NetHCF: Filtering Spoofed IP Traffic With Programmable Switches

  • Menghao Zhang
  • Guanyu Li*
  • Xiao Kong
  • Chang Liu
  • Mingwei Xu*
  • Guofei Gu
  • Jianping Wu

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

Abstract

In this paper, we identify the opportunity of using programmable switches to improve the state of the art in spoofed IP traffic filtering, and propose NetHCF, a line-rate in-network system to filter spoofed traffic. One key challenge in the design of NetHCF is to handle the restrictions stemming from the limited computational model and memory resources of programmable switches. We address this by decomposing the HCF scheme into two complementary parts, by aggregating the IP-to-Hop-Count (IP2HC) mapping table for efficient memory usage, and by designing adaptive mechanisms to handle routing changes, IP popularity changes, and network activity dynamics. We implement an open-source prototype of NetHCF and conduct extensive evaluations. The evaluation results demonstrate that NetHCF is able to process most legitimate traffic in 1 μs and filter spoofed IP traffic effectively under network dynamics, with less than 30% of switch resource occupation.
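As an added illustration of the hop-count filtering (HCF) core that the abstract builds on, not code from the NetHCF prototype: the initial TTL is inferred from the TTL observed at the switch, the resulting hop count is compared against an IP2HC table, and the table is keyed by IP prefix as a stand-in for the memory-saving aggregation the paper describes. The /24 granularity, the `IP2HC` and `infer_hop_count` names, the table contents and the sample packets are all constructed assumptions for this example.

```python
import ipaddress

# Common default initial TTLs; the inferred initial TTL is the smallest one >= observed.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(observed_ttl: int) -> int:
    """Return the hop count implied by an observed TTL (initial TTL - observed TTL)."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError(f"TTL {observed_ttl} out of range")


class IP2HC:
    """IP-to-hop-count table aggregated per prefix (assumed /24) to save switch memory.

    The aggregation assumes hosts inside one prefix share a hop count to this vantage
    point; where that does not hold, the filter would mislabel legitimate packets.
    """

    def __init__(self, prefix_len: int = 24):
        self.prefix_len = prefix_len
        self.table: dict = {}

    def _key(self, ip: str):
        return ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)

    def learn(self, ip: str, ttl: int) -> None:
        """Record the hop count seen from a packet known to be legitimate (constructed)."""
        self.table[self._key(ip)] = infer_hop_count(ttl)

    def check(self, ip: str, ttl: int) -> str:
        """Classify a packet: 'legit', 'spoofed', or 'unknown' when no mapping exists."""
        expected = self.table.get(self._key(ip))
        if expected is None:
            return "unknown"  # no entry yet; must be learned before it can be filtered
        return "legit" if infer_hop_count(ttl) == expected else "spoofed"


def demo() -> list:
    """Constructed traffic: one learned prefix, then a mix of legitimate and spoofed packets."""
    table = IP2HC()
    table.learn("203.0.113.10", 54)  # 64 - 54 -> 10 hops for 203.0.113.0/24
    packets = [("203.0.113.77", 118), ("203.0.113.77", 200), ("198.51.100.5", 60)]
    return [(src, table.check(src, ttl)) for src, ttl in packets]
```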

Original language: English
Pages (from-to): 1641-1655
Number of pages: 15
Journal: IEEE Transactions on Dependable and Secure Computing
Volume: 20
Issue number: 2
State: Published - 1 Mar 2023
Externally published: Yes

Keywords

  • Hop-count filtering
  • programmable switches
  • spoofed IP traffic
