Euclid: A Fully In-Network, P4-Based Approach for Real-Time DDoS Attack Detection and Mitigation

Distributed Denial-of-Service (DDoS) attacks have been steadily escalating in frequency, scale, and disruptiveness, with outbreaks reaching multiple terabits per second and compromising the availability of highly resilient networked systems. Existing defenses require frequent interaction between the forwarding and control planes, which makes it difficult to reach a satisfactory trade-off between accuracy (higher is better), resource usage, and defense response delay (lower is better). Recently, high-performance programmable data planes have made it possible to develop a new generation of mechanisms that analyze and manage traffic at line rate. In this article, we explore P4 language constructs and primitives to design Euclid, a fully in-network, fine-grained, low-footprint, and low-delay traffic analysis mechanism for DDoS attack detection and mitigation. Euclid uses information-theoretic and statistical analysis to detect attacks and classify packets as either legitimate or malicious, thus enabling the enforcement of policies (e.g., discarding, inspection, or throttling) that prevent attack traffic from disrupting the operation of its victims. We experimentally evaluate the proposed mechanism using packet traces from CAIDA. The results indicate that Euclid detects attacks with high accuracy (98.2%) and low delay (≈250 ms), and correctly identifies most attack packets (>96%) while affecting no more than 1% of the legitimate traffic. Furthermore, the approach operates under a small resource usage footprint (tens of kilobytes of static random-access memory per 1 Gbps link and a few hundred ternary content-addressable memory entries), which makes it deployable in high-throughput, high-volume scenarios.
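The abstract names the two ingredients of the detector, information-theoretic analysis and statistical analysis, but not how they combine. The following is an added example, written for this page and not Euclid's own P4 code or its exact rule set: a Python model in which each observation window yields the Shannon entropy of the source-IP and destination-IP distributions, each entropy is tracked by an exponentially weighted moving-average control chart that alarms on a k-deviation excursion, and packets in an alarmed window are classified so a policy (discard, inspect, throttle) could act on them. Everything below is an assumption of the example: exact per-window counters stand in for the sketches a switch would use, the chart parameters (`alpha`, `k`, `min_dev`, `warmup`) are illustrative, the classification rule (packet to a destination drawing at least half the window, from a source seen only once) is a simplification, and the traffic is constructed, not taken from CAIDA. Python is used rather than P4 because P4 targets have no floating point or logarithm primitive; an in-switch version has to approximate the log terms with integer arithmetic, which would obscure the detection logic being shown.

```python
"""Added example, not Euclid's code: entropy + EWMA model of in-network DDoS detection."""
import math
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

Packet = Tuple[str, str]  # (src_ip, dst_ip): the only header fields this model needs


def shannon_entropy(counts: Counter) -> float:
    """Entropy in bits of the empirical distribution described by counts."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


@dataclass
class EwmaChart:
    """Geometric moving-average control chart: alarm when |x - mean| > k * dev."""
    alpha: float = 0.2      # smoothing factor for the mean and the mean absolute deviation
    k: float = 3.0          # alarm threshold, in units of deviation
    min_dev: float = 0.1    # floor (bits) so a perfectly flat baseline cannot alarm on noise
    warmup: int = 4         # windows to observe before alarms are allowed (assumed value)
    mean: Optional[float] = None
    dev: float = 0.0
    seen: int = 0

    def update(self, x: float) -> bool:
        self.seen += 1
        if self.mean is None:
            self.mean = x
            return False
        err = x - self.mean
        alarm = self.seen > self.warmup and abs(err) > self.k * max(self.dev, self.min_dev)
        if not alarm:  # learn the baseline only from windows judged normal
            self.mean += self.alpha * err
            self.dev += self.alpha * (abs(err) - self.dev)
        return alarm


@dataclass
class WindowResult:
    h_src: float
    h_dst: float
    alarm: bool
    malicious: List[bool]  # one verdict per packet, in input order


class EntropyDdosDetector:
    def __init__(self, victim_share: float = 0.5) -> None:
        self.src_chart = EwmaChart()
        self.dst_chart = EwmaChart()
        self.victim_share = victim_share  # a dst receiving >= this share of a window is the victim

    def process_window(self, packets: List[Packet]) -> WindowResult:
        src_counts = Counter(s for s, _ in packets)
        dst_counts = Counter(d for _, d in packets)
        h_src = shannon_entropy(src_counts)
        h_dst = shannon_entropy(dst_counts)
        # Update both charts every window: a spoofed flood raises H(src) (many sources)
        # and lowers H(dst) (one victim), so either chart may be the one that fires.
        src_alarm = self.src_chart.update(h_src)
        dst_alarm = self.dst_chart.update(h_dst)
        alarm = src_alarm or dst_alarm
        total = len(packets)
        verdicts = []
        for src, dst in packets:
            to_victim = total > 0 and dst_counts[dst] / total >= self.victim_share
            # Assumption of this example: a source seen once in the window is treated as
            # spoofed. Real deployments need a less brittle per-source signal.
            verdicts.append(alarm and to_victim and src_counts[src] == 1)
        return WindowResult(h_src, h_dst, alarm, verdicts)


# --- constructed traffic (not from CAIDA or the paper) -------------------------------
SERVERS = [f"192.0.2.{200 + s}" for s in range(5)]


def legit_window(n_clients: int) -> List[Packet]:
    """Each client sends 3 packets, spread over 3 of the 5 servers."""
    return [(f"192.0.2.{c + 1}", SERVERS[(c + j) % 5]) for c in range(n_clients) for j in range(3)]


def spoofed_flood(n: int, victim: str) -> List[Packet]:
    """n packets, each from a distinct spoofed source, all aimed at the victim."""
    return [(f"10.{i // 256}.{i % 256}.7", victim) for i in range(n)]


def run_scenario() -> dict:
    det = EntropyDdosDetector()
    baseline_alarms = 0
    for n in (20, 21, 19, 20, 22, 18, 20, 21, 19, 20):  # benign windows with mild churn
        baseline_alarms += det.process_window(legit_window(n)).alarm
    legit = legit_window(20)
    attack = spoofed_flood(500, SERVERS[0])
    res = det.process_window(legit + attack)
    flagged_legit = sum(res.malicious[: len(legit)])
    flagged_attack = sum(res.malicious[len(legit):])
    return {
        "baseline_alarms": baseline_alarms,
        "attack_alarm": res.alarm,
        "h_src_attack": round(res.h_src, 2),
        "h_dst_attack": round(res.h_dst, 2),
        "attack_recall": flagged_attack / len(attack),
        "legit_false_positive_rate": flagged_legit / len(legit),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two properties of the model map directly onto the abstract's metrics. Detection delay is bounded below by the window length, since nothing is decided until a window closes, so the ≈250 ms figure implies sub-second windows. The legitimate-traffic cost depends entirely on the per-packet rule, not on the alarm: in this toy the legitimate clients each send three packets per window and so are never mistaken for single-packet spoofed sources, but a real classifier must tolerate legitimate one-packet sources (DNS resolvers, NAT'd users) to stay under the 1% collateral the paper reports.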
