ALBUS: a Probabilistic Monitoring Algorithm to Counter Burst-Flood Attacks
Simon Scherrer, Jo Vliegen, Arish Sateesan, Hsu-Chun Hsiao, Nele Mentens, Adrian Perrig

TL;DR
ALBUS is a novel probabilistic monitoring algorithm designed to accurately detect burst-flood DDoS attacks, outperforming traditional sketch algorithms in recall and precision, and is scalable for high-speed network hardware.
Contribution
ALBUS introduces a new probabilistic monitoring approach that effectively detects burst-flood attacks with high accuracy and scalability, addressing limitations of prior sketch algorithms.
Findings
ALBUS achieves high detection accuracy with low false positives.
ALBUS scales to high traffic rates on FPGA and programmable switches.
Traditional sketch algorithms perform poorly under burst-flood attack patterns.
Abstract
Modern DDoS defense systems rely on probabilistic monitoring algorithms to identify flows that exceed a volume threshold and should thus be penalized. Commonly, classic sketch algorithms are considered sufficiently accurate for usage in DDoS defense. However, as we show in this paper, these algorithms achieve poor detection accuracy under burst-flood attacks, i.e., volumetric DDoS attacks composed of a swarm of medium-rate sub-second traffic bursts. Under this challenging attack pattern, traditional sketch algorithms can only detect a high share of the attack bursts by incurring a large number of false positives. In this paper, we present ALBUS, a probabilistic monitoring algorithm that overcomes the inherent limitations of previous schemes: ALBUS is highly effective at detecting large bursts while reporting no legitimate flows, and therefore improves on prior work regarding both…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Software-Defined Networks and 5G
