A Hardware-Based Stateful Packet Inspection System Design and Implementation
Date Issued
2007
Date
2007
Author(s)
Chen, Bo-Hong
DOI
zh-TW
Abstract
Security-related deficiencies in the TCP/IP protocol make networks vulnerable to intruders. Denial-of-service (DoS) attacks are intrusions that saturate the victim machine with external communication requests so that it cannot respond to its intended users. Stateful Packet Inspection (SPI) is a key technology that lets a stateful firewall hold significant attributes of connections in memory in order to prevent DoS attacks such as SYN flooding, the most common DoS attack on the Internet. In this thesis, we first investigate SPI technologies and related session table architectures in order to improve the performance of firewall machines. The PATRICIA tree is good at supporting the expensive match, insert, and delete operations in the session table. We use a kind of PATRICIA tree, called the Doubly Link PAT-FM algorithm, and improve its delete operations. Finally, we implement the proposed system in hardware, and experimental results show its effectiveness.
Subjects
state
PATRICIA algorithm
packet classification
stateful packet inspection
session table
Type
thesis
File(s)
Name
ntu-96-J94921060-1.pdf
Size
23.31 KB
Format
Adobe PDF
Checksum
(MD5):cda75c56fe024c2de4be873820879b74