RotoRouter: Router Support for Endpoint-Authorized Decentralized Traffic Filtering to Prevent DoS Attacks
Albert Kwon, Kaiyu Zhang,
Perk Lun Lim, Yuchen Pan,
Jonathan M. Smith, and André DeHon
Proceedings of the IEEE International Conference on Field-Programmable Technology,
(FPT, December 10--12, 2014)
RotoRouter addresses Denial-of-Service (DoS) attacks on networks with
a novel protocol and router implementation. Sets of RotoRouters
cooperate in detecting and filtering out invalid network traffic
before it reaches network endpoints; a new router-enforceable
connection protocol queries destination endpoints
to authorize traffic flows
and uses per-packet
digital signatures to distinguish allowed from disallowed connections.
A RotoRouter prototype was implemented on a four-port 1000BASE-T
NetFPGA-10G platform and supports 1024 simultaneous active connections
using 74 BRAMs (less than one quarter of the available NetFPGA-10G
BRAMs). It is able to sustain 800Mbps per port throughputs for 1500B packets
with less than 0.3 microsecond latency, even during a DoS attack. With
additional logic and memory resources, the required validation and
switching operations scale to port speeds in excess of 10Gbps and
links with more than 10,000 active flows.
© 2014 IEEE. Personal use of this material is
permitted. However, permission to reprint/republish this material
for advertising or promotional purposes or for creating new
collective works for resale or redistribution to servers or lists,
or to reuse any copyrighted component of this work in other works
must be obtained from the IEEE.
This material is presented to ensure timely
dissemination of scholarly and technical work. Copyright and all
rights therein are retained by authors or by other copyright
holders. All persons copying this information are expected to
adhere to the terms and constraints invoked by each author's
copyright. In most cases, these works may not be reposted without
the explicit permission of the copyright holder.
(IEEE Copyright)
|
