{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,5]],"date-time":"2026-06-05T02:58:53Z","timestamp":1780628333003,"version":"3.54.1"},"reference-count":49,"publisher":"MDPI AG","issue":"17","license":[{"start":{"date-parts":[[2023,9,3]],"date-time":"2023-09-03T00:00:00Z","timestamp":1693699200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100004488","name":"Croatian Science Foundation","doi-asserted-by":"publisher","award":["IP-2019-04-1986"],"award-info":[{"award-number":["IP-2019-04-1986"]}],"id":[{"id":"10.13039\/501100004488","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>The increasing network speeds of today\u2019s Internet require high-performance, high-throughput network devices. However, the lack of affordable, flexible, and readily available devices poses a challenge for packet classification and filtering. This problem is exacerbated by the increase in volumetric Distributed Denial-of-Service (DDoS) attacks, which require efficient packet processing and filtering. To meet the demands of high-speed networks and configurable network processing devices, this paper investigates a hybrid hardware\/software packet filter prototype that combines reconfigurable FPGA technology and high-speed software filtering on commodity hardware. It uses a novel approach that offloads filtering rules to the hardware and employs a Longest Prefix Matching (LPM) algorithm and allowlists\/blocklists based on millions of IP prefixes. The hybrid filter demonstrates improvements over software-only filtering, achieving performance gains of nearly 30%, depending on the rulesets, offloading methods, and traffic types. The significance of this research lies in developing a cost-effective alternative to more-expensive or less-effective filters, providing high-speed DDoS packet filtering for IPv4 traffic, as it still dominates over IPv6. Deploying these filters on commodity hardware at the edge of the network can mitigate the impact of DDoS attacks on protected networks, enhancing the security of all devices on the network, including Internet of Things (IoT) devices.<\/jats:p>","DOI":"10.3390\/s23177636","type":"journal-article","created":{"date-parts":[[2023,9,4]],"date-time":"2023-09-04T02:59:55Z","timestamp":1693796395000},"page":"7636","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["Enhancing Mitigation of Volumetric DDoS Attacks: A Hybrid FPGA\/Software Filtering Datapath"],"prefix":"10.3390","volume":"23","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3434-4923","authenticated-orcid":false,"given":"Denis","family":"Salopek","sequence":"first","affiliation":[{"name":"Faculty of Electrical Engineering and Computing, University of Zagreb, 10000 Zagreb, Croatia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Miljenko","family":"Mikuc","sequence":"additional","affiliation":[{"name":"Faculty of Electrical Engineering and Computing, University of Zagreb, 10000 Zagreb, Croatia"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2023,9,3]]},"reference":[{"key":"ref_1","unstructured":"Google (2023, July 24). Exponential Growth in DDoS Attack Volumes. Available online: https:\/\/cloud.google.com\/blog\/products\/identity-security\/identifying-and-protecting-against-the-largest-ddos-attacks."},{"key":"ref_2","unstructured":"Microsoft (2023, July 24). 2022 in Review: DDoS Attack Trends and Insights. Available online: https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/02\/21\/2022-in-review-ddos-attack-trends-and-insights\/."},{"key":"ref_3","unstructured":"Cloudflare (2023, July 24). DDoS Threat Report for 2023 Q1. Available online: https:\/\/blog.cloudflare.com\/ddos-threat-report-2023-q1\/."},{"key":"ref_4","unstructured":"RIPE Labs (2023, July 24). IPv6 10 Years Out: An Analysis in Users, Tables, and Traffic. Available online: https:\/\/labs.ripe.net\/author\/wilhelm\/ipv6-10-years-out-an-analysis-in-users-tables-and-traffic\/."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"193","DOI":"10.1145\/1090191.1080115","article-title":"Algorithms for advanced packet classification with ternary CAMs","volume":"35","author":"Lakshminarayanan","year":"2005","journal-title":"ACM SIGCOMM Comput. Commun. Rev."