DocumentCode
2718220
Title
Synmon Architecture for Source-based SYN-flooding Defense on Network Processor
Author
BoonPing Lim ; Uddin, Md Safi
Author_Institution
Fac. of Inf. Technol., Multimedia Univ., Selangor
fYear
2005
fDate
5-5 Oct. 2005
Firstpage
995
Lastpage
999
Abstract
Distributed denial-of-service attacks continue to inflict damage on Internet services almost five years after their large-scale emergence. The demand for robust, high-speed firewalls has led to the advent of hardware-based DDoS defense systems. The network processor is becoming the cornerstone of many new firewall designs because of its programmability and high-performance packet processing capability. In this paper, we propose an innovative and practical SYN-flooding defense system built on a network processor. An embedded architecture, called synmon, is proposed. We characterize our solution as a source-based autonomous system that resides in upstream border routers. It detects a wide range of attacks and blocks a large portion of attack traffic before it floods into the core network. A change-point detection algorithm is employed to detect the occurrence of a SYN-flooding attack. It performs per-flow attack detection based on the SYN and ACK packets exchanged in a TCP-friendly flow. A fuzzy-based adaptive rate-limiting mechanism is proposed to restrict the intensity of outgoing SYN packets. Under the per-flow mitigation scheme, the attacker is penalized with limited outgoing connections while legitimate clients in the same subnet are free from collateral damage. A hardware prototype of the synmon embedded router is developed. We demonstrate that the synmon architecture integrates seamlessly with common routing tasks while providing a cost-effective SYN-flooding defense service on the network processor platform.
Keywords
Internet; telecommunication network routing; telecommunication security; telecommunication traffic; transport protocols; ACK packets; Internet services; TCP friendly flow; attack traffic; change-point detection algorithm; distributed denial-of-service attacks; fuzzy-based adaptive rate-limiting mechanism; hardware-based DDoS defense system; high-speed firewall; limited outgoing connection; network processor; outgoing SYN packets; packet processing ability; per-flow attack detection; source-based SYN-flooding defense system; source-based autonomous system; synmon embedded architecture; upstream border routers; Computer crime; Detection algorithms; Explosions; Hardware; Large-scale systems; Prototypes; Robustness; Routing; Telecommunication traffic; Web and internet services; SYN-flooding; distributed denial-of-service; fuzzy rate-limiting network processor; network security; non-parametric CUSUM
fLanguage
English
Publisher
ieee
Conference_Titel
Communications, 2005 Asia-Pacific Conference on
Conference_Location
Perth, WA
Print_ISBN
0-7803-9132-2
Type
conf
DOI
10.1109/APCC.2005.1554213
Filename
1554213