# Practical Verifiable In-network Filtering for DDoS defense

**Authors:** Deli Gong, Muoi Tran, Shweta Shinde, Hao Jin, Vyas Sekar, Prateek, Saxena, Min Suk Kang

arXiv: 1901.00955 · 2019-01-16

## TL;DR

This paper introduces VIF, a hardware-based trusted execution environment system that enables verifiable in-network filtering to improve DDoS attack mitigation and prevent misuse by transit networks.

## Contribution

VIF provides a practical, scalable, and verifiable in-network filtering solution using commodity hardware TEEs, addressing trust issues in DDoS defense.

## Key findings

- VIF handles 10 Gb/s traffic with 3,000 filter rules on commodity servers.
- VIF scales to 500 Gb/s traffic and 150,000 rules through parallelization.
- VIF can be deployed at IXPs for effective early adoption.

## Abstract

In light of ever-increasing scale and sophistication of modern DDoS attacks, it is time to revisit in-network filtering or the idea of empowering DDoS victims to install in-network traffic filters in the upstream transit networks. Recent proposals show that filtering DDoS traffic at a handful of large transit networks can handle volumetric DDoS attacks effectively. However, the innetwork filtering primitive can also be misused. Transit networks can use the in-network filtering service as an excuse for any arbitrary packet drops made for their own benefit. For example, transit networks may intentionally execute filtering services poorly or unfairly to discriminate their competing neighbor ASes while claiming that they drop packets for the sake of DDoS defense. We argue that it is due to the lack of verifiable filtering - i.e., no one can check if a transit network executes the filter rules correctly as requested by the DDoS victims. To make in-network filtering a more robust defense primitive, in this paper, we propose a verifiable in-network filtering, called VIF, that exploits emerging hardware-based trusted execution environments (TEEs) and offers filtering verifiability to DDoS victims and neighbor ASes. Our proof of concept demonstrates that a VIF filter implementation on commodity servers with TEE support can handle traffic at line rate (e.g., 10 Gb/s) and execute up to 3,000 filter rules. We show that VIF can easily scale to handle larger traffic volume (e.g., 500 Gb/s) and more complex filtering operations (e.g., 150,000 filter rules) by parallelizing the TEE-based filters. As a practical deployment model, we suggest that Internet exchange points (IXPs) are the ideal candidates for the early adopters of our verifiable filters due to their central locations and flexible software-defined architecture.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1901.00955/full.md

## Figures

18 figures with captions in the complete paper: https://tomesphere.com/paper/1901.00955/full.md

## References

77 references — full list in the complete paper: https://tomesphere.com/paper/1901.00955/full.md

---
Source: https://tomesphere.com/paper/1901.00955