Abstract

Can software-based packet filters effectively dampen volumetric distributed denial-of-service (DDoS) streams in an era when 10 Gbps links are considered slow? The potential of longest prefix matching (LPM) for enforcing precise DDoS scrubbing policies seems to be overlooked in contemporary packet filtering datapaths, and in this paper, we argue that this should not be the case by showing that effective whitelist / blacklist LPM-based filtering can be performed with commodity hardware. A showcase datapath we propose can evaluate multiple queries in large separate LPM databases for each forwarded 64-byte packet, while sustaining 10 Gbps line rate on a single CPU core, with a healthy scaling potential due to its lockless architecture and small memory footprint of LPM structures. We demonstrated forwarding 64 million packets per second using only six CPU cores while performing independent lookups for each packet in three large LPM databases created by aggregating malicious IP addresses or by mapping different geolocation identifiers to IPv4 prefixes.

Highlights

  • The proliferation of still predominantly IPv4-based volumetric/flooding distributed denial-of-service (DDoS) attacks [1], which are exploiting the openness and simplicity of the Internet’s addressing and routing architecture, is placing an increasing burden on Internet service providers (ISP) and datacenter operators

  • Our goal is to enable filtering at such speeds that instead of blackholing the victim’s address, providers could precisely filter out vast maps of identified or suspected compromised hosts that serve as the originators of the attack

  • The spectrum of contemporary DDoS firefighting practices spans from declaring defeat and blackholing victims’ addresses via BGP in order to reduce disruptions to other parts of the datacenter infrastructure, to filtering in end hosts before packets enter the network stack, which is where much of the current XDP-based development is taking place


Summary

INTRODUCTION

The proliferation of still predominantly IPv4-based volumetric/flooding distributed denial-of-service (DDoS) attacks [1], which are exploiting the openness and simplicity of the Internet’s addressing and routing architecture, is placing an increasing burden on Internet service providers (ISP) and datacenter operators. More recently proposed mechanisms for fast (pre)processing of packets before they get encapsulated and consumed by complex data structures and function call paths in an OS kernel are currently enjoying gigantic momentum: eBPF/XDP [6], [7] are re-exploring the paradigm of safe just-in-time (JIT) translation of packet filtering programs from bytecode form to native machine code [8] within a running. Encouraged by reports of other successful user space network function specializations for speed, such as [3], [13], we designed and implemented our own JIT-compiled user space datapath, which we used as a testbed for tuning and evaluating a handful of recent LPM schemes while having them bombarded with synthetic DDoS-type traffic. We defy the currently prevailing view, which favors placing high-speed packet filtering functions as JIT-compiled modules in an OS kernel, by demonstrating that efficient user space filtering datapaths can be constructed with fewer constraints.
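The abstract and the introduction above describe a datapath that runs several independent longest-prefix-match lookups per packet (a whitelist, a blacklist and a geolocation map) and decides the packet's fate from the results. The following is an added illustration of that policy logic, not code from the paper or its datapath: it uses a plain binary trie in Python (the paper's own LPM schemes and JIT-compiled C datapath are far more elaborate and are not reproduced here). The table names, the prefix values and the sample packets are constructed for the example; the policy order (whitelist overrides blacklist, blacklist drops, everything else is forwarded and tagged with its geolocation label) is an assumption chosen to show how more-specific prefixes win.

```python
import ipaddress
from typing import Any, List, Optional, Tuple


class _Node:
    """One node of a binary (1-bit stride) trie over IPv4 address bits."""
    __slots__ = ("children", "value")

    def __init__(self) -> None:
        self.children: List[Optional["_Node"]] = [None, None]
        self.value: Any = None  # payload stored at a prefix end, None otherwise


class LpmTable:
    """Longest-prefix-match table: walk the trie along the address bits and
    remember the deepest node that carries a value."""

    def __init__(self) -> None:
        self.root = _Node()

    def insert(self, prefix: str, value: Any) -> None:
        net = ipaddress.IPv4Network(prefix, strict=False)
        bits = int(net.network_address)
        node = self.root
        for i in range(net.prefixlen):
            b = (bits >> (31 - i)) & 1
            if node.children[b] is None:
                node.children[b] = _Node()
            node = node.children[b]
        node.value = value

    def lookup(self, addr: str) -> Any:
        a = int(ipaddress.IPv4Address(addr))
        node = self.root
        best = node.value  # a 0.0.0.0/0 entry lives on the root
        for i in range(32):
            node = node.children[(a >> (31 - i)) & 1]
            if node is None:
                break
            if node.value is not None:
                best = node.value  # longer match seen, keep it
        return best


def build_tables() -> Tuple[LpmTable, LpmTable, LpmTable]:
    """Constructed sample databases (all values are placeholders, not real IoCs)."""
    whitelist = LpmTable()
    whitelist.insert("198.51.100.7/32", "monitoring-probe")

    blacklist = LpmTable()
    blacklist.insert("198.51.100.0/24", "botnet-A")
    blacklist.insert("198.51.100.128/25", "botnet-B")  # more specific than /24

    geo = LpmTable()
    geo.insert("0.0.0.0/0", "ZZ")          # default: unknown region
    geo.insert("203.0.113.0/24", "XA")     # constructed region code
    return whitelist, blacklist, geo


def classify(src: str, whitelist: LpmTable, blacklist: LpmTable, geo: LpmTable) -> Tuple[str, str]:
    """Three independent lookups per packet, then a fixed policy order:
    whitelist hit -> forward; blacklist hit -> drop; otherwise forward.
    Returns (verdict, reason)."""
    wl = whitelist.lookup(src)
    if wl is not None:
        return ("forward", f"whitelist:{wl}")
    bl = blacklist.lookup(src)
    if bl is not None:
        return ("drop", f"blacklist:{bl}")
    return ("forward", f"geo:{geo.lookup(src)}")


def filter_packets(src_addrs: List[str]) -> List[Tuple[str, str, str]]:
    """Run the policy over a batch of source addresses; returns (src, verdict, reason)."""
    wl, bl, geo = build_tables()
    return [(src, *classify(src, wl, bl, geo)) for src in src_addrs]


if __name__ == "__main__":
    # Constructed sample traffic: one whitelisted host inside a blacklisted /24,
    # one host in the /25 that should match the more specific entry, and so on.
    for row in filter_packets(["198.51.100.7", "198.51.100.200", "198.51.100.9", "203.0.113.5", "192.0.2.1"]):
        print(row)
```

The point to take from the example is in `classify`: each table is consulted on its own, and the answer to "is this source inside a blocked prefix?" is the longest matching entry, so `198.51.100.200` is attributed to the `/25` rather than the enclosing `/24`, while the single `/32` whitelist entry still overrides both. A production datapath would replace the pointer-chasing trie with one of the compact LPM structures the paper evaluates, but the per-packet decision flow is the same.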

LONGEST PREFIX MATCHING
RELATED WORK
Findings
CONCLUSION
