BUNGEE: An Adaptive Pushback Mechanism for DDoS Detection and Mitigation in P4 Data Planes

A DDoS attack aims at resource exhaustion and directly impacts the availability of servers in a network infrastructure. Although significant effort has gone into detecting and mitigating DDoS attacks in viable time, this type of attack remains one of the leading security concerns in networking. By leveraging data plane programmability, it becomes possible to implement novel security solutions that do not rely on coordination with external servers, keeping detection and mitigation local to the data plane, potentially reducing delays and avoiding the usual control-channel communication bottlenecks. In this paper we present BUNGEE, an in-network, collaborative pushback mechanism for DDoS attack mitigation that runs entirely in the data plane. The mechanism is able to, locally at a given switch, identify suspect IP addresses (through continuous analysis of the entropy of the IP addresses observed in traffic) and propagate them to other switches. The switches that are made aware of the suspects enforce a pushback strategy to repel potential attacks. We implemented our solution in the P4 language. The results reveal that the identification process has high accuracy and that the pushback strategy is effective in minimizing the strain on network resources.
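The abstract describes two halves of the mechanism: an entropy analysis of the IP addresses seen at a switch that flags suspects, and propagation of those suspects to neighbouring switches, which then enforce pushback. The following Python block is an added illustration of that idea, written for this page; it is not BUNGEE's P4 code and does not reproduce the paper's exact algorithm. The window size, the EWMA baseline, the entropy-drop threshold, the rule that the top-k addresses of an anomalous window are the suspects, the hop-limited propagation and the synthetic traffic trace are all assumptions made for the example.

```python
"""Sliding-window IP-entropy detector with a schematic pushback step.

Added example for illustration only; all parameters and the traffic
trace are assumptions, not values or code from the BUNGEE paper.
"""
import math
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def shannon_entropy(counts: Counter) -> float:
    """Entropy in bits of the empirical distribution over addresses."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


@dataclass
class WindowResult:
    entropy: float
    baseline: Optional[float]
    suspects: List[str]


@dataclass
class EntropyDetector:
    """Per-switch detector over fixed-size packet windows (assumed design)."""
    window_size: int = 100
    alpha: float = 0.2           # EWMA weight for the entropy baseline
    drop_threshold: float = 1.0  # bits below baseline that count as anomalous
    top_k: int = 3               # heavy hitters reported as suspects
    baseline: Optional[float] = None
    _counts: Counter = field(default_factory=Counter)
    _seen: int = 0

    def observe(self, ip: str) -> Optional[WindowResult]:
        """Feed one packet's address; returns a result when a window closes."""
        self._counts[ip] += 1
        self._seen += 1
        if self._seen < self.window_size:
            return None
        h = shannon_entropy(self._counts)
        suspects: List[str] = []
        if self.baseline is not None and h < self.baseline - self.drop_threshold:
            # Traffic has concentrated on few addresses: report the heavy hitters.
            suspects = [a for a, _ in self._counts.most_common(self.top_k)]
        else:
            # Only benign-looking windows move the baseline, so an attack does
            # not train the detector to accept itself.
            self.baseline = h if self.baseline is None else \
                (1 - self.alpha) * self.baseline + self.alpha * h
        result = WindowResult(h, self.baseline, suspects)
        self._counts.clear()
        self._seen = 0
        return result


def run_detector(det: EntropyDetector, trace: List[str]) -> List[WindowResult]:
    return [r for ip in trace if (r := det.observe(ip)) is not None]


def propagate(origin: str, suspects: List[str], neighbours: Dict[str, List[str]],
              tables: Dict[str, Set[str]], hops: int = 2) -> Dict[str, Set[str]]:
    """Schematic pushback: install the suspects at the alerting switch and at
    every switch within `hops` hops of it (assumed scope and message model)."""
    frontier, visited = {origin}, set()
    for _ in range(hops + 1):
        nxt: Set[str] = set()
        for sw in frontier:
            visited.add(sw)
            tables.setdefault(sw, set()).update(suspects)
            nxt.update(neighbours.get(sw, []))
        frontier = nxt - visited
    return tables


def synthetic_trace() -> List[str]:
    """Constructed trace: three benign windows spread evenly over 50 addresses
    (TEST-NET-1), then one window where 80% of packets hit a single victim."""
    benign = [f"192.0.2.{i}" for i in range(1, 51)]
    victim = "203.0.113.10"
    trace = [benign[j % 50] for _ in range(3) for j in range(100)]
    return trace + [victim] * 80 + benign[:20]


if __name__ == "__main__":
    results = run_detector(EntropyDetector(), synthetic_trace())
    for r in results:
        print(f"entropy={r.entropy:.3f} baseline={r.baseline:.3f} suspects={r.suspects}")
    topo = {"s1": ["s2"], "s2": ["s1", "s3"], "s3": ["s2", "s4"], "s4": ["s3"]}
    print(propagate("s1", results[-1].suspects, topo, {}))
```

In the benign windows every address appears twice, so the entropy sits at log2(50) bits; the attack window collapses to roughly 1.6 bits and the victim address is reported first. The baseline is deliberately frozen during anomalous windows; without that guard a sustained flood would drag the baseline down and silence the detector.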