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Frey, D., Raynal, M., Sarkar, S., Shyamasundar, R.K., and Sinha, P. (2013). Distributed Computing and Networking. ICDCN 2013, Springer. Lecture Notes in Computer Science.","DOI":"10.1007\/978-3-642-35668-1"},{"key":"ref_7","unstructured":"Rizzo, L. (2012, January 8\u201310). Netmap: A novel framework for fast packet I\/O. Proceedings of the 21st USENIX Security Symposium (USENIX Security 12), Bellevue, WA, USA."},{"key":"ref_8","unstructured":"Intel (2023, July 24). Data Plane Development Kit (DPDK*). Available online: https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/topic-technology\/networking\/dpdk.html."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Miano, S., Bertrone, M., Risso, F., Tumolo, M., and Bernal, M.V. (2018, January 18\u201320). Creating complex network services with EBPF: Experience and lessons learned. Proceedings of the 2018 IEEE 19th International Conference on High Performance Switching and Routing (HPSR), Bucharest, Romania.","DOI":"10.1109\/HPSR.2018.8850758"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"69","DOI":"10.1145\/1355734.1355746","article-title":"OpenFlow: Enabling innovation in campus networks","volume":"38","author":"McKeown","year":"2008","journal-title":"ACM SIGCOMM Comput. Commun. Rev."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Krishnamurthy, B., Wills, C., and Zhang, Y. (2001, January 1\u20132). On the use and performance of content distribution networks. Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, San Francisco, CA, USA.","DOI":"10.1145\/505202.505224"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Moln\u00e1r, L., Pongr\u00e1cz, G., Enyedi, G., Kis, Z.L., Csikor, L., Juh\u00e1sz, F., K\u0151r\u00f6si, A., and R\u00e9tv\u00e1ri, G. (2016, January 22\u201326). Dataplane specialization for high-performance OpenFlow software switching. Proceedings of the 2016 ACM SIGCOMM Conference, Florianopolis, Brazil.","DOI":"10.1145\/2934872.2934887"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Mauricio, L.A., Rubinstein, M.G., and Duarte, O.C. (2016, January 16\u201318). Proposing and evaluating the performance of a firewall implemented as a virtualized network function. Proceedings of the 2016 7th International Conference on the Network of the Future (NOF), B\u00fazios, Brazil.","DOI":"10.1109\/NOF.2016.7810127"},{"key":"ref_14","first-page":"67","article-title":"Ddos mitigation: A review of content delivery network and its ddos defence techniques","volume":"6","author":"Imthiyas","year":"2020","journal-title":"Int. J. Perceptive Cogn. Comput."},{"key":"ref_15","unstructured":"Pac\u00edfico, R.D., Castanho, M.S., Vieira, L.F., Vieira, M.A., Duarte, L.F., and Nacif, J.A. (2021, January 18\u201320). Application layer packet classifier in hardware. Proceedings of the 2021 IFIP\/IEEE International Symposium on Integrated Network Management (IM), Bordeaux, France."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Li, B., Tan, K., Luo, L., Peng, Y., Luo, R., Xu, N., Xiong, Y., Cheng, P., and Chen, E. (2016, January 22\u201326). Clicknp: Highly flexible and high performance network processing with reconfigurable hardware. Proceedings of the 2016 ACM SIGCOMM Conference, Florianopolis, Brazil.","DOI":"10.1145\/2934872.2934897"},{"key":"ref_17","unstructured":"Chen, M.S., Liao, M.Y., Tsai, P.W., Luo, M.Y., Yang, C.S., and Yeh, C.E. (2010, January 12\u201313). Using netfpga to offload linux netfilter firewall. Proceedings of the 2nd North American NetFPGA Developers Workshop, Stanford, CA, USA."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Fiessler, A., Hager, S., Scheuermann, B., and Moore, A.W. (2016, January 17\u201318). HyPaFilter: A versatile hybrid FPGA packet filter. Proceedings of the 2016 Symposium on Architectures for Networking and Communications Systems, Santa Clara, CA, USA.","DOI":"10.1145\/2881025.2881033"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"3655","DOI":"10.1109\/TNET.2017.2749699","article-title":"Hypafilter+: Enhanced hybrid packet filtering using hardware assisted classification and header space analysis","volume":"25","author":"Fiessler","year":"2017","journal-title":"IEEE\/ACM Trans. Netw."