FPGA-Based Multiple DDoS Countermeasure Mechanisms System Using Partial Dynamic Reconfiguration

In this paper, we propose a novel FPGA-based high-speed DDoS countermeasure system that can flexibly adapt to DDoS attacks while still maintaining system performance. The system includes a packet decoder module and multiple DDoS countermeasure mechanisms. We apply dynamic partial reconfiguration technique in this system so that the countermeasure mechanisms can be flexibly changed or updated on-the-fly. The proposed system architecture separates DDoS protection modules (which implement DDoS countermeasure techniques) from the packet decoder module. By using this approach, one DDoS protection module can be reconfigured without interfering with other modules. The proposed system is implemented on a NetFPGA 10G board. The synthesis results show that the system can work at up to 116.782 MHz while utilizing up to 39.9% Registers and 49.85% BlockRAM of the Xilinx Virtex xcv5tx240t FPGA device on the NetFPGA 10G board. The system achieves the detection rate of 100% with the false negative rate at 0% and false positive rate closed to 0.16%. The prototype system achieves packet decoding throughput at 9.869 Gbps in half-duplex mode and 19.738 Gbps in full-duplex mode.