Towards a Unified In-Network DDoS Detection and Mitigation Strategy

Distributed Denial of Service (DDoS) attacks have terrorized our networks for decades, and with attacks now reaching 1.7 Tbps, even the slightest latency in detection and subsequent remediation is enough to bring an entire network down. Though strides have been made to address such maliciousness within the context of Software Defined Networking (SDN), they have ultimately proven ineffective. Fortunately, P4 has recently emerged as a platform-agnostic language for programming the data plane and in turn allowing for customized protocols and packet processing. To this end, we propose a first-of-a-kind P4-based detection and mitigation scheme that will not only function as intended regardless of the size of the attack, but will also overcome the vulnerabilities of SDN that have characteristically been exploited by DDoS. Moreover, it successfully defends against the broad spectrum of currently relevant attacks while concurrently emphasizing the Quality of Service (QoS) of legitimate end-users and overall SDN functionality. We demonstrate the effectiveness of the proposed scheme using a software programmable P4-switch, namely, the Behavorial Model version 2 (BMv2), showing its ability to withstand a variety of DDoS attacks in real-time via three use cases that can be generalized to most contemporary attack vectors. Specifically, the results substantiate that the mechanism herein is orders of magnitude faster than traditional polling techniques (e.g., NetFlow or sFlow) while minimizing the impact on benign traffic. We concur that the approach's design particularities facilitate seamless and scalable deployments in high-speed networks requiring line-rate functionality, in addition to being generic enough to be integrated into viable network topologies.