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Weaver, N., Paxson, V., and Gonzalez, J.M. (2007, January 18\u201320). The shunt: An FPGA-based accelerator for network intrusion prevention. Proceedings of the 2007 ACM\/SIGDA 15th international symposium on Field Programmable Gate Arrays, Monterey, CA, USA.","DOI":"10.1145\/1216919.1216952"},{"key":"ref_21","unstructured":"Kalia, A., Zhou, D., Kaminsky, M., and Andersen, D.G. (2015, January 4\u20136). Raising the Bar for Using GPUs in Software Packet Processing. Proceedings of the 12th USENIX Symposium on Networked Systems Design and Implementation (NSDI 15), Oakland, CA, USA."},{"key":"ref_22","unstructured":"Go, Y., Jamshed, M.A., Moon, Y., Hwang, C., and Park, K. (2017, January 27\u201329). APUNet: Revitalizing GPU as packet processing accelerator. Proceedings of the 14th USENIX Symposium on Networked Systems Design and Implementation (NSDI 17), Boston, MA, USA."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Sun, W., and Ricci, R. (2013, January 21\u201322). Fast and flexible: Parallel packet processing with GPUs and click. Proceedings of the IEEE Architectures for Networking and Communications Systems, San Jose, CA, USA.","DOI":"10.1109\/ANCS.2013.6665173"},{"key":"ref_24","unstructured":"Vasiliadis, G., Koromilas, L., Polychronakis, M., and Ioannidis, S. (2014, January 19\u201320). GASPP: A GPU-Accelerated stateful packet processing framework. Proceedings of the 2014 USENIX Annual Technical Conference (USENIX ATC 14), Philadelphia, PA, USA."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"195","DOI":"10.1145\/1851275.1851207","article-title":"PacketShader: A GPU-accelerated software router","volume":"40","author":"Han","year":"2010","journal-title":"ACM SIGCOMM Comput. Commun. Rev."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"107161","DOI":"10.1109\/ACCESS.2019.2933491","article-title":"Introducing smartnics in server-based data plane processing: The ddos mitigation use case","volume":"7","author":"Miano","year":"2019","journal-title":"IEEE Access"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Kaufmann, A., Peter, S., Sharma, N.K., Anderson, T., and Krishnamurthy, A. (2016, January 2\u20136). High performance packet processing with flexnic. Proceedings of the Twenty-First International Conference on Architectural Support for Programming Languages and Operating Systems, Atlanta, GA, USA.","DOI":"10.1145\/2872362.2872367"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Li, B., Ruan, Z., Xiao, W., Lu, Y., Xiong, Y., Putnam, A., Chen, E., and Zhang, L. (2017, January 28\u201331). Kv-direct: High-performance in-memory key-value store with programmable NIC. Proceedings of the 26th Symposium on Operating Systems Principles, Shanghai, China.","DOI":"10.1145\/3132747.3132756"},{"key":"ref_29","first-page":"1","article-title":"XDP in practice: Integrating XDP into our DDoS mitigation pipeline","volume":"Volume 2","author":"Bertin","year":"2017","journal-title":"Proceedings of the Technical Conference on Linux Networking, NetDev, Le Westin Montr\u00e9al, Canada, 6\u20138 April 2017"},{"key":"ref_30","unstructured":"Deepak, A., Huang, R., and Mehra, P. (2018, January 13\u201315). eBPF\/XDP based firewall and packet filtering. Proceedings of the Linux Plumbers Conference, Vancouver, BC, Canada."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Kirdan, E., Raumer, D., Emmerich, P., and Carle, G. (2018, January 19\u201321). Building a traffic policer for ddos mitigation on top of commodity hardware. Proceedings of the IEEE 2018 International Symposium on Networks, Computers and Communications (ISNCC), Rome, Italy.","DOI":"10.1109\/ISNCC.2018.8531043"},{"key":"ref_32","first-page":"101","article-title":"Mitigating DoS\/DDoS attacks using iptables","volume":"12","year":"2012","journal-title":"Int. J. Eng. Technol."},{"key":"ref_33","unstructured":"Kaspersky (2023, July 24). How to Not Break the Internet. Available online: https:\/\/www.kaspersky.com\/blog\/attack-on-dyn-explained\/13325\/."},{"key":"ref_34","unstructured":"Red Button (2023, July 24). Dyn (DynDNS) DDoS Attack Analysis. Available online: https:\/\/www.red-button.net\/blog\/dyn-dyndns-ddos-attack\/."},{"key":"ref_35","unstructured":"CNBC (2023, July 24). Massive Cyber Attack \u2018Sophisticated, Highly Distributed\u2019, Involving Millions of IP Addresses. Available online: https:\/\/www.cnbc.com\/2016\/10\/22\/ddos-attack-sophisticated-highly-distributed-involved-millions-of-ip-addresses-dyn.html."},{"key":"ref_36","unstructured":"Salopek, D. (2022). Hybrid Hardware\/Software Datapath for Near Real-Time Reconfigurable High-Speed Packet Filtering. [Ph.D. Thesis, Department of Telecommunications, Faculty of Electrical Engineering and Computing, University of Zagreb]."