by jedberg 2962 days ago
I worked on the eBay DDOS prevention system in the early 2000s. My coworkers filed a patent on part of the system.

https://patents.google.com/patent/US7992192

Once the traffic was detected, the signature was sent to a second system that was a series of hardware optimized for layer 7 packet inspection. The devices were updated with signatures of current attacks, and then checked every incoming packet for that signature. Any packet that matched was parsed for where it was coming from, and then the router was updated to drop traffic from that source for a period of time.

As far as I know, today's techniques are fairly similar, along with just having a whole lot of computers that can absorb the traffic.


What does a "signature" look like specifically, or generally if you can't be specific? Would love to hear about what is actually getting sent to the L7 optimized hardware.

In the early 2000s you could get a long way with just the 5-tuple, some basic aggregation inference, and a RRD histogram. The tricky parts were having the ability to divert and process the traffic once characterized. The actual processing wasn’t that complicated; it just needed way bigger rules than could be fit in a switch TCAM.

Not the GP, though I've also worked in the DDoS space. Think fancy regexps (augmented with e.g. fast string search engines, counters, etc.), running inside a protocol-specific interpreter.

At least in the product I worked on, L7 processing was done purely in software. You could probably make hardware to do that but there's not a ton of benefit as you're pretty much constrained by memory bandwidth, not CPU power, once you start looking at anything past fixed headers.

(Our product also performed deep-packet inspection – in fact that was its original function – so the L7 processing was probably a bit more general than DDoS-only products.)

It would look at the HTTP request and break it down by URI, host, parameters, cookies, etc. A signature was some combo of those.

It also did layer 2 and 3 detection and looked for the stuff mentioned below like IP and port and if the 3-way handshake was “normal”. Stuff like that.
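The pipeline jedberg describes in the parent and this reply (break the HTTP request into URI, host, parameters and cookies; a signature is a combination of those; any match gets the source dropped for a period of time) as an added, self-contained Python simulation. This is example code, not eBay's system or the patented implementation: the sample traffic, the signature and the 600-second hold are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample traffic as (source IP, raw HTTP request); not real captures.
SAMPLE_TRAFFIC = [
    ("203.0.113.5", "GET /search?q=laptop&sort=price HTTP/1.1\r\nHost: www.example.com\r\nCookie: sid=a1\r\n\r\n"),
    ("198.51.100.7", "GET /search?q=%00%00%00 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("198.51.100.7", "GET /search?q=%00%00%01 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("192.0.2.9", "GET /item/42 HTTP/1.1\r\nHost: www.example.com\r\nCookie: sid=b2\r\n\r\n"),
]

def parse_request(raw):
    """Break a request into the fields a signature is built from: uri, host, params, cookies."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target = head[0].split(" ")[:2]
    headers = dict((k.strip().lower(), v.strip())
                   for k, v in (h.split(":", 1) for h in head[1:] if ":" in h))
    url = urlsplit(target)
    fields = {"method": method, "uri": url.path, "host": headers.get("host", "")}
    for k, v in parse_qsl(url.query, keep_blank_values=True):   # percent-decoding happens here
        fields["param." + k] = v
    for c in headers.get("cookie", "").split(";"):
        if "=" in c:
            k, v = c.strip().split("=", 1)
            fields["cookie." + k] = v
    return fields

def matches(signature, fields):
    """A signature is a combination of per-field regexes; every one must match (missing field = "")."""
    return all(re.search(pat, fields.get(name, "")) for name, pat in signature.items())

def blocklist_from_traffic(traffic, signature, now, hold_seconds=600):
    """Return {source_ip: expiry}: every source that sent a matching request is dropped for hold_seconds."""
    blocked = {}
    for src, raw in traffic:
        if matches(signature, parse_request(raw)):
            blocked[src] = now + hold_seconds   # a repeat match simply extends the hold
    return blocked

def is_blocked(blocked, src, now):
    """What the router check reduces to once the block has a time limit."""
    return src in blocked and blocked[src] > now

# Constructed signature: /search with a q parameter that is a run of NUL bytes and no session cookie.
SIGNATURE = {"uri": r"^/search$", "param.q": r"^\x00+", "cookie.sid": r"^$"}
```

Only the second source matches all three constraints; the first source hits /search too but carries a session cookie and a normal query, so the combination, not any single field, is what decides.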

>"Once the traffic was detected, the signature was sent to a second system that was a series of hardware optimized for layer 7 packet inspection."

Was this custom DPI hardware or something from a vendor?

It was off-the-shelf hardware, but then the software was customized by my coworker. He had to write some C and assembly for it.

I wonder if someone with more industry knowledge might be able to hazard a guess at what kind of off-the-shelf hardware.

You didn't say VHDL (or maybe this was irrelevant for switching circa 2000?), so I'm really curious what architecture was in use. (That's really all my question is; CPU architecture / system design)