Detection of DDoS and IDS Evasion Attacks in a High-Speed Networks Environment

BcN(Broadband convergence Networks) is being deployed in order to support a variety of network applications such as E-Commerce, DMB(Digital Multimedia Broadcasting), Home Network, VoIP(Voice over IP), and other services. As network bandwidth is growing rapidly and services are converged, the opportunity and severity of network intrusions are growing as well. This paper presents a novel Intrusion Detection System (IDS) architecture named 'Security Gateway System (SGS)' designed to perform intrusion detection and prevention on highspeed network links. Among several other features in the system, we focus on the detection of DDoS(Distributed Denial of Service) and IDS evasion attacks. We implemented both the mechanisms for handling the bandwidth consuming attack and the detection engine against IDS evasion attack in FPGA(Field Programmable Gate Array). We present some experimental results in a gigabit test bed. The results show that the real-time detection against both attacks is possible with 2 gigabits throughput in each security board.