Modern communication and data networks are vulnerable to a variety of network attacks. To defend against network attacks, networks may implement security measures and control schemes, such as Internet Protocol Security (IPsec). One common network attack that a network may suffer from is a distributed denial-of-service (DDoS) attack. DDoS attacks prevent valid users from accessing and using resources from a network node (e.g. a computer or server) and/or the network. One type of DDoS attack floods the target network node and/or network with data traffic until the data traffic overloads and shuts down the network node and/or network. As a network node and/or a network becomes overburdened with processing invalid DDoS traffic, the network node and/or network is unable to respond to legitimate traffic sent by valid users. As a result, DDoS attacks may temporarily or indefinitely suspend services for a valid user (e.g. a host) connected to the network node and/or network. DDoS attacks become especially costly and troublesome when their targets are websites or services hosted on high-profile servers.
IPsec, as described in the Internet Engineering Task Force (IETF) Request for Comments (RFC) 4301, published December 2005, which is incorporated herein as if reproduced in its entirety, is one of the security protocol suites used for securing Internet Protocol (IP) communications within a network. IPsec provides an anti-replay service that filters data traffic based on the sequence number carried in each IPsec packet, and this service also discards some DDoS traffic cheaply. Specifically, IPsec uses a sliding anti-replay window to track the sequence numbers of received packets and rejects, without any cryptographic work, packets whose sequence numbers are too old (e.g. below the anti-replay window) or duplicated (e.g. within the anti-replay window, but already marked as received). Unfortunately, the anti-replay window for the IPsec protocol is unable to filter DDoS attack packets with sequence numbers above the anti-replay window (e.g. the sequence number is neither considered too old, nor a duplicate), and an attacker can choose such a sequence number freely. As such, the IPsec protocol can only reject DDoS attack packets with sequence numbers above the anti-replay window by performing an Integrity Check Value (ICV) check, which per RFC 4301 must succeed before the window is advanced. However, performing an ICV check involves a keyed integrity computation (e.g. a hash-based message authentication code) over the packet that is rather expensive in terms of resource and time consumption. If enough DDoS attack packets flood the target network node and/or network, the constant resource and time consumption used to reject DDoS attack packets with the ICV check may cause performance degradation and service interruption for users. Therefore, a solution is needed to efficiently verify and distinguish legitimate user data traffic from DDoS attack traffic for the IPsec protocol.
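The processing order just described (cheap window check first, ICV only for packets the window cannot reject, window advanced only after the ICV verifies) is illustrated by the following added example. It is not code from the original document or from any IPsec implementation; the 64-bit window size, the HMAC-SHA256 stand-in for the ICV, the key and the packet sequences are all constructed for the illustration. It counts how many ICV computations a receiver is forced to perform when a replayed packet, a stale packet and a flood of forged above-window packets arrive alongside legitimate traffic.

```python
"""Sliding anti-replay window in the style of RFC 4301/4303, with a stand-in ICV.

Added example: constructed for illustration, not taken from any IPsec implementation.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW_SIZE = 64  # assumption: RFC 4303 requires at least 32; 64 is common
KEY = b"constructed-demo-key"  # constructed key for the example, not a real SA key


class AntiReplayWindow:
    """Tracks received sequence numbers with a bitmap of WINDOW_SIZE bits.

    `top` is the highest sequence number whose ICV has verified so far; bit i of
    `bitmap` records whether sequence number (top - i) has already been received.
    """

    def __init__(self, size: int = WINDOW_SIZE) -> None:
        self.size = size
        self.top = 0       # highest authenticated sequence number seen so far
        self.bitmap = 0    # bit 0 == top, bit 1 == top - 1, ...

    def classify(self, seq: int) -> str:
        """Cheap pre-check performed before any ICV computation.

        Returns 'too_old', 'duplicate' or 'needs_icv'.
        """
        if seq == 0:
            return "too_old"                 # sequence number 0 is never sent by ESP
        if seq > self.top:
            return "needs_icv"               # above the window: cannot be filtered cheaply
        offset = self.top - seq
        if offset >= self.size:
            return "too_old"                 # below the left edge of the window
        if (self.bitmap >> offset) & 1:
            return "duplicate"               # already received: a replay
        return "needs_icv"                   # inside the window, first sighting

    def mark(self, seq: int) -> None:
        """Advance/update the window; called only after the packet's ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 0              # window slid entirely past old state
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.top = seq
            self.bitmap |= 1
        else:
            self.bitmap |= 1 << (self.top - seq)


def compute_icv(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """HMAC-SHA256 truncated to 16 bytes stands in for the ESP ICV (assumption)."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:16]


@dataclass
class Packet:
    seq: int
    payload: bytes
    icv: bytes


def process(window: AntiReplayWindow, packets: List[Packet]) -> Tuple[List[int], Dict[str, int], int]:
    """Receive packets; return (accepted seqs, rejection counts, number of ICV checks)."""
    accepted: List[int] = []
    rejected = {"too_old": 0, "duplicate": 0, "bad_icv": 0}
    icv_checks = 0
    for p in packets:
        verdict = window.classify(p.seq)
        if verdict != "needs_icv":
            rejected[verdict] += 1           # dropped without any cryptographic work
            continue
        icv_checks += 1                      # the expensive path the text describes
        if hmac.compare_digest(compute_icv(p.seq, p.payload), p.icv):
            window.mark(p.seq)               # RFC 4301: update window only after ICV passes
            accepted.append(p.seq)
        else:
            rejected["bad_icv"] += 1
    return accepted, rejected, icv_checks


def demo() -> Tuple[List[int], Dict[str, int], int]:
    """Constructed traffic: legitimate packets, one replay, one stale, a forged flood."""
    window = AntiReplayWindow()
    legit = [Packet(s, b"data", compute_icv(s, b"data")) for s in (100, 101, 102, 104, 103)]
    replay = [Packet(102, b"data", compute_icv(102, b"data"))]   # captured and resent
    stale = [Packet(10, b"data", compute_icv(10, b"data"))]      # far below the window
    flood = [Packet(10_000 + i, b"junk", bytes(16)) for i in range(1000)]  # forged ICVs
    return process(window, legit + replay + stale + flood)


if __name__ == "__main__":
    accepted, rejected, checks = demo()
    print("accepted:", accepted)
    print("rejected:", rejected)
    print("ICV computations forced:", checks)
```

The replayed and stale packets are dropped by the window alone, but every one of the 1000 forged packets carries a sequence number above the window and so forces a full ICV computation before it can be discarded, while the window's top never moves because none of them verifies. That asymmetry is the cost the paragraph above describes.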