Hardware filtering support for denial-of-service attacks
First Claim
1. A method for a network node, which includes a central processing unit (CPU) configured to execute a router operating system, to filter malicious data packets received at the network node, the method comprising:
- receiving a data packet at the network node;
performing hash-based flow classification on the received data packet to determine whether the received data packet is a malicious data packet; and
discarding the received data packet before the data packet can be forwarded to the CPU for processing by the router operating system, if the received data packet is determined to be a malicious data packet.
1 Assignment
0 Petitions
Accused Products
Abstract
A system and method is provided for automatically identifying and removing malicious data packets, such as denial-of-service (DoS) packets, in an intermediate network node before the packets can be forwarded to a central processing unit (CPU) in the node. The CPU'"'"'s processing bandwidth is therefore not consumed identifying and removing the malicious packets from the system memory. As such, processing of the malicious packets is essentially “off-loaded” from the CPU, thereby enabling the CPU to process non-malicious packets in a more efficient manner. Unlike prior implementations, the invention identifies malicious packets having complex encapsulations that can not be identified using traditional techniques, such as ternary content addressable memories (TCAM) or lookup tables.
-
Citations
19 Claims
-
1. A method for a network node, which includes a central processing unit (CPU) configured to execute a router operating system, to filter malicious data packets received at the network node, the method comprising:
-
receiving a data packet at the network node;
performing hash-based flow classification on the received data packet to determine whether the received data packet is a malicious data packet; and
discarding the received data packet before the data packet can be forwarded to the CPU for processing by the router operating system, if the received data packet is determined to be a malicious data packet. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A network node, comprising:
-
a central processing unit (CPU) configured to execute instructions that implement a router operating system;
a network interface adapted to receive a data packet;
a memory having a plurality of storage locations addressable by the CPU, the storage locations being configured to store;
(i) at least a portion of the router operating system instructions, (ii) one or more data buffers for storing the received data packet, and (iii) a searchable data structure configured to store information associated with the received data packet; and
a system controller coupled to the memory and the CPU, the system controller including a hardware assist (HWA) module configured to discard malicious data packets from the network node before the malicious data packets can be forwarded to the CPU for processing by the router operating system. - View Dependent Claims (12, 13, 14, 15, 16, 17)
-
-
18. A network node including a central processing unit (CPU) configured to execute a router operating system, the network node comprising:
-
means for receiving a data packet at the network node;
means for performing hash-based flow classification on the received data packet to determine whether the received data packet is a malicious data packet; and
means for discarding the received data packet before the data packet can be forwarded to the CPU for processing by the router operating system, if the received data packet is determined to be a malicious data packet.
-
-
19. A computer-readable media including instructions for execution by a processor, the instructions for a method of filtering malicious data packets received at a network node in which a central processing unit (CPU) is configured to execute a router operating system, the method comprising:
-
receiving a data packet at the network node;
performing hash-based flow classification on the received data packet to determine whether the received data packet is a malicious data packet; and
discarding the received data packet before the data packet can be forwarded to the CPU for processing by the router operating system, if the received data packet is determined to be a malicious data packet.
-
Specification