ReAct: Reflection Attack Mitigation For Asymmetric Routing

TL;DR

ReAct is a novel in-network defense mechanism against amplification reflection DDoS attacks that effectively handles asymmetric routing by using programmable data planes and request-response correlation across multiple switches.

Contribution

ReAct introduces a data-plane-based, cross-switch collaboration approach for AR-DDoS mitigation that is robust to asymmetric routing and adaptable to dynamic network changes.

Findings

Filters nearly all attack traffic without dropping legitimate responses.

Achieves significantly lower false positives compared to existing methods.

Demonstrates applicability on multiple hardware platforms.

Abstract

Amplification Reflection Distributed Denial-of-Service (AR-DDoS) attacks remain a formidable threat, exploiting stateless protocols to flood victims with illegitimate traffic. Recent advances have enabled data-plane defenses against such attacks, but existing solutions typically assume symmetric routing and are limited to a single switch. These assumptions fail in modern networks where asymmetry is common, resulting in dropped legitimate responses and persistent connectivity issues. This paper presents ReAct, an in-network defense for AR-DDoS that is robust to asymmetry. ReAct performs request-response correlation across switches using programmable data planes and a sliding-window of Bloom filters. To handle asymmetric traffic, ReAct introduces a data-plane-based request forwarding mechanism, enabling switches to validate responses even when paths differ. ReAct can automatically adapt to routing changes with minimal intervention, ensuring continued protection even in dynamic network environments. We implemented ReAct on both a P4 interpreter and NVIDIAs Bluefield-3, demonstrating its applicability across multiple platforms. Evaluation results show that ReAct filters nearly all attack traffic without dropping legitimate responses-even under high-volume attacks and asymmetry. Compared to state-of-the-art approaches, ReAct achieves significantly lower false positives. To our knowledge, ReAct is the first data-plane AR-DDoS defense that supports dynamic, cross-switch collaboration, making it uniquely suitable for deployment in networks with asymmetry.