While network link speeds have become increasingly faster going from 100 Mb/s to Gbps, 10 Gbps, 100 Gbps, the clock rate of microprocessors has increased very little. This has resulted in packet processing being increasingly carried out by multiple processing cores as it is impossible for a single processing core to keep up with the packet arrival rate. Typically the arriving packets are distributed to these multiple cores by sorting arriving packets into many packet flows based on their source addresses, destination addresses, source ports, destination ports, protocol identifier, and VLAN identifier with each packet processing core being responsible for processing a subset of the total packet flows. Using this approach the packet arriving order within each packet flow is maintained. For legitimate applications/users, each packet flow typically consumes a very small fraction of the link bandwidth (for example, an audio call's consumption is on the order of Kb/s while a video call consumes from a fraction of Mb/s to 10s of Mb/s). When many thousands of these packet flows are distributed to multiple processing cores, their processing loads are fairly balanced. Together the multiple packet cores can keep up with the packet arrival rate.
However, processing loads are not fairly balanced in the presence of some service denial of service attacks. If an attacker user/application pumps a “fat” attack packet flow into the packet pipeline filling the unused link bandwidth up with attack packets, then one of the distributed packet processing cores will be overwhelmed, causing input queue congestion and/or packet discards, impacting services to well behaving legitimate applications/users (e.g., applications/users consuming typical amounts of bandwidth).
Some known pipelined packet processing systems include multiple stages wherein each processing stage is performed by a group of processing cores. This approach works well for most applications, including distributed DOS attacks, as traffic (legitimate packet flows or distributed denial of service flows) are fairly evenly distributed among the cores at each processing stage. However, if denial of service attackers users/applications send in packets that constitute one or a few “outsized” DOS packet flow(s), one or more initial or stage 1 processing cores as well as some later stage cores can be overwhelmed causing packet loss that can affect service to normal legitimate users/applications.
It should be appreciated that there is a need for methods and apparatus that can detect single oversized denial of service attack flows in distributed packet processing environments. It should be further appreciated that there is a need for methods and apparatus that can detect multiple oversized denial of service attack flows in distributed packet processing. It should be appreciated that there is a need for detecting or identifying attack packets without incurring too much processing cost. It should be appreciated that there is a need for methods and apparatus that can detect oversized denial of service attack flows in multi-core packet processing environments.
It should be further appreciated that there is a need for methods and apparatus that upon detection of oversized denial of service attack flows in distributed packet processing environments minimize their impact on legitimate packet flows. It should be appreciated that there is a need for methods and apparatus that can without too much processing cost identify and discard packets from an oversized denial of service attack flow.
It should be further appreciated that there is a need for a way to identify when processing congestion in various stages of a multistage packet processing system is caused by an oversized denial of service attack flow at an early stage in processing.
It should also be appreciated that there is a need for a way to identify denial of service attacks by monitoring multi-stage packet processing systems for congestion.