Offloading Real-time DDoS Attack Detection to Programmable Data Planes

In recent years, Distributed Denial-of-Service (DDoS) attacks have escalated both in frequency and traffic volume, with outbreaks reaching rates on the order of terabits per second and compromising the availability of supposedly highly resilient infrastructure (e.g., DNS and cloud-based web hosting). Existing detection solutions resort to a combination of mechanisms, such as packet sampling and transmission of the gathered data to external software, which makes it very difficult (if possible at all) to reach a good compromise between accuracy (higher is better), resource usage footprint, and latency (lower is better). Data plane programmability has emerged as a promising approach to help meet these requirements, since forwarding devices can be configured to execute algorithms and examine traffic at line rate. In this paper, we explore P4 primitives to design a fine-grained, low-footprint, and low-latency traffic inspection mechanism for real-time DDoS attack detection. Our proposal, the first to be fully in-network, contributes to shedding light on the challenges of implementing sophisticated security logic on forwarding devices given that, to operate at high throughput, the inspection (and overall processing) of packets is subject to a small time budget (dozens of nanoseconds) and limited memory space (on the order of megabytes). We evaluate the proposed mechanism using packet traces from CAIDA. The results show that it can detect DDoS attacks entirely within the data plane with high accuracy (98.2%) and low latency (≈250 ms) while keeping device resource usage low (dozens of kilobytes of SRAM per 1 Gbps link and a few hundred TCAM entries).
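The abstract does not spell out the detection algorithm, so the following is an added illustration (not the paper's code or mechanism) of the kind of processing that fits the constraints it describes: a fixed-size, hash-indexed counter array standing in for P4 register arrays, a per-packet update that costs a handful of operations, and a per-window statistic (Shannon entropy of source and destination addresses) compared against a baseline. The sketch geometry, window size, alarm margin, EWMA weight, hash function and the packet trace are all constructed assumptions.

```python
"""Fixed-memory, constant-work-per-packet traffic inspection of the kind a
programmable data plane can afford: a count-min sketch (standing in for P4
register arrays) plus an entropy statistic maintained incrementally.
Illustrative example only; it is not the paper's mechanism."""
import hashlib
import math
import random
from collections import Counter
from typing import List, Sequence, Tuple

ROWS, COLS = 4, 4096  # 4 x 4096 x 4-byte counters = 64 KiB per sketch (assumption)
WINDOW = 2000         # packets per observation window (assumption)


def _hash(row: int, key: bytes) -> int:
    """Row-salted hash into [0, COLS). Hardware would use a CRC with a
    per-row seed; a salted BLAKE2b stands in here (assumption)."""
    digest = hashlib.blake2b(key, digest_size=4, salt=bytes([row])).digest()
    return int.from_bytes(digest, "big") % COLS


class EntropySketch:
    """Count-min sketch plus the running sum S = sum_k f_k*log2(f_k), so that
    Shannon entropy is H = log2(N) - S/N with no pass over the keys."""

    def __init__(self) -> None:
        self.table = [[0] * COLS for _ in range(ROWS)]
        self.packets = 0
        self.flogf = 0.0

    def update(self, key: bytes) -> int:
        idxs = [_hash(r, key) for r in range(ROWS)]
        f = min(self.table[r][i] for r, i in enumerate(idxs))  # estimate before
        for r, i in enumerate(idxs):
            self.table[r][i] += 1
        # Every row grew by one, so the new min estimate is f + 1. Only the term
        # of the key just seen changes in S; a data plane would take
        # (f+1)log(f+1) - f*log(f) from a lookup table instead of calling log2.
        self.flogf += (f + 1) * math.log2(f + 1) - (f * math.log2(f) if f else 0.0)
        self.packets += 1
        return f + 1

    def entropy(self) -> float:
        n = self.packets
        return math.log2(n) - self.flogf / n if n else 0.0


def exact_entropy(keys: Sequence[bytes]) -> float:
    """Reference value from exact per-key counts (not data-plane friendly)."""
    n = len(keys)
    return -sum(c / n * math.log2(c / n) for c in Counter(keys).values())


def window_entropies(pkts: Sequence[Tuple[bytes, bytes]]) -> Tuple[float, float]:
    """(H_src, H_dst) for one window, each from its own fixed-size sketch."""
    src_sk, dst_sk = EntropySketch(), EntropySketch()
    for src, dst in pkts:
        src_sk.update(src)
        dst_sk.update(dst)
    return src_sk.entropy(), dst_sk.entropy()


def detect(windows: Sequence[Sequence[Tuple[bytes, bytes]]],
           alpha: float = 0.25, margin_bits: float = 1.0) -> List[bool]:
    """Flag a window when destination entropy falls, or source entropy rises,
    by more than `margin_bits` against an EWMA baseline of benign windows.
    A flood on one victim concentrates destinations (H_dst drops); spoofed
    sources spread them out (H_src rises). Parameters are assumptions."""
    flags: List[bool] = []
    base_src = base_dst = None
    for w in windows:
        h_src, h_dst = window_entropies(w)
        if base_dst is None:
            base_src, base_dst = h_src, h_dst  # first window seeds the baseline
            flags.append(False)
            continue
        alarm = (base_dst - h_dst > margin_bits) or (h_src - base_src > margin_bits)
        flags.append(alarm)
        if not alarm:  # do not let attack windows poison the baseline
            base_src = alpha * h_src + (1 - alpha) * base_src
            base_dst = alpha * h_dst + (1 - alpha) * base_dst
    return flags


def make_trace(seed: int = 7) -> List[List[Tuple[bytes, bytes]]]:
    """Constructed trace: 5 benign windows, 2 flood windows, 1 benign window.
    Keys are 4-byte addresses from small pools (benign) or spoofed (attack)."""
    rng = random.Random(seed)
    hosts = [i.to_bytes(4, "big") for i in range(0x0A000001, 0x0A000001 + 200)]
    clients = [i.to_bytes(4, "big") for i in range(0xC0A80001, 0xC0A80001 + 500)]
    victim = hosts[17]

    def benign() -> List[Tuple[bytes, bytes]]:
        return [(rng.choice(clients), rng.choice(hosts)) for _ in range(WINDOW)]

    def flood() -> List[Tuple[bytes, bytes]]:
        pkts = []
        for _ in range(WINDOW):
            if rng.random() < 0.9:  # 90% of packets: spoofed source -> victim
                pkts.append((rng.getrandbits(32).to_bytes(4, "big"), victim))
            else:
                pkts.append((rng.choice(clients), rng.choice(hosts)))
        return pkts

    return [benign() for _ in range(5)] + [flood(), flood()] + [benign()]


if __name__ == "__main__":
    trace = make_trace()
    for i, (flag, (hs, hd)) in enumerate(zip(detect(trace), map(window_entropies, trace))):
        print(f"window {i}: H_src={hs:.2f} H_dst={hd:.2f} {'ALARM' if flag else 'ok'}")
```

The point of the incremental sum is that each packet touches a fixed number of counters and one accumulator, which is the shape of work a match-action pipeline can do at line rate; the full recount in `exact_entropy` is only there to show that the sketch estimate stays close when the key population is small relative to the counter array. On real hardware the `log2` terms would come from a lookup table and the sketches would be double-buffered so one window can be read out while the next is being filled.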