A Modular System for FPGA-Based TCP Flow Processing in High-Speed Networks

  • David V. Schuehler
  • John W. Lockwood
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3203)


Field Programmable Gate Arrays (FPGAs) can be used in Intrusion Prevention Systems (IPS) to inspect application data contained within network flows. An IPS operating on high-speed network traffic can be used to stop the propagation of Internet worms and to protect networks from Denial of Services (DoS) attacks. When used in the backbone of a core network, the device will be exposed to millions of active flows simultaneously. In order to protect the data in each connection, network devices will need to track the state of every flow. This must be done at multi-gigabit line rates without introducing significant delays.

This paper describes a high performance TCP processing system called TCP-Processor which supports flow processing in high-speed networks utilizing multiple devices. This circuit provides stateful flow tracking, TCP stream reassembly, context storage, and flow manipulation services for applications which process TCP data streams. A simple client interface eases the complexities associated with processing TCP data streams. In addition, a set of encoding and decoding circuits has been developed which efficiently transports this interface between multiple FPGA devices. The circuit has been implemented in FPGA hardware and tested using live Internet traffic.


Field Programmable Gate Array FPGA Device Ternary Content Addressable Memory Intrusion Prevention System Network Data Packet 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Attig, M., Dharmapurikar, S., Lockwood, J.: Implementation results of bloom filters for string matching. In: IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM), Napa, CA (April 2004)Google Scholar
  2. 2.
    Bhargavan, K., Chandra, S., McCann, P.J., Gunter, C.A.: What packets come: automata for network monitoring. In: Proceedings of the 28th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, pp. 206–219. ACM Press, New York (2001)CrossRefGoogle Scholar
  3. 3.
    Braun, F., Lockwood, J., Waldvogel, M.: Reconfigurable router modules using network protocol wrappers. In: Proceedings of Field-Programmable Logic and Applications, Belfast, Northern Ireland, August 2001, pp. 254–263 (2001)Google Scholar
  4. 4.
    Braun, F., Lockwood, J.W., Waldvogel, M.: Layered protocol wrappers for Internet packet processing in reconfigurable hardware. In: Proceedings of Symposium on High Performance Interconnects (HotI 2001), Stanford, CA, USA, August 2001, pp. 93–98 (2001)Google Scholar
  5. 5.
    Dharmapurikar, S., Krishnamurthy, P., Sproull, T., Lockwood, J.: Deep packet inspection using parallel bloom filters. In: Proceedings of Symposium on High Performance Interconnects (HotI 2003), Stanford, CA, USA, August 2003, pp. 25–29 (2003)Google Scholar
  6. 6.
    Franklin, R., Carver, D., Hutchings, B.L.: Assisting Network Intrusion Detection with Reconfigurable Hardware. In: IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM), Napa, CA, USA (April 2002)Google Scholar
  7. 7.
    Li, S., Toressen, J., Soraasen, O.: Exploiting stateful inspection of network security in reconfigurable hardware. In: Y. K. Cheung, P., Constantinides, G.A. (eds.) FPL 2003. LNCS, vol. 2778, Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Lockwood, J.W., Naufel, N., Turner, J.S., Taylor, D.E.: Reprogrammable Network Packet Processing on the Field Programmable Port Extender (FPX). In: ACM International Symposium on Field Programmable Gate Arrays (FPGA 2001), Monterey, CA, USA, February 2001, pp. 87–93 (2001)Google Scholar
  9. 9.
    Moscola, J., Lockwood, J., Loui, R.P., Pachos, M.: Implementation of a content-scanning module for an internet firewall. In: IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM), Napa, CA, USA (April 2003)Google Scholar
  10. 10.
    Necker, M., Contis, D., Schimmel, D.: TCP-Stream Reassembly and State Tracking in Hardware. In: FCCM 2002 Poster (April 2002)Google Scholar
  11. 11.
    Paxson, V.: Bro: A system for detecting network intruders in real-time. Computer Networks 31(23-24), 2435–2463 (1999)CrossRefGoogle Scholar
  12. 12.
    Roesch, M.: SNORT - Lightweight Intrusion Detection for Networks. In: LISA 1999: USENIX 13th Systems Administration Conference (November 1999)Google Scholar
  13. 13.
    Schuehler, D.V., Moscola, J., Lockwood, J.: Architecture for a hardware based, tcp/ip content scanning system. In: Proceedings of Symposium on High Performance Interconnects (HotI 2003), Stanford, CA, USA, August 2003, pp. 89–94 (2003)Google Scholar
  14. 14.
    Sidhu, R., Prasanna, V.K.: Fast regular expression matching using FPGAs. In: IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM), Rohnert Park, CA, USA (April 2001)Google Scholar
  15. 15.
    Vigna, G., Robertson, W., Kher, V., Kemmerer, R.: A Stateful Intrusion Detection System for World-Wide Web Servers. In: Omondi, A.R., Sedukhin, S.G. (eds.) ACSAC 2003. LNCS, vol. 2823, pp. 34–43. Springer, Heidelberg (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • David V. Schuehler
    • 1
  • John W. Lockwood
    • 1
  1. 1.Applied Research LaboratoryWashington UniversitySt. LouisUSA

Personalised recommendations