A novel high-speed architecture for integrating multiple DDoS countermeasure mechanisms using reconfigurable hardware

In this paper, we proposed a novel high-speed architecture to incorporate multiple stand-alone DDoS countering mechanisms. The architecture separates DDoS filtering mechanisms, which are algorithms, out of packet decoder, which is the basement. The architecture not only helps developers to give more concentration on optimizing algorithms but also integrate multiple algorithms to achieve more efficient DDoS defense mechanism. The architecture is implemented on reconfigurable hardware, which helps algorithms to be flexibly changed or updated. We implemented and experimented the system using NetFPGA 10G board with incorporation of Port Ingress/Egress Filtering and Hop-Count Filtering to classify IP spoofing packets. The synthesis results show that the system runs at 118.907 MHz, utilizes 38.99% Registers, and 44.75% BlockRAMs/FIFOs of the NetFPGA 10G board. The system achieves the detection rate of 100% with false negative rate at 0%, and false positive rate closed to 0.16%. The experimental results prove that the system achieves packet decoding throughput at 9.869 Gbps in half-duplex mode and 19.738 Gbps in full-duplex mode.