Saturday, October 17, 2009

Prototype Security Software Blocks DDoS Attacks

Security researchers show lightweight, host-based access-control scheme that dumps attack packets without overwhelming memory, CPU

Auburn University researchers have developed a software filter that protects computers against distributed denial-of-service (DDoS) attacks without bogging down the computer's CPU and memory. The identity-based privacy-protected access control filter (IPCAF) also guards against session hijacking, dictionary attacks, and man-in-the-middle attacks.

Instead of filtering on IP addresses, which can be faked by hijackers, IPCAF sends a user ID and password to computer users and the Web site they are attempting to access. The two parties then create fake IDs and values for each packet so that each one is double-checked. Computers check the value in each packet and choose whether to accept it or not. Only after a packet is accepted are more memory and CPU resources spent on it.

The researchers say that IPCAF is also useful because it does not rely on separate and expensive applications that bog down memory. Instead, it runs on the servers and client machines themselves without affecting computer use. IPCAF uses a hash-based message authentication code (HMAC) to create the value that confirms every single packet, which saves CPU power.
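The per-packet check described above can be illustrated in code. This is an added example, not the researchers' code or the IPCAF protocol itself: the counter-based pseudo-ID derivation, HMAC-SHA-256, the field sizes, the sliding window and all function and class names are assumptions, and the key is assumed to have been derived already from the shared user ID and password.

```python
import hashlib
import hmac
import struct

ID_LEN, TAG_LEN = 8, 16  # assumed field sizes, not taken from IPCAF


def pseudo_id(key: bytes, counter: int) -> bytes:
    """One-time "fake ID" for packet number `counter` (assumed derivation)."""
    msg = b"id" + struct.pack(">Q", counter)
    return hmac.new(key, msg, hashlib.sha256).digest()[:ID_LEN]


def packet_tag(key: bytes, pid: bytes, payload: bytes) -> bytes:
    """Per-packet authentication value binding the pseudo ID to the payload."""
    return hmac.new(key, b"tag" + pid + payload, hashlib.sha256).digest()[:TAG_LEN]


def build_packet(key: bytes, counter: int, payload: bytes) -> bytes:
    pid = pseudo_id(key, counter)
    return pid + packet_tag(key, pid, payload) + payload


class PacketFilter:
    """Receiver-side check that runs before any payload processing."""

    def __init__(self, key: bytes, window: int = 4):
        self.key, self.window = key, window
        self._slide(0)

    def _slide(self, start: int) -> None:
        # Precompute the next few expected pseudo IDs so that a flood packet
        # with an unknown ID costs one table lookup and no HMAC computation.
        self.expected = {pseudo_id(self.key, c): c
                         for c in range(start, start + self.window)}

    def accept(self, packet: bytes):
        pid = packet[:ID_LEN]
        tag = packet[ID_LEN:ID_LEN + TAG_LEN]
        payload = packet[ID_LEN + TAG_LEN:]
        counter = self.expected.get(pid)
        if counter is None:
            return None  # unknown or already-used pseudo ID: drop
        if not hmac.compare_digest(tag, packet_tag(self.key, pid, payload)):
            return None  # right ID, forged or altered payload: drop
        self._slide(counter + 1)  # used and skipped IDs are never accepted again
        return payload
```

The window lets the receiver tolerate a few lost packets; a replayed packet fails the lookup because its pseudo ID has already been retired.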

When testing IPCAF, security researchers found that the computer network was stalled by only 30 nanoseconds during an attack over a 10Gbps connection.

Refer here to read more details about the research.