},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"4200","DOI":"10.1109\/ACCESS.2022.3140522","article-title":"Surgical DDoS Filtering with Fast LPM","volume":"10","author":"Salopek","year":"2022","journal-title":"IEEE Access"},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Zec, M., and Mikuc, M. (2017, January 21\u201323). Pushing the envelope: Beyond two billion IP routing lookups per second on commodity CPUs. Proceedings of the IEEE 2017 25th International Conference on Software, Telecommunications and Computer Networks (SoftCOM), Split, Croatia.","DOI":"10.23919\/SOFTCOM.2017.8115575"},{"key":"ref_39","unstructured":"Zec, M. (2019). Improving Performance in Software Internet Routers through Compact Lookup Structures and Efficient Datapaths. [Ph.D. Thesis, Department of Telecommunications, Faculty of Electrical Engineering and Computing, University of Zagreb]."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Magyari, A., and Chen, Y. (2022). Review of state-of-the-art FPGA applications in IoT Networks. Sensors, 22.","DOI":"10.3390\/s22197496"},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"32","DOI":"10.1109\/MM.2014.61","article-title":"NetFPGA SUME: Toward 100 Gbps as research commodity","volume":"34","author":"Zilberman","year":"2014","journal-title":"IEEE Micro"},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"363","DOI":"10.1145\/2829988.2790029","article-title":"NetFPGA: Rapid prototyping of networking devices in open source","volume":"45","author":"Zilberman","year":"2015","journal-title":"ACM SIGCOMM Comput. Commun. Rev."},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Zilberman, N., Audzevich, Y., Kalogeridou, G., Bojan, N.M., Zhang, J., and Moore, A.W. (2015, January 2\u20134). NetFPGA-rapid prototyping of high bandwidth devices in open source. Proceedings of the IEEE 2015 25th International Conference on Field Programmable Logic and Applications (FPL), London, UK.","DOI":"10.1109\/FPL.2015.7293966"},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Su, T., You, L., Wang, Q., and Hou, C. (2016, January 23\u201325). The high speed switching experiment based on NetFPGA SUME. Proceedings of the IEEE 2016 11th International Conference on Computer Science & Education (ICCSE), Nagoya, Japan.","DOI":"10.1109\/ICCSE.2016.7581657"},{"key":"ref_45","unstructured":"Lai, Y.K., Huang, P.Y., Lee, H.P., Tsai, C.L., Chang, C.S., Nguyen, M.H., Lin, Y.J., Liu, T.L., and Chen, J.H. (2020, January 7\u201310). Real-time ddos attack detection using sketch-based entropy estimation on the netfpga sume platform. Proceedings of the IEEE 2020 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC), Auckland, New Zealand."},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"Gondaliya, H., Sankaran, G.C., and Sivalingam, K.M. (2020, January 1). Comparative evaluation of IP address anti-spoofing mechanisms using a P4\/NetFPGA-based switch. Proceedings of the 3rd P4 Workshop in Europe, Barcelona, Spain.","DOI":"10.1145\/3426744.3431320"},{"key":"ref_47","doi-asserted-by":"crossref","first-page":"1","DOI":"10.29292\/jics.v16i2.329","article-title":"Virtualization of programmable forwarding planes with p4vbox","volume":"16","author":"Rodrigues","year":"2021","journal-title":"J. Integr. Circuits Syst."},{"key":"ref_48","unstructured":"Github (2023, July 24). NetFPGA SUME Reference NIC. Available online: https:\/\/github.com\/NetFPGA\/NetFPGA-SUME-public\/wiki\/NetFPGA-SUME-Reference-NIC."},{"key":"ref_49","unstructured":"Intel (2023, July 24). Intel 64 and IA-32 Architectures Software Developer\u2019s Manual. Available online: https:\/\/www.intel.com\/content\/dam\/www\/public\/us\/en\/documents\/manuals\/64-ia-32-architectures-software-developer-vol-2b-manual.pdf."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/23\/17\/7636\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T20:45:45Z","timestamp":1760129145000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/23\/17\/7636"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,9,3]]},"references-count":49,"journal-issue":{"issue":"17","published-online":{"date-parts":[[2023,9]]}},"alternative-id":["s23177636"],"URL":"https:\/\/doi.org\/10.3390\/s23177636","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,9,3]]}}}