Building a Traffic Policer for DDoS Mitigation on Top of Commodity Hardware

Traffic policing is the process of ensuring that network traffic complies with its policies with methods like traffic shaping. As the distribution of sources involved in a DDoS attack differs significantly from the typical distribution of customers for web services, traffic shapers and policers can be used in DDoS mitigation. In the past, software-based middleboxes, like traffic shapers, easily became overloaded and therefore a vulnerability for DDoS attacks. Although recent advances in network stack design on commodity hardware increased the performance, the software on top of the network stack also needs to provide adequate throughput and scalability regarding the number of limited subnets. Therefore, we build a high-performance and scalable traffic policer called MoonPol and evaluated it in a DDoS mitigation scenario. MoonPol runs on any commodity hardware, takes advantage of the underlying framework, DPDK, and combines it with appropriate algorithms and data structures. Data structures for efficient lookups are implemented together with the token bucket algorithm to police a traffic of fine-grained IP address ranges. Benchmarking results show that the single core throughput of the policer running on a 3.2 GHz CPU, is 6.5 Mpps with limiting 1 Million subnets, i.e., 492 CPU cycles per packet. With 250K subnets of all countries in the world, the throughput is 6.66 Mpps.