A Hardware-Based Stateful Packet Inspection System Design and Implementation

• Main Authors: Bo-Hong Chen, 陳柏宏
• Other Authors: Sheng-De Wang
• Format: Others
• Language: zh-TW
• Published: 2007
• Online Access: http://ndltd.ncl.edu.tw/handle/88435845643128728725

碩士 === 國立臺灣大學 === 電機工程學研究所 === 95 === The security-related deficiencies in the TCP/IP protocol make networks vulnerable to intruders. The denial-of-service (DoS) attacks are such intrusions that saturate the target of victim machine with external communications requests, such that it cannot respond to its intended users. Stateful Packet Inspection (SPI) is a key technology that makes a stateful firewall able to hold in memory significant attributes of connections to prevent DoS attacks, such as SYN flooding, the most common DoS attack on the Internet. In this paper, we first investigate SPI technologies and related session table architectures in order to improve the performance of firewall machines. The PATRICIA tree is good at supporting the expensive match, insert, and delete operations in the session table. In this thesis, we use a kind of PATRICIA tree, called Doubly Link PAT-FM algorithm and improve the delete operations. Finally, we implemented the proposed system in hardware and experimental results show its effectiveness.