Surgical DDoS Filtering with Fast LPM

Abstract

Can software-based packet filters effectively dampen volumetric distributed denial-of-service (DDoS) streams in an era when 10 Gbps links are considered slow? The potential of longest prefix matching (LPM) for enforcing precise DDoS scrubbing policies seems to be overlooked in contemporary packet filtering datapaths, and in this paper, we argue that this should not be the case by showing that effective whitelist/blacklist LPM-based filtering can be performed with commodity hardware. A showcase datapath we propose can evaluate multiple queries in large separate LPM databases for each forwarded 64-byte packet, while sustaining 10 Gbps line rate on a single CPU core, with a healthy scaling potential due to its lockless architecture and small memory footprint of LPM structures. We demonstrated forwarding 64 million packets per second using only six CPU cores while performing independent lookups for each packet in three large LPM databases created by aggregating malicious IP addresses or by mapping different geolocation identifiers to IPv4 prefixes.