TY - GEN
T1 - Building a Traffic Policer for DDoS Mitigation on Top of Commodity Hardware
AU - Kirdan, Erkin
AU - Raumer, Daniel
AU - Emmerich, Paul
AU - Carle, Georg
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/11/9
Y1 - 2018/11/9
N2 - Traffic policing is the process of ensuring that network traffic complies with its policies, using methods such as traffic shaping. As the distribution of sources involved in a DDoS attack differs significantly from the typical distribution of customers of a web service, traffic shapers and policers can be used for DDoS mitigation. In the past, software-based middleboxes such as traffic shapers were easily overloaded and therefore became a vulnerability during DDoS attacks themselves. Although recent advances in network stack design on commodity hardware have increased performance, the software on top of the network stack also needs to provide adequate throughput and scalability with respect to the number of limited subnets. Therefore, we built a high-performance and scalable traffic policer called MoonPol and evaluated it in a DDoS mitigation scenario. MoonPol runs on any commodity hardware, takes advantage of the underlying framework, DPDK, and combines it with appropriate algorithms and data structures. Data structures for efficient lookups are implemented together with the token bucket algorithm to police traffic at the granularity of fine-grained IP address ranges. Benchmarking results show that the single-core throughput of the policer running on a 3.2 GHz CPU is 6.5 Mpps while limiting 1 million subnets, i.e., 492 CPU cycles per packet. With the 250K subnets of all countries in the world, the throughput is 6.66 Mpps.
AB - Traffic policing is the process of ensuring that network traffic complies with its policies, using methods such as traffic shaping. As the distribution of sources involved in a DDoS attack differs significantly from the typical distribution of customers of a web service, traffic shapers and policers can be used for DDoS mitigation. In the past, software-based middleboxes such as traffic shapers were easily overloaded and therefore became a vulnerability during DDoS attacks themselves. Although recent advances in network stack design on commodity hardware have increased performance, the software on top of the network stack also needs to provide adequate throughput and scalability with respect to the number of limited subnets. Therefore, we built a high-performance and scalable traffic policer called MoonPol and evaluated it in a DDoS mitigation scenario. MoonPol runs on any commodity hardware, takes advantage of the underlying framework, DPDK, and combines it with appropriate algorithms and data structures. Data structures for efficient lookups are implemented together with the token bucket algorithm to police traffic at the granularity of fine-grained IP address ranges. Benchmarking results show that the single-core throughput of the policer running on a 3.2 GHz CPU is 6.5 Mpps while limiting 1 million subnets, i.e., 492 CPU cycles per packet. With the 250K subnets of all countries in the world, the throughput is 6.66 Mpps.
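The abstract describes the two building blocks of the policer: a per-subnet token bucket and a lookup structure that maps a packet's source address to the most specific configured subnet. The following Python model is an added illustration and is not MoonPol's code (MoonPol is written on top of DPDK and libmoon/Lua, and the abstract does not name the lookup structure it uses). The longest-prefix match here is a plain scan over prefix lengths, chosen for readability rather than speed; the `cycles_per_packet` helper only reproduces the arithmetic behind the "492 cycles per packet" figure (3.2 GHz / 6.5 Mpps). Sources with no configured subnet are forwarded without limit, which is an assumption of this example, not something the paper states.

```python
"""Per-subnet token-bucket policer with longest-prefix-match lookup.

Illustrative model of the mechanism described in the MoonPol abstract;
not the project's own code. Timestamps are seconds as floats.
"""
import ipaddress
from typing import Dict, Optional, Tuple


class TokenBucket:
    """Single-rate token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate: float, burst: float, now: float = 0.0) -> None:
        self.rate = rate
        self.burst = burst
        self.tokens = burst      # start full so a short burst is admitted
        self.last = now

    def conform(self, now: float, cost: float = 1.0) -> bool:
        """Refill for the elapsed time, then try to spend `cost` tokens."""
        if now > self.last:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
            self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class SubnetPolicer:
    """Maps source subnets to token buckets; lookup is longest-prefix match."""

    def __init__(self) -> None:
        # (ip version, prefix length) -> {masked network as int -> bucket}
        self._tables: Dict[Tuple[int, int], Dict[int, TokenBucket]] = {}

    def add_subnet(self, cidr: str, rate: float, burst: float, now: float = 0.0) -> None:
        net = ipaddress.ip_network(cidr, strict=True)
        key = (net.version, net.prefixlen)
        self._tables.setdefault(key, {})[int(net.network_address)] = TokenBucket(rate, burst, now)

    def lookup(self, src: str) -> Optional[Tuple[str, TokenBucket]]:
        """Return (matched subnet, bucket) for the most specific prefix, or None."""
        addr = ipaddress.ip_address(src)
        a = int(addr)
        # Try the longest prefix first so a /16 overrides an enclosing /8.
        for version, plen in sorted(self._tables, key=lambda k: k[1], reverse=True):
            if version != addr.version:
                continue
            mask = ((1 << plen) - 1) << (addr.max_prefixlen - plen)
            bucket = self._tables[(version, plen)].get(a & mask)
            if bucket is not None:
                return f"{type(addr)(a & mask)}/{plen}", bucket
        return None

    def police(self, src: str, now: float) -> str:
        """Decide 'pass' or 'drop' for one packet from `src` arriving at `now`."""
        hit = self.lookup(src)
        if hit is None:
            return "pass"        # assumption: unlisted sources are not limited
        _, bucket = hit
        return "pass" if bucket.conform(now) else "drop"


def cycles_per_packet(clock_hz: float, packets_per_second: float) -> float:
    """CPU cycles available per packet at a given clock and throughput."""
    return clock_hz / packets_per_second


if __name__ == "__main__":
    # Constructed sample policy: a coarse /8 limit and a tighter /16 inside it.
    policer = SubnetPolicer()
    policer.add_subnet("10.0.0.0/8", rate=2.0, burst=2.0)
    policer.add_subnet("10.1.0.0/16", rate=1.0, burst=1.0)
    for t, src in [(0.0, "10.1.2.3"), (0.0, "10.1.2.3"), (1.0, "10.1.2.3"), (0.0, "192.0.2.1")]:
        print(t, src, policer.police(src, t))
    print("cycles/packet at 3.2 GHz and 6.5 Mpps:", round(cycles_per_packet(3.2e9, 6.5e6)))
```

Each bucket refills lazily from the timestamp of its last update, so idle subnets cost nothing until a packet arrives; this is the usual way to keep per-entry state at a counter and a timestamp when there are a million entries.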
KW - DDoS mitigation
KW - DPDK
KW - Lua
KW - Traffic policing
KW - User space networking
UR - http://www.scopus.com/inward/record.url?scp=85058442059&partnerID=8YFLogxK
U2 - 10.1109/ISNCC.2018.8531043
DO - 10.1109/ISNCC.2018.8531043
M3 - Conference contribution
AN - SCOPUS:85058442059
T3 - 2018 International Symposium on Networks, Computers and Communications, ISNCC 2018
BT - 2018 International Symposium on Networks, Computers and Communications, ISNCC 2018
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2018 International Symposium on Networks, Computers and Communications, ISNCC 2018
Y2 - 19 June 2018 through 21 June 2018
ER -