing

Performance


Introduction

Distributed Denial of Service (DDoS) attacks are the major threats to the Internet.

TCP-based DDoS attacks that use spoofed source IP addresses are detected at the edge router through two-dimensional matching.


Background

Two-dimensional (2D) matching

A normal TCP flow generated from one end host to another should have a corresponding flow from the other direction.


TCP Packet Header (figure; field widths in bits): Source Port Number (16), Destination Port Number (16), Sequence Number (32), Header Length (4), Unused (6), flag bits URG, ACK, PSH, RST, SYN, FIN, Window Size (16), followed by header data.


Three Way Handshake (figure): client and server time lines, with the connection teardown exchange FIN, FIN+ACK, ACK.


Architecture


Data Structures

Format of action code

- (0) Policy Filter Rule / (1) Flow Identity
- (0) Not passed to the local CPU / (1) Passed to the local CPU
- Forwarding Action
- Flow index in the flow table located in the local CPU
- Free bits


Format of flow table in the local CPU

- State bits: (00) Empty Entry, (01) Unmatched existing flow, (10) Expected flow, (11) Matching existing flow
- FIN and ACK bits, used to terminate a pair of completed flows
- Flow location in the TCAM rule table
- Timers: Talm, Tidl, Trmv


Packet Processing

Packet in new flow: <1.2.3.4, 5.6.7.8, 80, 1028, 6>

(figure: TCAM table and flow table)


Packet in expected flow: <5.6.7.8, 1.2.3.4, 1028, 80, 6>

(figure: TCAM table)


Packet in matched flow

(figure: TCAM table)


Packet with FIN and/or ACK bit set

(figure: TCAM table; teardown sequence FIN, FIN+ACK, ACK)
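The following is a software model of the flow-table state machine sketched on the Data Structures and Packet Processing slides, added here as an illustration; it is not the paper's implementation. The TCAM lookup is replaced by a dictionary keyed on the five-tuple, the state encodings (00/01/10/11) and the timer names Talm and Tidl come from the slides, and the transition and timer semantics are assumptions: a flow that stays unmatched for Talm raises an alarm (one-way traffic, the signature of a spoofed-source flood), a matched pair idle for Tidl is removed, a pair is terminated on the final ACK after both sides have sent FIN, and Trmv is not modelled. The sample packets, including the flood at the end of `demo()`, are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Five-tuple flow key in the slides' order: <src IP, dst IP, src port, dst port, protocol>
FlowKey = Tuple[str, str, int, int, int]

# Two state bits of a flow-table entry, as listed on the "Format of flow table" slide
EMPTY, UNMATCHED, EXPECTED, MATCHED = "00", "01", "10", "11"


def reverse_key(key: FlowKey) -> FlowKey:
    """The flow in the opposite direction: swap addresses and ports, keep the protocol."""
    src, dst, sport, dport, proto = key
    return (dst, src, dport, sport, proto)


@dataclass
class FlowEntry:
    state: str
    fin_seen: bool = False   # this direction has sent FIN
    created: float = 0.0     # for the alarm timer Talm
    last_seen: float = 0.0   # for the idle timer Tidl


class TwoDMatcher:
    """Model of the local-CPU flow table doing 2D matching (assumed semantics)."""

    def __init__(self, t_alm: float, t_idl: float) -> None:
        self.t_alm = t_alm
        self.t_idl = t_idl
        self.table: Dict[FlowKey, FlowEntry] = {}
        self.alarms: List[FlowKey] = []

    def process(self, key: FlowKey, flags: Set[str], now: float) -> str:
        """Handle one packet; returns the case it fell into (for inspection only)."""
        entry = self.table.get(key)
        if entry is None:
            # Packet in a new flow: record it as unmatched and install the reverse
            # five-tuple as an expected flow so the peer's reply can be recognised.
            self.table[key] = FlowEntry(UNMATCHED, created=now, last_seen=now)
            self.table[reverse_key(key)] = FlowEntry(EXPECTED, created=now, last_seen=now)
            return "new"
        rev = self.table[reverse_key(key)]
        entry.last_seen = rev.last_seen = now
        if entry.state == EXPECTED:
            # Packet in an expected flow: traffic now exists in both directions,
            # so both entries become a matching existing flow.
            entry.state = rev.state = MATCHED
            return "expected->matched"
        if "FIN" in flags:
            entry.fin_seen = True
        elif "ACK" in flags and entry.fin_seen and rev.fin_seen:
            # Both sides have sent FIN and the final ACK arrived: the pair is complete.
            del self.table[key]
            del self.table[reverse_key(key)]
            return "terminated"
        return "matched" if entry.state == MATCHED else "unmatched"

    def expire(self, now: float) -> List[FlowKey]:
        """Run the timers; returns the flows alarmed in this pass."""
        alarmed: List[FlowKey] = []
        for key in list(self.table):
            entry = self.table.get(key)
            if entry is None:          # already removed as the other half of a pair
                continue
            rev = reverse_key(key)
            if entry.state == UNMATCHED and now - entry.created >= self.t_alm:
                # No reply within Talm: one-way traffic, raise an alarm and drop the pair.
                alarmed.append(key)
                self.alarms.append(key)
                self.table.pop(key, None)
                self.table.pop(rev, None)
            elif entry.state == MATCHED and now - entry.last_seen >= self.t_idl:
                self.table.pop(key, None)
                self.table.pop(rev, None)
        return alarmed


def demo() -> dict:
    """Walk the slides' example flow through the table, then a constructed spoofed flood."""
    m = TwoDMatcher(t_alm=5.0, t_idl=60.0)
    a = ("1.2.3.4", "5.6.7.8", 80, 1028, 6)    # the slides' example new flow
    b = reverse_key(a)                           # <5.6.7.8, 1.2.3.4, 1028, 80, 6>
    r = {}
    r["first"] = m.process(a, {"SYN"}, 0.0)           # new
    r["reply"] = m.process(b, {"SYN", "ACK"}, 0.1)    # expected->matched
    r["data"] = m.process(a, {"ACK"}, 0.2)            # matched
    m.process(a, {"FIN", "ACK"}, 1.0)                 # FIN
    m.process(b, {"FIN", "ACK"}, 1.1)                 # FIN+ACK
    r["close"] = m.process(a, {"ACK"}, 1.2)           # ACK -> terminated
    # Constructed flood: SYNs from sources that never answer, so no expected flow is ever hit.
    for i in range(3):
        m.process((f"10.0.0.{i}", "5.6.7.8", 40000 + i, 80, 6), {"SYN"}, 2.0)
    r["alarms"] = len(m.expire(10.0))                 # Talm elapsed for all three
    r["table_size"] = len(m.table)
    return r


if __name__ == "__main__":
    print(demo())
```

The detection step is `expire()`: a legitimate connection hits its expected reverse entry within one round trip, whereas a flow whose source is spoofed never does, so it ages out of the unmatched state into an alarm. Real deployments would key the alarm on counts per destination rather than per flow, which the slides' later "falsely alarmed flows per second" plot is measuring.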


Performance

False alarm probability

$P_{false} = (1-p)^{n-1} p$


Average time for an attack to be monitored

(figure: results for Trace 1 and Trace 2)


Number of falsely alarmed flows per second
