Presentation on theme: "1 A TCAM-based solution for integrated traffic anomaly detection and policy filtering Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang Publisher:"— Presentation transcript:
1 A TCAM-based solution for integrated traffic anomaly detection and policy filtering Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang Publisher: Computer Communications 2009 Presenter: Hsin-Mao Chen Date:2009/9/30
3 Introduction Distributed Denial of Service (DDoS) attacks are the major threats to the Internet. The TCP-base DDoS attacks using spoofed source IP address are detected in the edge router through two-dimensional matching.
4 Background Two-dimensional(2D) matching A normal TCP flow generated from one end host to another should have a corresponding flow from the other direction.
6 TCP Packet Header Source Port Number(16)Destination Port Number(16) Sequence number(32) Head len(4) Unused (6) URGURG ACKACK PSHPSH RSTRST SYNSYN FINFIN Window Size(16) HeaderData (bit)
7 Background Three Way Handshake ClientServer Time FIN FIN+ACK ACK
9 Data Structures Format of action code (0)Policy Filter Rule (1)Flow Identity (0)Not Pass to the local CPU (1)Pass to the local CPU Forwarding ActionFlow index in the flow table located in the local CPU Free bits
10 Data Structures Format of flow table in the local CPU (00)Empty Entry (01)Unmatched existing flow (10)Excepted flow (11)Matching existing flow FIN and ACK bits are used to terminate a pair of completed flows Flow location in the TCAM rule table Timer: T alm, T idl, T rmv
11 Packet Processing Packet in new flow TCAM table Flow table
12 Packet Processing Packet in expected flow TCAM table
13 Packet Processing Packet in matched flow TCAM table
14 Packet Processing Packet with FIN and/or ACK bit set TCAM table FIN FIN+ACK ACK
15 Performance False alarm probability P false =(1-p) n-1 p
16 Performance Average time an attack to be monitored Trace 1Trace 2
17 Performance Number of falsely alarmed flows per second