CS536: Reconfigurable System on Chip Design
Final Projects
Prof. Lockwood : Fall 2002

Bloom Filter

The Bloom filter provides an efficient means to detect content in data streams. In this project, a Bloom filter will be implemented that can search for strings in Internet packets. The Bloom filter will store the pre-computed hash bit vector for a large set of possibly malicious strings. Incoming packets will be hashed and looked up against this vector. Non-matching packets will pass through the firewall at line speed, while matching packets will be re-routed for further analysis.
  • Sarang Dharmapurikar:
  • Praveen Krishnamurthy:
  • Todd Sproull:
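The lookup described above, as an added software model (not the course project's own hardware): one Bloom filter per signature length, probed with a sliding window at every byte offset of the payload, with Bloom hits treated only as candidates that an exact check confirms. Signatures, payloads, the filter size (65536 bits, 4 hashes) and the SHA-256-based double hashing are all assumptions made for this example.

```python
import hashlib
import struct


class BloomFilter:
    """Bit-vector Bloom filter. The k probe indexes come from one SHA-256 digest
    split into two 32-bit words and combined as h1 + i*h2 (double hashing)."""

    def __init__(self, m_bits, k):
        self.m = m_bits
        self.k = k
        self.bits = bytearray((m_bits + 7) // 8)

    def _indexes(self, item):
        h1, h2 = struct.unpack_from("<II", hashlib.sha256(item).digest(), 0)
        h2 |= 1  # keep h2 odd so the k probes do not collapse onto one index
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item):
        for idx in self._indexes(item):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def __contains__(self, item):
        return all(self.bits[idx >> 3] & (1 << (idx & 7)) for idx in self._indexes(item))


class PayloadScanner:
    """Mimics the hardware pipeline: one Bloom filter per signature length, each
    probed with a window of that length at every byte offset of the payload.
    A Bloom hit is only a candidate (false positives are possible); classify()
    resolves it with an exact lookup, standing in for the 'further analysis' stage."""

    def __init__(self, signatures, m_bits=1 << 16, k=4):
        self.filters = {}
        self.exact = set(signatures)
        for sig in signatures:
            if len(sig) not in self.filters:
                self.filters[len(sig)] = BloomFilter(m_bits, k)
            self.filters[len(sig)].add(sig)

    def candidates(self, payload):
        hits = []
        for length, bf in self.filters.items():
            for off in range(len(payload) - length + 1):
                window = payload[off:off + length]
                if window in bf:
                    hits.append((off, window))
        return hits

    def classify(self, payload):
        """Return ("pass", []) for clean payloads, ("divert", matches) otherwise."""
        matches = [(off, w) for off, w in self.candidates(payload) if w in self.exact]
        return ("divert", matches) if matches else ("pass", [])


# Constructed sample signatures (not from the course project).
SIGNATURES = [b"/etc/passwd", b"cmd.exe", b"<script>"]
SCANNER = PayloadScanner(SIGNATURES)

if __name__ == "__main__":
    print(SCANNER.classify(b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"))
    print(SCANNER.classify(b"GET /index.html HTTP/1.0\r\n"))
```

A 65536-bit vector is 8 KB, small enough for on-chip block RAM, and each window costs k bit reads regardless of how many signatures are loaded; the price is the false-positive rate, which is why matching packets are diverted for analysis rather than dropped outright.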

Content-based Image Filter

Some users may consider certain types of images to be inappropriate. For this project, a content-based image filter will be implemented to determine whether an image carried in web traffic is appropriate or not. The filter has two parts. The first part parses the HTTP response header to find the start of the image. If a packet is part of an image, it is buffered until analysis is complete. Next, histogram analysis is used to determine whether or not to block the transmission of the image. In this implementation, the circuit will only process images that are uncompressed 24-bit, true-color BMP files.
  • Huakai Zhang:
  • Hui Zhang:

Control Packet Security

The existing SOC firewall configuration can be changed remotely over the Internet. A malicious user could generate fake control packets to make the firewall behave incorrectly or to learn the firewall rules. To provide better security, two widely used block ciphers (3DES and AES) will be implemented in hardware to decrypt control packets. Further, the control packet format will be augmented to support authentication, so that no other user can take over or change the firewall configuration. The decryption block will sit in front of the CAM-based firewall block.
  • Haoyu Song: Control Packet Processor Hardware
  • Jing Lu: Encryption Core Hardware
  • James Moscola: Control Packet Generator Software
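The authentication extension described above, as an added example that is not the project's own packet format: each control packet carries a sequence number and an HMAC-SHA256 tag over the header and body, and the receiver rejects forged, modified or replayed packets before anything reaches the rule-update logic. The 3DES/AES decryption stage is outside this example (the standard library has no block cipher); the magic value, opcodes, header layout and key are assumptions.

```python
import hashlib
import hmac
import struct

MAGIC = b"CTRL"
HEADER = struct.Struct("!4sIB")   # magic, 32-bit sequence number, opcode
TAG_LEN = hashlib.sha256().digest_size

# Opcodes are constructed for this example; the project's real format is not shown.
OP_ADD_RULE = 1
OP_DEL_RULE = 2


def build_control_packet(key, seq, opcode, body):
    """Sender side: header || body || HMAC-SHA256(key, header || body)."""
    msg = HEADER.pack(MAGIC, seq, opcode) + body
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


class ControlPacketVerifier:
    """Receiver side. Returns ((opcode, body), "ok") for an authentic, fresh
    packet and (None, reason) for anything that must be discarded."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1   # highest sequence number accepted so far

    def verify(self, pkt):
        if len(pkt) < HEADER.size + TAG_LEN:
            return None, "too short"
        msg, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        magic, seq, opcode = HEADER.unpack_from(msg)
        if magic != MAGIC:
            return None, "bad magic"
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        # Constant-time comparison: a byte-by-byte compare would leak the tag.
        if not hmac.compare_digest(expected, tag):
            return None, "bad tag"
        # Check the counter only after the tag, so an unauthenticated packet
        # cannot advance it and lock out the legitimate administrator.
        if seq <= self.last_seq:
            return None, "replay"
        self.last_seq = seq
        return (opcode, msg[HEADER.size:]), "ok"
```

Tamper detection covers the whole packet, including the opcode and sequence number, because the tag is computed over the header as well as the body; a captured packet can be read (the cipher stage handles confidentiality) but not reused.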

DDOS Shield

The project is to implement one or more modules that will provide protection against Denial-of-Service (DoS) flood attacks (such as ICMP, UDP and Smurf floods) and malformed-packet attacks (such as Ping of Death and Tiny Fragment attacks).

For protection from the UDP flood attack, the source IP address of all UDP packets forwarded through the firewall will be rewritten to the firewall's own IP address. The firewall can then detect when a UDP packet reaches its destination but cannot be delivered to any application, by listening for the resulting ICMP port unreachable packets. Once such a packet is detected, the firewall's CAMs will be updated to block that destination; additional UDP packets going to the same destination/port pair will then be dropped.

For protection from the ICMP flood attack, a separate timer will be maintained for incoming packets and for outgoing packets. If the inter-arrival time between ICMP packets is less than the timer value, the packet is dropped. The timer value can be changed by sending a new control packet.

For protection from the Smurf flood attack, CAMs will be maintained with the subnets and masks of the networks to be protected. Whenever an ICMP packet (ping packet) is destined for a broadcast address computed from one of those subnets, the packet will be dropped.

For protection from the Ping of Death attack, the last fragment of any packet that would make the reassembled packet longer than 65535 bytes will be dropped.

For protection from the Tiny Fragment attack, the first fragment of a TCP packet will be checked and dropped if it is shorter than the TCP header length.

  • Rade Todorovic: TBD
  • Manoj Singla:
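The five rules above, combined into one added software model that is not the project's own circuit. Packets are constructed dicts rather than real frames, the protected subnet, timer value and sample addresses are assumptions, and the 20-byte minimum for a first TCP fragment is the TCP header length without options.

```python
import ipaddress

TCP_HEADER_MIN = 20      # bytes; a first fragment shorter than this cannot carry ports and flags
MAX_IP_DATAGRAM = 65535  # largest reassembled IPv4 datagram


class DdosShield:
    """Packets are constructed dicts with: proto ("icmp"|"udp"|"tcp"), src, dst,
    payload_len (bytes after the IP header), optional frag_offset (bytes) and mf
    (more-fragments flag); ICMP packets carry type/code and, for port unreachable,
    inner_dst/inner_dport of the UDP packet that provoked them; UDP/TCP carry dport."""

    def __init__(self, protected_subnets, icmp_min_interval):
        # Smurf: precompute the directed-broadcast address of each protected subnet.
        self.broadcasts = {
            str(ipaddress.ip_network(s).broadcast_address) for s in protected_subnets
        }
        self.icmp_min_interval = icmp_min_interval
        self.last_icmp = {}       # direction -> arrival time of the last forwarded ICMP packet
        self.blocked_udp = set()  # (dst, dport) pairs learned from port-unreachable replies

    def check(self, pkt, now, direction="in"):
        """Return None to forward the packet, or the name of the rule that drops it."""
        frag_offset = pkt.get("frag_offset", 0)
        # Ping of Death: any fragment whose end lies past 65535 breaks reassembly.
        if frag_offset + pkt["payload_len"] > MAX_IP_DATAGRAM:
            return "ping-of-death"
        # Tiny Fragment: first TCP fragment too short to hold a full TCP header.
        if (pkt["proto"] == "tcp" and pkt.get("mf") and frag_offset == 0
                and pkt["payload_len"] < TCP_HEADER_MIN):
            return "tiny-fragment"
        if pkt["proto"] == "icmp":
            if pkt["type"] == 8 and pkt["dst"] in self.broadcasts:
                return "smurf"
            if pkt["type"] == 3 and pkt["code"] == 3:
                # Port unreachable: nothing listens there, so block further UDP to that pair.
                self.blocked_udp.add((pkt["inner_dst"], pkt["inner_dport"]))
            last = self.last_icmp.get(direction)
            if last is not None and now - last < self.icmp_min_interval:
                return "icmp-flood"   # timer is not reset, so traffic resumes after the interval
            self.last_icmp[direction] = now
        if pkt["proto"] == "udp" and (pkt["dst"], pkt["dport"]) in self.blocked_udp:
            return "udp-flood"
        return None
```

The order of the checks matters: the fragment rules run first because a malformed packet should never reach the protocol-specific logic, and the port-unreachable learning runs before the ICMP rate limit so that the block is recorded even while ICMP is being throttled.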

DNS Caching

The domain name system (DNS) provides the means for Internet hosts to map human-readable domain names to machine-readable Internet Protocol (IP) addresses. For almost every host-to-host connection, an application on the initiating host (host A) requires an IP address for the domain name of the receiving host (host B). The result is that several packets travel from host A to one or more DNS servers before the connection to host B is even established.

The goal of this project is to reduce the amount of network traffic created by DNS communications by locally caching the domain name to IP address associations. A firewall component monitors incoming traffic (from outside the local network) for DNS server replies. It then stores the IP address in memory with a 32-bit hash value of the associated domain name.

The component also intercepts outgoing DNS requests (from hosts within the local network). It hashes the domain name and checks memory for an IP address. If one is found, the firewall component drops the outgoing request and spoofs a DNS server reply containing the association; otherwise, the query packet passes through untouched.

  • Sean Leather: Muxes, Egress
  • Kirk Ellett: Cache, Hash, Ingress
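The ingress and egress halves of the cache, as an added example in software rather than the project's hardware: replies are parsed for A records and stored under a 32-bit hash of the lowercased name, queries are hashed the same way, and a hit is answered with a synthesized reply carrying the query's own transaction ID. The hash function (FNV-1a), the sample names and addresses, and two safety additions (the full name is kept beside the hash so a collision cannot answer the wrong host, and entries expire with their TTL) are assumptions of this example, not features stated on the page.

```python
import ipaddress
import struct

DNS_HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount


def fnv1a32(name):
    """32-bit FNV-1a over the lowercased name: the key the cache memory is indexed by."""
    h = 0x811C9DC5
    for b in name.lower().encode("ascii"):
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def parse_name(msg, off):
    """Decode a wire-format name, following compression pointers; returns (name, end)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                     # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower(), (off if end is None else end)


def build_query(qid, name):
    return DNS_HEADER.pack(qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_reply(query, ip, ttl):
    """Answer a query with one A record (used for the constructed server reply
    and for the spoofed reply the cache emits)."""
    qid = DNS_HEADER.unpack_from(query)[0]
    _, qend = parse_name(query, DNS_HEADER.size)
    question = query[DNS_HEADER.size:qend + 4]
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return DNS_HEADER.pack(qid, 0x8180, 1, 1, 0, 0) + question + answer


def parse_a_records(reply):
    """Yield (name, ip, ttl) for every A record in the answer section."""
    _, _, qd, an, _, _ = DNS_HEADER.unpack_from(reply)
    off = DNS_HEADER.size
    for _ in range(qd):
        _, off = parse_name(reply, off)
        off += 4
    for _ in range(an):
        name, off = parse_name(reply, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", reply, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield name, str(ipaddress.IPv4Address(reply[off:off + 4])), ttl
        off += rdlen


class DnsCache:
    def __init__(self):
        self.table = {}   # fnv1a32(name) -> (name, ip, expiry)

    def learn(self, reply, now):
        """Ingress side: remember A records seen in replies arriving from outside."""
        for name, ip, ttl in parse_a_records(reply):
            self.table[fnv1a32(name)] = (name, ip, now + ttl)

    def handle_query(self, query, now):
        """Egress side: return a spoofed reply (and drop the query), or None to let it out."""
        name, qend = parse_name(query, DNS_HEADER.size)
        qtype, qclass = struct.unpack_from("!HH", query, qend)
        entry = self.table.get(fnv1a32(name))
        if qtype != 1 or qclass != 1 or entry is None:
            return None
        stored_name, ip, expiry = entry
        if stored_name != name or expiry <= now:
            return None
        return build_reply(query, ip, int(expiry - now))
```

One caveat a practitioner would want noted: a cache that learns from every inbound reply, as described, will also learn from a forged reply, so in practice the ingress side should at least match replies against outstanding query IDs before storing them.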

Denial of Service Classifier

For this project, a circuit will be implemented to protect a network from Denial of Service (DoS) attacks by guarding against TCP SYN flooding. Network throughput will be maintained for other flows by dropping only selected packets deemed to be part of the flood.
  • David Schuehler: utility infielder
  • Vinayak Joshi:
  • Rooparani Pundaleeka:
  • Bharath Madhusudan:
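One way to select only the flood packets, as an added example rather than the project's circuit: count half-open connections (SYN seen, no completing ACK or RST) per source and drop only the SYNs that exceed a per-source budget, letting established flows and well-behaved sources through. The budget, timeout and sample addresses are assumptions; note that a flood using spoofed sources defeats a per-source limit alone, so a hardware version would also cap the total number of half-open entries.

```python
class SynFloodGuard:
    """Tracks half-open TCP connections per source. Packets are constructed dicts:
    src, sport, dst, dport, flags (a set of flag names such as {"SYN"})."""

    def __init__(self, per_source_limit=4, timeout=3.0):
        self.per_source_limit = per_source_limit
        self.timeout = timeout
        self.half_open = {}   # (src, sport, dst, dport) -> time the SYN was seen

    def _expire(self, now):
        # A SYN that never completed within `timeout` stops counting; this is what
        # lets a source recover once its burst stops.
        for key, t in list(self.half_open.items()):
            if now - t > self.timeout:
                del self.half_open[key]

    def check(self, pkt, now):
        """Return "pass" or "drop" for one packet."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        flags = pkt["flags"]
        if "SYN" in flags and "ACK" not in flags:
            self._expire(now)
            outstanding = sum(1 for k in self.half_open if k[0] == pkt["src"])
            if outstanding >= self.per_source_limit:
                return "drop"           # only the excess SYNs are dropped
            self.half_open[key] = now
            return "pass"
        if key in self.half_open and ("ACK" in flags or "RST" in flags):
            del self.half_open[key]     # handshake completed (or aborted) by the client
        return "pass"
```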

Intelligent SPAM Filter

This project focuses on implementing an intelligent SPAM filter that uses a counter-based approach to decide which packets to drop. IP addresses that generate SPAM are identified and logged in block RAM. A counter-based sort is then performed to determine which IP addresses generate the most SPAM.
  • Arumugam Deivanayagam:
  • Binny T Mathews:

NAT

NAT (Network Address Translation) and PAT (Port Address Translation) allow computers to be connected to the Internet without exposing their private IP addresses to the world. Generally a router provides this function by replacing the source IP address in outgoing packets with its own public IP address and replacing the source port with a new port. When packets return, the original destination IP address and port are looked up based on the public destination port.

This circuit will use block memory to translate IP and port values. Timers will be maintained to time out connections.

  • Eric Hemmeter:
  • Victor Lai:
  • Jason White:
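The translation table with connection timers, as an added software model that is not the project's circuit: outbound packets get the public address and a freshly allocated port, inbound packets are mapped back by public port, anything without a mapping is dropped, and idle mappings expire. Packets are constructed dicts; the public address, port range, idle timeout and the choice of an endpoint-independent mapping (one public port per private address/port/protocol) are assumptions.

```python
class Nat:
    """Port-based NAT (PAT) table. Packets are constructed dicts with
    proto, src, sport, dst, dport."""

    def __init__(self, public_ip, idle_timeout=60.0, port_base=40000, port_count=1024):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.port_base, self.port_count = port_base, port_count
        self.next_port = port_base
        self.by_private = {}   # (priv_ip, priv_port, proto) -> public port
        self.by_public = {}    # public port -> [priv_ip, priv_port, proto, last_seen]

    def _expire(self, now):
        # Connection timers: a mapping idle longer than idle_timeout is removed
        # from both tables so its port can be reused.
        for port, entry in list(self.by_public.items()):
            if now - entry[3] > self.idle_timeout:
                del self.by_public[port]
                del self.by_private[(entry[0], entry[1], entry[2])]

    def _alloc_port(self):
        for _ in range(self.port_count):
            port = self.next_port
            self.next_port = self.port_base + (port + 1 - self.port_base) % self.port_count
            if port not in self.by_public:
                return port
        raise RuntimeError("translation table full")

    def outbound(self, pkt, now):
        """Rewrite source address/port of a packet leaving the private network."""
        self._expire(now)
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        port = self.by_private.get(key)
        if port is None:
            port = self._alloc_port()
            self.by_private[key] = port
            self.by_public[port] = [pkt["src"], pkt["sport"], pkt["proto"], now]
        self.by_public[port][3] = now
        return dict(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt, now):
        """Rewrite destination of a returning packet, or None (drop) if no mapping exists."""
        self._expire(now)
        entry = self.by_public.get(pkt["dport"])
        if entry is None or entry[2] != pkt["proto"]:
            return None
        entry[3] = now
        return dict(pkt, dst=entry[0], dport=entry[1])
```

Dropping unsolicited inbound packets is what gives NAT its incidental firewalling effect; the timer is the security-relevant knob, since a mapping that never expires is a permanently open port to the inside host.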

RSVP Based Bandwidth Allocator

Different streams with varying content (video, audio, image, text) have different QoS requirements and therefore need to be allocated different amounts of bandwidth. In this project, an RSVP protocol handler will be implemented to enable bandwidth allocation based on RSVP requests. The circuit will be incorporated into the SoC firewall and will manage the packet classifiers and per-flow queuing circuits.
  • Ananda Rangan:
  • Vignesh Nandakumar:

Self-Clocked Fair Queuing (SCFQ)

A Self-Clocked Fair Queuing (SCFQ) circuit will be implemented to schedule packets from the queue memory. SCFQ normally requires sorting packets by smallest virtual finish time, which implies an O(log n) scheduling algorithm. By implementing the SCFQ mechanism with timing wheels, scheduling can be done in O(1) time. This project will replace the packet scheduler designed in Machine Problem 3, Part 2 with the SCFQ scheduler.
  • Mark Tamola:
  • Ali Fadaei:
  • Samuel Bogale:
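The O(1) scheduler described above, as an added example that is not the project's circuit: a packet of length L from flow i with weight w_i receives finish tag F = max(F_i_prev, V) + L / w_i, where the virtual time V is the finish tag of the packet most recently taken into service (this is what makes SCFQ self-clocked); instead of a sorted structure, F selects wheel slot floor(F / granularity) mod slots, so enqueue and dequeue are constant-time at the cost of FIFO order among packets that land in the same slot. The flows, weights, packet lengths, wheel size and granularity are assumptions.

```python
from collections import deque


class ScfqTimingWheel:
    """SCFQ scheduler on a timing wheel of `slots` buckets, each `granularity`
    units of virtual time wide."""

    def __init__(self, weights, slots=64, granularity=10.0):
        self.weights = dict(weights)
        self.slots = [deque() for _ in range(slots)]
        self.granularity = granularity
        self.virtual_time = 0.0
        self.last_finish = {flow: 0.0 for flow in self.weights}
        self.cursor = 0          # slot currently being served
        self.count = 0

    def enqueue(self, flow, length):
        """Tag the packet and drop it into its wheel slot; returns the finish tag."""
        start = max(self.last_finish[flow], self.virtual_time)
        finish = start + length / self.weights[flow]
        # The wheel only covers one rotation ahead of the virtual clock; a tag beyond
        # that would wrap onto an earlier slot and be served out of order.
        if int(finish / self.granularity) - int(self.virtual_time / self.granularity) >= len(self.slots):
            raise ValueError("finish tag beyond timing-wheel horizon")
        self.last_finish[flow] = finish
        self.slots[int(finish / self.granularity) % len(self.slots)].append((finish, flow, length))
        self.count += 1
        return finish

    def dequeue(self):
        """Return (flow, length, finish_tag) of the next packet to send, or None if idle."""
        if self.count == 0:
            return None
        while not self.slots[self.cursor]:
            self.cursor = (self.cursor + 1) % len(self.slots)
        finish, flow, length = self.slots[self.cursor].popleft()
        self.virtual_time = finish      # self-clocking: V follows the packet in service
        self.count -= 1
        return flow, length, finish
```

With weights video=2 and text=1 and 200-byte packets, the first video packet is tagged 100, the text packet 200, the second video packet also 200 (its start time is the previous video finish, not V), and the third 300; the wheel serves them in that order, with the slot-200 tie resolved FIFO rather than by any secondary sort.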