Hardware filtering support for denial-of-service attacks
1 Assignment
0 Petitions
Abstract
A system and method is provided for automatically identifying and removing malicious data packets, such as denial-of-service (DoS) packets, in an intermediate network node before the packets can be forwarded to a central processing unit (CPU) in the node. The CPU's processing bandwidth is therefore not consumed identifying and removing the malicious packets from the system memory. As such, processing of the malicious packets is essentially "off-loaded" from the CPU, thereby enabling the CPU to process non-malicious packets in a more efficient manner. Unlike prior implementations, the invention identifies malicious packets having complex encapsulations that cannot be identified using traditional techniques, such as ternary content addressable memories (TCAM) or lookup tables.
147 Citations
25 Claims
1. A method for a network node, which includes a central processing unit (CPU) configured to execute a router operating system, to filter malicious data packets received at the network node, the method comprising:
receiving a data packet at the network node;
performing hash-based flow classification on the received data packet to determine whether the received data packet is a malicious data packet; and
discarding, by a hardware assist (HWA) module of a system controller that is coupled to the CPU, the received data packet before the data packet can be forwarded to the CPU for processing by the router operating system, if the received data packet is determined to be a malicious data packet.
Dependent claims 2 to 10 depend from claim 1.
11. A network node, comprising:
a central processing unit (CPU) configured to execute instructions that implement a router operating system;
a network interface adapted to receive a data packet;
a memory having a plurality of storage locations addressable by the CPU, the storage locations being configured to store: (i) at least a portion of the router operating system instructions, (ii) one or more data buffers for storing the received data packet, and (iii) a searchable data structure configured to store information associated with the received data packet; and
a system controller coupled to the memory and the CPU, the system controller including a hardware assist (HWA) module configured to discard malicious data packets from the network node before the malicious data packets can be forwarded to the CPU for processing by the router operating system.
Dependent claims 12 to 17 depend from claim 11.
18. A network node including a central processing unit (CPU) configured to execute a router operating system, the network node comprising:
means for receiving a data packet at the network node;
means for performing hash-based flow classification on the received data packet to determine whether the received data packet is a malicious data packet; and
means for discarding, at a hardware assist (HWA) module of a system controller that is coupled to the CPU, the received data packet before the data packet can be forwarded to the CPU for processing by the router operating system, if the received data packet is determined to be a malicious data packet.
19. A computer-readable media including instructions for execution by a processor, the instructions for a method of filtering malicious data packets received at a network node in which a central processing unit (CPU) is configured to execute a router operating system, the method comprising:
receiving a data packet at the network node;
performing hash-based flow classification on the received data packet to determine whether the received data packet is a malicious data packet; and
discarding, by a hardware assist (HWA) module of a system controller that is coupled to the CPU, the received data packet before the data packet can be forwarded to the CPU for processing by the router operating system, if the received data packet is determined to be a malicious data packet.
20. A method comprising:
receiving a data packet;
storing the data packet in one or more data buffers referenced by a set of one or more packet descriptors;
passing the set of packet descriptors to an ingress descriptor queue at a direct memory access (DMA) controller;
performing, by a flow classifier coupled to the DMA controller, hash-based flow classification on the data packet referenced by the set of packet descriptors to associate the data packet with a particular data flow identification (ID) value;
passing the set of packet descriptors to an egress descriptor queue; and
determining based on the data flow ID value if the data packet is a malicious data packet and, if so, freeing the set of packet descriptors to discard the data packet before the data packet can be processed by a router operating system operating on a CPU coupled to the DMA controller and, if not, allowing the data packet to be processed by the router operating system operating on the CPU coupled to the DMA controller.
Dependent claims 21 to 25 depend from claim 20.
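The receive path of claim 20, and the hash-based classification that claims 1 and 18 also recite, modelled in software as an added example. This is not the patent's own code. The claim text fixes neither the flow key, the hash function, the table and queue sizes, nor how a flow comes to be judged malicious; here those are assumptions: an IPv4 5-tuple key, FNV-1a, a 64-entry table with linear probing, 16-deep descriptor rings, and a control-plane hook through which the router OS flags a flow. The packets in `run_demo` are constructed.

```c
/* Added example (not the patent's code): software model of the claim-20 data path.
 * Descriptors enter an ingress queue at the DMA controller, a flow classifier hashes the
 * packet's flow key into a flow table to get a flow ID, descriptors move to the egress
 * queue, and the HWA stage frees descriptors of flagged flows before the CPU sees them. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLOW_TABLE_SIZE 64          /* assumed capacity of the searchable flow table */
#define RING_SIZE       16          /* assumed depth of each descriptor queue */
#define NO_FLOW         (-1)

typedef struct { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; } flow_key_t; /* assumed key */
typedef struct { flow_key_t key; int used; int malicious; uint32_t pkts; } flow_entry_t;
typedef struct { int buf; int flow_id; } descriptor_t;   /* buffer reference + classification result */
typedef struct {
    flow_entry_t table[FLOW_TABLE_SIZE];
    descriptor_t ingress[RING_SIZE], egress[RING_SIZE];
    int n_ingress, n_egress;
    int freed;                      /* descriptors freed by the HWA: packets discarded */
    int delivered;                  /* descriptors handed to the router OS on the CPU */
} dma_ctrl_t;

/* FNV-1a over an explicitly serialised key, so struct padding never enters the hash. */
static uint32_t key_hash(const flow_key_t *k)
{
    uint8_t b[13]; uint32_t h = 2166136261u;
    memcpy(b, &k->src, 4); memcpy(b + 4, &k->dst, 4);
    memcpy(b + 8, &k->sport, 2); memcpy(b + 10, &k->dport, 2); b[12] = k->proto;
    for (size_t i = 0; i < sizeof b; i++) { h ^= b[i]; h *= 16777619u; }
    return h;
}

static int key_eq(const flow_key_t *a, const flow_key_t *b)
{
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport
        && a->dport == b->dport && a->proto == b->proto;
}

/* Hash-based flow classification: hash picks a slot, linear probing resolves collisions,
 * and the slot index is the flow ID. Returns NO_FLOW only when the table is full. */
static int classify(dma_ctrl_t *d, const flow_key_t *k)
{
    uint32_t h = key_hash(k) % FLOW_TABLE_SIZE;
    for (int i = 0; i < FLOW_TABLE_SIZE; i++) {
        int slot = (int)((h + i) % FLOW_TABLE_SIZE);
        flow_entry_t *e = &d->table[slot];
        if (!e->used) { e->used = 1; e->key = *k; return slot; }
        if (key_eq(&e->key, k)) return slot;
    }
    return NO_FLOW;
}

/* Control-plane hook (assumed): the router OS flags a flow it has judged to be DoS traffic. */
int hwa_mark_malicious(dma_ctrl_t *d, const flow_key_t *k)
{
    int id = classify(d, k);
    if (id != NO_FLOW) d->table[id].malicious = 1;
    return id;
}

/* A packet has been stored in data buffer `buf`; queue its descriptor on the ingress ring. */
int dma_ingress(dma_ctrl_t *d, int buf)
{
    if (d->n_ingress >= RING_SIZE) return -1;
    d->ingress[d->n_ingress++] = (descriptor_t){ .buf = buf, .flow_id = NO_FLOW };
    return 0;
}

/* Classify each queued packet, move its descriptor to the egress ring, then run the HWA
 * pass. keys[buf] stands in for the header the classifier would parse out of the buffer.
 * Returns how many packets of this batch were forwarded to the router OS. */
int dma_run(dma_ctrl_t *d, const flow_key_t *keys)
{
    for (int i = 0; i < d->n_ingress; i++) {
        descriptor_t desc = d->ingress[i];
        desc.flow_id = classify(d, &keys[desc.buf]);
        if (desc.flow_id != NO_FLOW) d->table[desc.flow_id].pkts++;
        d->egress[d->n_egress++] = desc;
    }
    d->n_ingress = 0;
    int forwarded = 0;
    for (int i = 0; i < d->n_egress; i++) {
        int id = d->egress[i].flow_id;
        if (id != NO_FLOW && d->table[id].malicious) d->freed++;  /* freed: CPU never sees it */
        else { d->delivered++; forwarded++; }                     /* unknown flows fail open to CPU */
    }
    d->n_egress = 0;                /* router OS has consumed the surviving descriptors */
    return forwarded;
}

/* Constructed traffic: four packets of a flood from one source, two legitimate packets from
 * another. The control plane has already flagged the flood flow. */
void run_demo(dma_ctrl_t *d)
{
    static const flow_key_t keys[6] = {
        {0x0A000001, 0xC0A80001, 40000, 80, 6},  {0x0A000001, 0xC0A80001, 40000, 80, 6},
        {0x0A000001, 0xC0A80001, 40000, 80, 6},  {0x0A000001, 0xC0A80001, 40000, 80, 6},
        {0x0A000002, 0xC0A80001, 51000, 443, 6}, {0x0A000002, 0xC0A80001, 51000, 443, 6},
    };
    memset(d, 0, sizeof *d);
    hwa_mark_malicious(d, &keys[0]);
    for (int i = 0; i < 6; i++) dma_ingress(d, i);
    dma_run(d, keys);
}

int main(void)
{
    dma_ctrl_t d;
    run_demo(&d);
    printf("discarded by HWA: %d, forwarded to CPU: %d\n", d.freed, d.delivered);
    return 0;
}
```

Two points a practitioner should take from the model. First, the decision the HWA makes is a lookup keyed by flow ID, so everything that makes the scheme work lives in the searchable data structure of claim 11 rather than in the CPU's packet-processing path; the router OS only touches the table when it flags or unflags a flow. Second, the model fails open when the table is full, which the claim text does not address: a flood spread across many source ports can exhaust a fixed-size table and slip past the HWA to the CPU, so a real implementation needs entry ageing or a bounded-bucket design, and the control plane should monitor table occupancy as an attack signal in its own right.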
Specification