TL;DR
This paper introduces a novel in-network DDoS detection method using programmable switches, enabling real-time volumetric attack identification with high accuracy and minimal delay, leveraging a new data structure and hardware implementation.
Contribution
It proposes BACON, a sketch-based data structure for in-network DDoS detection, and demonstrates its implementation on Tofino switches using P4, achieving line-rate processing.
Findings
High F1 score in DDoS victim detection
Line-rate processing maintained during detection
Effective in-network detection reduces response time
Abstract
Volumetric distributed Denial-of-Service (DDoS) attacks have become one of the most significant threats to modern telecommunication networks. However, most existing defense systems require that detection software operates from a centralized monitoring collector, leading to increased traffic load and delayed response. The recent advent of Data Plane Programmability (DPP) enables an alternative solution: threshold-based volumetric DDoS detection can be performed directly in programmable switches to skim only potentially hazardous traffic, to be analyzed in depth at the controller. In this paper, we first introduce the BACON data structure based on sketches, to estimate per-destination flow cardinality, and theoretically analyze it. Then we employ it in a simple in-network DDoS victim identification strategy, INDDoS, to detect the destination IPs for which the number of incoming…
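To make the abstract's mechanism concrete, here is an added illustration of a sketch-based per-destination flow-cardinality estimator with threshold-based victim flagging. It is not the paper's BACON structure or its P4 code (the page does not detail BACON's internal layout); the design shown, hash rows of linear-counting bitmaps with a count-min-style minimum across rows, the keyed BLAKE2 hash standing in for a switch hash extern, the constants, the class and function names, and the traffic mix are all assumptions made for this example.

```python
"""Per-destination flow-cardinality sketch plus threshold-based victim flagging.

Added illustration, not the paper's BACON implementation: the sketch layout
(hash rows of linear-counting bitmaps), the hash function and all constants
are assumptions chosen for this example.
"""
import hashlib
import math
from typing import Iterable, List, Optional, Set, Tuple

Flow = Tuple[str, str, int, int, int]  # (src_ip, dst_ip, sport, dport, proto)


def _hash(seed: int, data: bytes) -> int:
    """Keyed 64-bit hash; one seed per sketch row (stands in for a switch hash extern)."""
    h = hashlib.blake2b(data, digest_size=8, key=seed.to_bytes(8, "big"))
    return int.from_bytes(h.digest(), "big")


class DstCardinalitySketch:
    """rows x cols table of bitmaps; each bitmap is a linear-counting estimator.

    A destination maps to one cell per row; every new flow sets one bit in
    each of those cells. Cardinality is the minimum over rows of the
    linear-counting estimate, because bucket collisions can only inflate a
    cell. The table would be reset at each measurement epoch.
    """

    def __init__(self, rows: int = 3, cols: int = 64, bits: int = 1024):
        self.rows, self.cols, self.bits = rows, cols, bits
        self.cells = [[0] * cols for _ in range(rows)]  # ints used as bitmaps

    def _cell(self, row: int, dst: str) -> int:
        return _hash(row, dst.encode()) % self.cols

    def update(self, flow: Flow) -> None:
        src, dst, sport, dport, proto = flow
        flow_key = f"{src}:{sport}>{dst}:{dport}/{proto}".encode()
        for r in range(self.rows):
            bit = _hash(1000 + r, flow_key) % self.bits
            self.cells[r][self._cell(r, dst)] |= 1 << bit

    def estimate(self, dst: str) -> float:
        best = math.inf
        for r in range(self.rows):
            ones = bin(self.cells[r][self._cell(r, dst)]).count("1")
            zeros = self.bits - ones
            # Linear counting: n ~ -m * ln(zeros / m); a saturated bitmap is reported as inf.
            est = math.inf if zeros == 0 else -self.bits * math.log(zeros / self.bits)
            best = min(best, est)
        return best


def detect_victims(flows: Iterable[Flow], threshold: int,
                   sketch: Optional[DstCardinalitySketch] = None) -> Set[str]:
    """Data-plane style check: after each update, compare the destination's
    estimate with the threshold. Crossing it once marks the destination as a
    candidate victim whose traffic would be skimmed to the controller."""
    sketch = sketch or DstCardinalitySketch()
    flagged: Set[str] = set()
    for flow in flows:
        sketch.update(flow)
        dst = flow[1]
        if dst not in flagged and sketch.estimate(dst) >= threshold:
            flagged.add(dst)
    return flagged


def sample_traffic() -> List[Flow]:
    """Constructed traffic: one destination hit by 200 distinct (spoofed)
    sources, nine background hosts receiving five flows each."""
    flows: List[Flow] = []
    for i in range(200):
        flows.append((f"203.0.113.{i}", "10.0.0.5", 40000 + i, 80, 6))
    for host in range(1, 10):
        for j in range(5):
            flows.append((f"192.0.2.{host}", f"10.0.0.{host + 10}", 50000 + j, 443, 6))
    return flows


if __name__ == "__main__":
    traffic = sample_traffic()
    print("flagged destinations:", detect_victims(traffic, threshold=100))
    s = DstCardinalitySketch()
    for f in traffic:
        s.update(f)
    print("victim estimate:", round(s.estimate("10.0.0.5")), "background:", round(s.estimate("10.0.0.11")))
```

On a Tofino-class target the bitmaps would live in register arrays and the two hashes would be the hash externs of the P4 pipeline, so `update` becomes a handful of match-action stages per packet; the Python here only shows the estimator and the threshold test, not line-rate behaviour.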
