Packet Classification for Anti-Distributed Denial of Service (DDoS) Engines – Combining AI/ML with ACL Lookups
Wednesday December 9, 2020
By Julie DiBene
Director, Marketing Communications, MoSys
Distributed Denial of Service, or DDoS. It doesn’t sound like something anyone should be concerned about unless you work in cyber security, but the reality is that DDoS threatens to disrupt the average person’s life every single day and in multiple ways. From gaming networks to streaming movies to simply paying a bill via PayPal, DDoS has the ability to disrupt our lives constantly. Remember a few years ago when much of the internet on the east coast of the United States was brought to its knees? That was a DDoS attack on a massive scale.
At its core a denial of service attack, or DoS attack, is an attack on a single target with the goal of disrupting a service, a network, or a datacenter’s servers. This is accomplished by exhausting the target’s computing resources such as bandwidth, disk space, memory, or CPU time. Think of it like someone siphoning off your gas tank. Your car can’t run without gas.
A DDoS attack involves many devices being taken over and used for the attack. All of those devices simultaneously connect to the target and flood it with traffic or server requests. It would be like dismantling the electrical system, the car battery and the gasoline supply all at once to shut down your car. A DDoS is sometimes accomplished by bypassing the obvious, well-defended targets and going in sideways, via unsecured connected devices, which can include smart thermostats, refrigerators, CCTV cameras, and even baby monitors. This would be like putting your car up on 20-foot-high blocks. Unconventional, but you still could not drive it.
So, what is the scope of DDoS attacks? The global number of DDoS attacks is expected to double to 14.5 million per year by 2022, according to data from the Cisco Visual Networking Index. In addition, DDoS attacks are a persistent threat to the vast majority of service providers, with attacks representing up to 25 percent of a country’s total Internet traffic while they are occurring. Just as worrisome, Gartner, Inc. estimates that 20.4 billion Internet of Things (IoT) devices will exist by 2020. Because IoT devices (connected devices such as smart thermostats, refrigerators, and even baby monitors) often lack any real IT security or cybersecurity measures, they are easy targets: vulnerable to hacking, eavesdropping attacks, and being taken over for use in DDoS attacks.
The financial impact is huge with Bulletproof’s 2019 Annual Cyber Security Report indicating that a DoS or DDoS attack could cost up to $120,000 for a small company or more than $2 million for an enterprise organization. And this does not even take into account the on-going adverse impact on a company’s brand or the distrust it breeds with customers and shareholders.
To counter all these trends, DDoS engine complexity has increased dramatically in the last decade. Engines now often include some form of artificial intelligence or machine learning algorithm to spot DDoS attacks, but typically the first and last stages still use Access Control List (ACL) lookups to cull the attack traffic. Allow/deny lists can often contain tens of millions of rules.
When the first packet of a new flow arrives, it is the responsibility of the Anti-DDoS engine to decide whether to grant that flow entry into the network. To do this it can look up various pieces of information to decide whether the flow comes from a known bad actor. Typically one of the first gates to pass through is the Access Control List (ACL) lookup. These can involve very complex multi-tuple lookups (source and destination address, protocol, source and destination port, and more) that dive deeply into the packet headers. The term Deep Header Inspection (DHI) is now being applied to such lookups; it is a kindred spirit to Deep Packet Inspection (DPI), which examines the payload of the packet.
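As an added illustration of what such a multi-tuple ACL decision looks like for a new flow's first packet, the following Python is example code written for this post, not MoSys code and not part of the Stellar platform. It parses the IPv4 and transport headers, extracts the classic 5-tuple, and walks an ordered rule list where the first matching entry wins, which is the priority semantics a TCAM encodes in hardware. The rule syntax, the rule set, and the packets are constructed for the example and use RFC 5737 documentation addresses.

```python
"""5-tuple ACL classification of a flow's first packet (added example, not MoSys code)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17}
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network    # 0.0.0.0/0 acts as the "any" wildcard
    dst: ipaddress.IPv4Network
    proto: Optional[int]          # None means any protocol
    sport: Tuple[int, int]        # inclusive port range
    dport: Tuple[int, int]

    def matches(self, src, dst, proto, sport, dport) -> bool:
        return (src in self.src and dst in self.dst
                and (self.proto is None or self.proto == proto)
                and self.sport[0] <= sport <= self.sport[1]
                and self.dport[0] <= dport <= self.dport[1])


def _parse_prefix(tok: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network("0.0.0.0/0" if tok == "any" else tok, strict=False)


def _parse_ports(tok: str) -> Tuple[int, int]:
    if tok == "any":
        return ANY_PORTS
    lo, _, hi = tok.partition("-")          # "53" or "1024-65535"
    return (int(lo), int(hi or lo))


def parse_rule(line: str) -> Rule:
    """Parse the hypothetical syntax '<action> <src> <dst> <proto> <sport> <dport>'."""
    action, src, dst, proto, sport, dport = line.split()
    proto_num = None if proto == "any" else PROTO_NAMES.get(proto, None) or int(proto)
    return Rule(action, _parse_prefix(src), _parse_prefix(dst), proto_num,
                _parse_ports(sport), _parse_ports(dport))


def five_tuple_from_packet(pkt: bytes):
    """Deep header inspection: read IPv4 fields, then the L4 ports past the IHL-sized header."""
    ihl = (pkt[0] & 0x0F) * 4               # header length in bytes (options included)
    proto = pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    else:
        sport = dport = 0                   # non-TCP/UDP flows carry no ports
    return src, dst, proto, sport, dport


class Acl:
    """Ordered rule list: first match wins, exactly as a TCAM priority encoder resolves it."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = list(rules)
        self.default = default

    def classify(self, pkt: bytes) -> Tuple[str, Optional[int]]:
        fields = five_tuple_from_packet(pkt)
        for idx, rule in enumerate(self.rules):
            if rule.matches(*fields):
                return rule.action, idx
        return self.default, None           # no rule matched: apply the default action


def build_packet(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Constructed test packet: 20-byte IPv4 header (checksum zeroed) + 4 bytes of L4 ports."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip_hdr + struct.pack("!HH", sport, dport)


def build_sample_acl() -> Acl:
    # Constructed rule set: a known-bad source range, a DNS resolver, and a web tier.
    return Acl([parse_rule(r) for r in (
        "deny  198.51.100.0/24 any           any any any",
        "allow any             192.0.2.10/32 udp any 53",
        "deny  any             192.0.2.10/32 udp any any",
        "allow any             192.0.2.0/24  tcp any 443",
    )])


if __name__ == "__main__":
    acl = build_sample_acl()
    for args in (("198.51.100.7", "192.0.2.10", 17, 40000, 53),
                 ("203.0.113.5", "192.0.2.10", 17, 40000, 123),
                 ("203.0.113.5", "192.0.2.20", 6, 51000, 443)):
        print(args, "->", acl.classify(build_packet(*args)))
```

The linear walk over the rule list is what makes this version unsuitable at the scale the post describes: with tens of millions of rules and line-rate packet arrival, every lookup must complete in a handful of memory accesses, which is why ACL engines move the same first-match semantics into a TCAM or an algorithmic, hardware-accelerated equivalent rather than scanning rules in software.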
The MoSys Stellar Packet Classification Platform – High Flexibility/High Complexity ACL & LPM Edition is provided as Intellectual Property (IP) that uses a hardware-accelerated, algorithmic TCAM-like approach to help ensure that Anti-DDoS engines can keep up with the huge volume of access control decisions per second they have to process. The MoSys solution is very high-performance and designed to accelerate one of the main Anti-DDoS bottlenecks: complex multi-tuple access control lookups. It offers a very flexible design in which the MoSys IP is easily integrated and takes advantage of the available gates and memory in an FPGA or ASIC. Additionally, it helps future-proof designs by supporting a wide range of key sizes, n-tuple lookups, and a very large number of rules at very high performance in very efficient logic.
If you are looking for more technical information or need to discuss your technical challenges with an expert, we are happy to help. Email us and we will arrange to have one of our technical specialists speak with you. You can also sign up for updates. Finally, please follow us on social media so we can keep in touch.