Building a Traffic Policer for DDoS Mitigation on Top of Commodity Hardware

Erkin Kirdan, Daniel Raumer, Paul Emmerich, Georg Carle

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

4 Scopus citations

Abstract

Traffic policing is the process of ensuring that network traffic complies with its policies, using methods such as traffic shaping. Because the distribution of sources involved in a DDoS attack differs significantly from the typical distribution of customers of a web service, traffic shapers and policers can be used for DDoS mitigation. In the past, software-based middleboxes such as traffic shapers easily became overloaded and therefore a vulnerability to DDoS attacks. Although recent advances in network stack design on commodity hardware have increased performance, the software on top of the network stack also needs to provide adequate throughput and scalability in the number of limited subnets. We therefore built a high-performance and scalable traffic policer called MoonPol and evaluated it in a DDoS mitigation scenario. MoonPol runs on any commodity hardware, takes advantage of the underlying framework, DPDK, and combines it with appropriate algorithms and data structures. Data structures for efficient lookups are implemented together with the token bucket algorithm to police traffic from fine-grained IP address ranges. Benchmarking results show that the single-core throughput of the policer running on a 3.2 GHz CPU is 6.5 Mpps while limiting 1 million subnets, i.e., 492 CPU cycles per packet. With the 250K subnets of all countries in the world, the throughput is 6.66 Mpps.
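As an added illustration of the design the abstract describes (example code written for this page, not MoonPol's own Lua/DPDK implementation): a longest-prefix-match table of subnets whose entries are token buckets, driven by a constructed packet trace. The subnet layout, rates, bursts and addresses are assumptions, and the per-prefix-length dictionaries stand in for whatever lookup structure the paper uses.

```python
import ipaddress

class TokenBucket:
    """Token bucket: refills at `rate_pps` tokens/s up to `burst`; each packet costs one token."""
    def __init__(self, rate_pps, burst):
        self.rate, self.burst = rate_pps, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False  # subnet is out of tokens: packet exceeds its policy
        self.tokens -= 1.0
        return True

class SubnetPolicer:
    """Per-subnet policing with longest-prefix match (constructed example, not MoonPol's tables)."""
    def __init__(self):
        self.tables = {}  # prefix length -> {network address as int -> TokenBucket}

    def add_subnet(self, cidr, rate_pps, burst):
        net = ipaddress.ip_network(cidr)
        self.tables.setdefault(net.prefixlen, {})[int(net.network_address)] = TokenBucket(rate_pps, burst)

    def lookup(self, src_ip):
        addr = int(ipaddress.ip_address(src_ip))
        for plen in sorted(self.tables, reverse=True):  # most specific prefix wins
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            bucket = self.tables[plen].get(addr & mask)
            if bucket is not None:
                return bucket
        return None  # unlisted source: not limited

    def police(self, src_ip, now):
        bucket = self.lookup(src_ip)
        return True if bucket is None else bucket.allow(now)

def run_trace(policer, trace):
    """Apply the policer to (timestamp_s, src_ip) pairs in order; return (forwarded, dropped)."""
    forwarded = sum(1 for ts, src in trace if policer.police(src, ts))
    return forwarded, len(trace) - forwarded

def build_demo_policer():
    """Constructed policy: a /24 limited to 10 pps (burst 5) with a stricter /28 inside it."""
    p = SubnetPolicer()
    p.add_subnet("203.0.113.0/24", rate_pps=10, burst=5)
    p.add_subnet("203.0.113.0/28", rate_pps=2, burst=2)
    return p
```

Feeding `run_trace(build_demo_policer(), [(0.0, "203.0.113.200")] * 20)` a burst of 20 packets from one host in the /24 forwards 5 and drops 15; a host inside the /28 is matched to the more specific, stricter bucket instead.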

Original language: English
Title of host publication: 2018 International Symposium on Networks, Computers and Communications, ISNCC 2018
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic): 9781538637784
DOIs
State: Published - 9 Nov 2018
Event: 2018 International Symposium on Networks, Computers and Communications, ISNCC 2018 - Rome, Italy
Duration: 19 Jun 2018 to 21 Jun 2018

Publication series

Name: 2018 International Symposium on Networks, Computers and Communications, ISNCC 2018

Conference

Conference: 2018 International Symposium on Networks, Computers and Communications, ISNCC 2018
Country/Territory: Italy
City: Rome
Period: 19/06/18 to 21/06/18

Keywords

  • DDoS mitigation
  • DPDK
  • Lua
  • Traffic policing
  • User space networking
