Detecting DDoS attacks within milliseconds by using FPGA-based hardware acceleration

Nagy, Balázs; Orosz, Péter; Tóthfalusi, Tamás; Kovâcs, László; Varga, Pál

doi:10.1109/noms.2018.8406299

Cited by 15 publications

(14 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Compared to commodity accelerators and co-processors, systems built with FPGA provide the best trade-off between flexibility and computing power, thus gaining much attention in recent years. Nagy et al [28] implement an FPGA-based DDoS detector consisting of a traffic parsing unit and a behavioral detection unit. Baker et al [4] present an FPGA-based IDS to support complex rules with correlated-content constructions.…”

Section: Related Workmentioning

confidence: 99%

“…• Single-task acceleration: Most existing hardware solutions have focused on accelerating only a specific functionality [4,7,28] , particularly the time-consuming regular expression pattern matching. However, it has been shown that even with an infinitely-fast accelerator, single-task acceleration could not achieve desired throughput speedup over the CPU-based software solution nor support the 100Gbps line rate in a single server footprint [46].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Fidas

Chen

Zhang

Wang

et al. 2022

Proceedings of the 49th Annual International Symposium on Computer Architecture

View full text Add to dashboard Cite

Network intrusion detection systems (IDS) are crucial for secure cloud computing, but they are also severely constrained by CPU computation capacity as the network bandwidth increases. Therefore, hardware offloading is essential for the IDS servers to support the ever-growing throughput demand for packet processing. Based on the experience of large-scale IDS deployment, we find the existing hardware offloading solutions have fundamental limitations that prevent them from being massively deployed in the production environment. In this paper, we present Fidas, an FPGA-based intrusion detection offload system that avoids the limitations of the existing hardware solutions by comprehensively offloading the primary NIC, rule pattern matching, and traffic flow rate classification. The pattern matching module in Fidas uses a multi-level filter-based approach for efficient regex processing, and the flow rate classification module employs a novel dual-stack memory scheme to identify the hot flows under volumetric attacks. Our evaluation shows that Fidas achieves the state-of-the-art throughput in pattern matching and flow rate classification while freeing up processors for other security-related functionalities. Fidas is deployed in the production data center and has been battle-tested for its performance, cost-effectiveness, and DevOps agility.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Fidas

Chen

Zhang

Wang

et al. 2022

Proceedings of the 49th Annual International Symposium on Computer Architecture

View full text Add to dashboard Cite

show abstract

“…Higher latency means the solution takes an unusual amount of time to detect traffic changes and employ means to mitigate an ongoing attack. In general, solutions should attempt to reduce attack detection/mitigation latency to minimize the adverse effects of the attack 121,160 . That latency is often closely related to how a detection/mitigation technique is enforced.…”

Section: Challenges and Shortcomingsmentioning

confidence: 99%

“…The investigations that fall in the intermediate perspective 59,78,103,121,126,156 typically assume a deployment at the network edge, before traffic enters the victim's network. Lapolli et al 142 .…”

Section: Solutions Focused On the Data Planementioning

confidence: 99%

See 1 more Smart Citation

A systematic review on distributed denial of service attack defense mechanisms in programmable networks

Dalmazo¹,

Marques

Costa

et al. 2021

Int J Network Mgmt

View full text Add to dashboard Cite

Summary Design flaws and vulnerabilities inherent to network protocols, devices, and services make Distributed Denial of Service (DDoS) a persisting threat in the cyberspace, despite decades of research efforts in the area. The historical vertical integration of traditional IP networks limited the solution space, forcing researchers to tweak network protocols while maintaining global compatibility and proper service to legitimate flows. The advent of Software‐Defined Networking (SDN) and advances in Programmable Data Planes (PDP) changed the state of affairs and brought novel possibilities to deal with such attacks. In summary, the ability of bringing together network intelligence to a control plane, and offloading flow processing tasks to the forwarding plane, opened up interesting opportunities for network security researchers unlike ever. In this article, we dive into recent research that relies on SDN and PDP to detect, mitigate, and prevent DDoS attacks. Our literature review takes into account the SDN layered view as defined in RFC7426 and focuses on the data, control, and application planes. We follow a systematic methodology to capture related articles and organize them into a taxonomy of DDoS defense mechanisms focusing on three facets: activity level, deployment location, and cooperation degree. From the analysis of existing work, we also highlight key research gaps that may foster future research in the field.

show abstract

Background and State-of-the-Art

Kundel

2024

Springer Theses

View full text Add to dashboard Cite

Detecting DDoS attacks within milliseconds by using FPGA-based hardware acceleration

Cited by 15 publications

References 7 publications

Fidas

Fidas

A systematic review on distributed denial of service attack defense mechanisms in programmable networks

Background and State-of-the-Art

Contact Info

Product

Resources

About