Design And Implementation Of Embedded DDoS Defense System Based On Network Processor

Posted on: 2018-12-04
Degree: Master
Type: Thesis
Country: China
Candidate: H R Tang
GTID: 2348330536483355
Subject: Computer technology
Abstract/Summary:
With the rapid development of the Internet, people's lives are increasingly dependent on networking, so network security has attracted more and more attention in academia and business. The denial of service (DoS) attack is one of the most important network attacks, mainly designed to damage the availability of services, which is one of the properties of security. DoS attacks were discovered many years ago and numerous related works have studied them, but there have been no big breakthroughs in DoS/DDoS defense mechanisms, due to the limitations of the Internet architecture. With the development of cloud computing technology, more and more services will be deployed in the cloud in the near future, so DoS defense becomes very important against this background. Today, the defense mechanisms against DoS attacks have still not made a breakthrough.

Generally, traditional defense technology can be classified into four categories according to the defense stage: attack prevention, attack detection, attack source tracing and attack response. But when DDoS attack traffic is geographically distributed on a large scale and the traffic is covert, traditional defense technology is no longer effective. Hence, the common method of defending against DDoS is to offload the traffic to additional servers that provide the specific services. Besides, with the development of network processors and the improved processing capabilities of the NIC (Network Interface Card), related work shows that part or all of the functions of the network protocol stack can be offloaded to the NIC. Following this idea, this paper proposes a system architecture in which DDoS defense technology is deployed in the network processor, so that the firewall function, originally running on the host side, is offloaded to the NIC (performed by the network processor). The server therefore has more free CPU capacity, memory and bandwidth resources to handle other service requests.

This paper is divided into six sections. The first section introduces the background and the main work of this paper. The second section surveys a variety of DoS attack technologies and DoS defense mechanisms from the perspective of the limitations of the current network architecture. The third section describes the architecture and functions of the system, and the optimization of the DoS defense method for some DoS attacks, such as smurf. The fourth section presents the system implementation on the XLS416 platform. In the fifth section, we test the effectiveness of the system with the Intrusion Detection Evaluation Data Set of DARPA in 2000. The sixth section is the summary and outlook of this paper, and describes some deficiencies of the design and the direction of our future work.
Keywords/Search Tags:DDoS/DoS, Network Processor, Smurf, ACK flood attack, UDP flood attack, XLS416