A TCAM-based solution for integrated traffic anomaly detection and policy filtering
Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang


1 A TCAM-based solution for integrated traffic anomaly detection and policy filtering
Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang
Publisher: Computer Communications 2009
Presenter: Hsin-Mao Chen
Date: 2009/9/30

2 Outline
- Introduction
- Background
- Architecture
- Data Structures
- Packet Processing
- Performance

3 Introduction
Distributed Denial of Service (DDoS) attacks are major threats to the Internet. TCP-based DDoS attacks that use spoofed source IP addresses are detected in the edge router through two-dimensional matching.

4 Background
Two-dimensional (2D) matching: A normal TCP flow generated from one end host to another should have a corresponding flow from the other direction.

5 Background

6 TCP Packet Header (field widths in bits)
- Source Port Number (16), Destination Port Number (16)
- Sequence number (32)
- Head len (4), Unused (6), flags URG, ACK, PSH, RST, SYN, FIN, Window Size (16)
- Header, followed by Data

7 Background
Three Way Handshake (figure: Client and Server timelines over Time, exchanging FIN, FIN+ACK, ACK)

8 Architecture

9 Data Structures
Format of action code:
- (0) Policy Filter Rule, (1) Flow Identity
- (0) Not Pass to the local CPU, (1) Pass to the local CPU
- Forwarding Action
- Flow index in the flow table located in the local CPU
- Free bits

10 Data Structures
Format of flow table in the local CPU:
- State: (00) Empty entry, (01) Unmatched existing flow, (10) Expected flow, (11) Matching existing flow
- FIN and ACK bits are used to terminate a pair of completed flows
- Flow location in the TCAM rule table
- Timer: $T_{alm}$, $T_{idl}$, $T_{rmv}$

11 Packet Processing
Packet in new flow (figure: TCAM table, Flow table)

12 Packet Processing
Packet in expected flow (figure: TCAM table)

13 Packet Processing
Packet in matched flow (figure: TCAM table)

14 Packet Processing
Packet with FIN and/or ACK bit set (figure: TCAM table; FIN, FIN+ACK, ACK)
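
The flow states and the new, expected and matched packet cases from the slides above, modeled in software as an added example (not code from the presentation or the paper). The names `FlowTable`, `on_packet`, `alarms` and `reverse` are hypothetical, a Python dict stands in for the TCAM rule table and CPU flow table, and reading T_alm as the wait before an unmatched flow raises an alarm is an assumption, as is its value; FIN/ACK teardown and the other two timers are left out.

```python
from dataclasses import dataclass

# State codes from the flow-table slide. T_ALM's meaning and value are assumed.
EMPTY, UNMATCHED, EXPECTED, MATCHED = 0b00, 0b01, 0b10, 0b11
T_ALM = 3.0  # assumed: seconds an unmatched flow may wait for reverse traffic

@dataclass
class Flow:
    state: int
    first_seen: float

def reverse(key):
    """Return the 4-tuple of the opposite direction of a flow."""
    src, sport, dst, dport = key
    return (dst, dport, src, sport)

class FlowTable:
    def __init__(self):
        self.flows = {}  # (src, sport, dst, dport) -> Flow

    def on_packet(self, key, now):
        """Update the table for one TCP packet; return the flow's state."""
        flow = self.flows.get(key)
        if flow is None:
            # New flow: store it as unmatched, install the reverse as expected.
            self.flows[key] = Flow(UNMATCHED, now)
            self.flows[reverse(key)] = Flow(EXPECTED, now)
            return UNMATCHED
        if flow.state == EXPECTED:
            # Reverse traffic arrived: both directions become matched.
            flow.state = MATCHED
            self.flows[reverse(key)].state = MATCHED
        return flow.state

    def alarms(self, now):
        """Return unmatched flows that have waited longer than T_ALM."""
        return [k for k, f in self.flows.items()
                if f.state == UNMATCHED and now - f.first_seen > T_ALM]

def demo():
    # Constructed packets; the second flow's claimed source never replies.
    table = FlowTable()
    client = ("10.0.0.5", 40000, "192.0.2.10", 80)
    spoofed = ("198.51.100.7", 1234, "192.0.2.10", 80)
    for now, key in [(0.0, client), (0.1, reverse(client)), (0.2, spoofed)]:
        table.on_packet(key, now)
    return table.alarms(5.0)
```
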

15 Performance
False alarm probability: $P_{false} = (1-p)^{n-1} p$

16 Performance
Average time for an attack to be monitored (figure: Trace 1, Trace 2)

17 Performance
Number of falsely alarmed flows per second

