In this paper, we identify the opportunity of using programmable switches to improve the state of the art in spoofed IP traffic filtering, and propose NetHCF, a line-rate in-network system to filter spoofed traffic. One key challenge in the design of NetHCF is handling the restrictions stemming from the limited computational model and memory resources of programmable switches. We address this by decomposing the HCF scheme into two complementary parts, by aggregating the IP-to-Hop-Count (IP2HC) mapping table for efficient memory usage, and by designing adaptive mechanisms to handle routing changes, IP popularity changes, and network activity dynamics. We implement an open-source prototype of NetHCF and conduct extensive evaluations. The evaluation results demonstrate that NetHCF is able to process most legitimate traffic within 1 s, filters spoofed IP traffic effectively under network dynamics, and occupies less than 30% of the switch's resources.
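The abstract refers to the hop-count filtering (HCF) check and to aggregating the IP2HC table, but the page does not show either. The following is an added, host-side Python illustration of both ideas; it is not the paper's code and not NetHCF's P4 data structures. It assumes the standard HCF heuristic for inferring hop count (the sender's initial TTL is taken to be the smallest of {30, 32, 60, 64, 128, 255} not below the observed TTL), a simple /24 aggregation rule chosen for illustration (NetHCF's own aggregation rule is not described on this page), and a small constructed set of learned addresses.

```python
"""Hop-count filtering (HCF) illustration: infer the hop count of a packet
from its arriving TTL, compare it with an IP-to-Hop-Count (IP2HC) table
learned from legitimate traffic, and aggregate that table by prefix.

Added example; the /24 aggregation rule and the sample data are assumptions.
"""
import ipaddress
from collections import defaultdict

# Well-known initial TTL values used by the classic HCF heuristic (assumption
# that NetHCF uses the same set; the page does not say).
INITIAL_TTLS = (30, 32, 60, 64, 128, 255)


def infer_hop_count(observed_ttl: int) -> int:
    """Hop count = initial TTL - observed TTL, where the initial TTL is the
    smallest well-known value that is >= the observed TTL."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError(f"TTL out of range: {observed_ttl}")


class IP2HC:
    """IP2HC table with exact per-host entries plus /24 entries produced by
    aggregation, so that a whole prefix costs one entry instead of 256."""

    def __init__(self, tolerance: int = 0):
        self.hosts = {}      # IPv4Address -> hop count (exact, learned)
        self.prefixes = {}   # IPv4Network  -> hop count (aggregated)
        self.tolerance = tolerance  # allowed |inferred - expected| (routing jitter)

    def learn(self, ip: str, ttl: int) -> None:
        """Record a hop count from traffic known to be legitimate
        (e.g. a completed TCP handshake)."""
        self.hosts[ipaddress.ip_address(ip)] = infer_hop_count(ttl)

    def aggregate(self):
        """Collapse every /24 whose learned hosts all share one hop count
        into a single prefix entry. Returns (prefix entries, host entries)."""
        by_net = defaultdict(set)
        for ip, hc in self.hosts.items():
            by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(hc)
        for net, hcs in by_net.items():
            if len(hcs) == 1:                      # consistent hop count
                self.prefixes[net] = hcs.pop()
                for ip in list(self.hosts):
                    if ip in net:
                        del self.hosts[ip]
        return len(self.prefixes), len(self.hosts)

    def lookup(self, ip: str):
        """Expected hop count for ip, or None if the table has no entry."""
        addr = ipaddress.ip_address(ip)
        if addr in self.hosts:
            return self.hosts[addr]
        return self.prefixes.get(ipaddress.ip_network(f"{addr}/24", strict=False))

    def check(self, ip: str, ttl: int) -> str:
        """Filter decision: 'pass', 'drop', or 'unknown' (no table entry)."""
        expected = self.lookup(ip)
        if expected is None:
            return "unknown"
        if abs(infer_hop_count(ttl) - expected) <= self.tolerance:
            return "pass"
        return "drop"


def build_sample_table() -> IP2HC:
    """Constructed sample of learned (ip, ttl) pairs; not real measurements."""
    table = IP2HC()
    for ip, ttl in [("203.0.113.10", 116), ("203.0.113.20", 116),
                    ("198.51.100.5", 116), ("198.51.100.9", 120)]:
        table.learn(ip, ttl)
    return table


if __name__ == "__main__":
    t = build_sample_table()
    print("entries after aggregation (prefixes, hosts):", t.aggregate())
    # 203.0.113.0/24 collapses to one entry with hop count 12; the two
    # 198.51.100.x hosts disagree (12 vs 8) so they stay as host entries.
    print(t.check("203.0.113.77", 116))   # unseen host, matches prefix -> pass
    print(t.check("203.0.113.77", 124))   # spoofed from 4 hops away   -> drop
    print(t.check("192.0.2.1", 116))      # no entry                   -> unknown
```

The decision is only as good as the table: an address with no entry cannot be filtered, which is why the learning path (and, in the abstract, the adaptive handling of routing and IP popularity changes) matters as much as the check itself. A non-zero `tolerance` trades a few extra hops of slack for robustness to route changes.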