Jaqen: A High-Performance Switch-Native Approach for Detecting and Mitigating Volumetric DDoS Attacks with Programmable Switches

The emergence of programmable switches offers a new opportunity to revisit ISP-scale defenses for volumetric DDoS attacks. In theory, these can offer better cost vs. performance vs. flexibility trade-offs relative to proprietary hardware and virtual appliances. However, the ISP setting creates unique challenges in this regard—we need to run a broad spectrum of detection and mitigation functions natively on the programmable switch hardware and respond to dynamic adaptive attacks at scale. Thus, prior efforts in using programmable switches that assume out-of-band detection and/or use switches merely as accelerators for specific tasks are no longer sufficient, and as such, this potential remains unrealized. To tackle these challenges, we design and implement Jaqen, a switch-native approach for volumetric DDoS defense that can run detection and mitigation functions entirely inline on switches, without relying on additional data plane hardware. We design switch-optimized, resource-efficient detection and mitigation building blocks. We design a flexible API to construct a wide spectrum of best-practice (and future) defense strategies that efficiently use switch capabilities. We build a network-wide resource manager that quickly adapts to the attack posture changes. Our experiments show that Jaqen is orders of magnitude more performant than existing systems: Jaqen can handle large-scale hybrid and dynamic attacks within seconds, and mitigate them effectively at high line-rates (380 Gbps).