NETHCF: Enabling Line-rate and Adaptive Spoofed IP Traffic Filtering

Title: NETHCF: Enabling Line-rate and Adaptive Spoofed IP Traffic Filtering
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Li, Guanyu; Zhang, Menghao; Liu, Chang; Kong, Xiao; Chen, Ang; Gu, Guofei; Duan, Haixin
Conference Name: 2019 IEEE 27th International Conference on Network Protocols (ICNP)
Keywords: adaptive filtering, adaptive filters, adaptive spoofed IP traffic filtering, Bandwidth, computer network security, design adaptive mechanisms, end-to-end routing, HCF system, in-network system, Internet, IP networks, IP popularity, IP-to-Hop-Count mapping table, IP2HC, Kernel, memory resources, memory usage, Metrics, NETHCF, Pipelines, programmable switches, pubcrawl, Resiliency, Scalability, Servers, Switches, telecommunication network routing, telecommunication switching, telecommunication traffic, Tofino switch
Abstract: In this paper, we design NETHCF, a line-rate in-network system for filtering spoofed traffic. NETHCF leverages the opportunity provided by programmable switches to design a novel defense against spoofed IP traffic, and it is highly efficient and adaptive. One key challenge stems from the restrictions of the computational model and memory resources of programmable switches. We address this by decomposing the HCF system into two complementary components: one component for the data plane and another for the control plane. We also aggregate the IP-to-Hop-Count (IP2HC) mapping table for efficient memory usage, and design adaptive mechanisms to handle end-to-end routing changes, IP popularity changes, and network activity dynamics. We have built a prototype on a hardware Tofino switch, and our evaluation demonstrates that NETHCF can achieve line-rate and adaptive traffic filtering with low overheads.
Citation Key: li_nethcf_2019