A TCP connection establishment filter: symmetric connection detection
Network measurement at 10+Gbps speeds imposes many restrictions on the resource consumption of the measurement application, making any filtering of input data highly desirable. Symmetric Connection Detection (SCD) is a method of filtering TCP sessions, passing only those sessions which become fully established. SCD can benefit network monitoring applications that are only interested fully established TCP connections by reducing processing requirements. Incomplete connection attempts, such as port scanning attempts, simply waste resources in many applications if they are not filtered. SCD filters out unsuccessful connection attempts using a combination of Bloom filters to track the state of connection establishment for every flow passing through a network device. Unsuccessful flows can be filtered out to a very high degree of accuracy, depending on the size of the Bloom filter and traffic rate, 99.5% is typical. Resource consumption, both memory and CPU is low. The core SCD algorithm is designed to work in high-speed routers, in real-time, and at line speed. Using an upper bound of 32k bytes of RAM our experimental results indicate 99+% accuracy with 900,000 active flows.
|Conference||2007 IEEE International Conference on Communications, ICC'07|
Whitehead, B. (Brad), Lung, C.H, & Rabinovitch, P. (Peter). (2007). A TCP connection establishment filter: symmetric connection detection. Presented at the 2007 IEEE International Conference on Communications, ICC'07. doi:10.1109/ICC.2007.49