Purpose: Site-specific Customization and Rate Limiting of Unexpected Packets

The Firewall abstracts the concerns of each site - essentially representing the plurality of host computers and services peculiar to each site. In addition to setting site-specific parameters for a DDoS defense which can be used to determine when an attack is under way, the firewall is equipped to request its upstream neighbors to limit the rate of traffic with specific paths. The MANAnet Firewall works most effectively with the MANAnet Router to provide a systemic defense against incoming DDoS attacks.

Description: Filtering and Scheduling Incoming Packets

A MANAnet Firewall has all the functionality of a traditional firewall. In addition, it incorporates features necessary to detect and defend against DDoS attacks. Some of the novel capabilities of the MANAnet Firewall include:

• Ability to encode and decode packets based on Path-Enhanced IP (PEIP) and to filter or schedule packets based upon their incoming paths (PLFQ).
  
  
• Ability to track incoming packets that are "unexpected" - namely those that are not replies to packets in the other direction. Such packets are not dropped, they are scheduled at a slower rate. This ensures that packets with established conversations (i.e., "expected" packets) are served faster than unexpected packets. This defends against many DDoS attacks.
  
  
• Implements Historical Places Based Queuing (HPLFQ) - tracking the paths for data packets that have been served over some time interval, and ensuring that new requests are handled fairly with respect to the recent history of service for their paths.

Who Needs the Firewall: Any Site Vulnerable to Incoming DDoS Attacks

With the capabilities described above, the MANAnet Firewall, by itself, provides some incremental defense against incoming DDoS attacks. However, the Firewall works most effectively with neighboring MANAnet Routers to provide a working, systemic DDoS defense. Any site interested in having a working defense against incoming DDoS attacks can use the MANAnet Firewall.

Benefits of the Firewall: Better than Fair Service to Customers

MANAnet Routers provide fair forwarding service to data packets based on their paths. In the absence of better knowledge, this is the best that routers can accomplish. Unfortunately, this means that some of the attackers' packets will be served in proportion to the number of places the attacker has taken over. With the aid of the MANAnet Firewall, one can do much better than fair service for the customers. At the firewall one can detect that packets from certain paths are being dropped, and the Firewall can request its neighboring routers to limit the rate of traffic from the offending paths. In this manner, more of the bandwidth is provided to the customer than would be made available through simple fair service.