18 research outputs found

    Tracking Normalized Network Traffic Entropy to Detect DDoS Attacks in P4

    Distributed Denial-of-Service (DDoS) attacks represent a persistent threat to modern telecommunications networks: detecting and counteracting them is still a crucial unresolved challenge for network operators. DDoS attack detection is usually carried out in one or more central nodes that collect significant amounts of monitoring data from networking devices, potentially creating issues related to network overload or delay in detection. The dawn of programmable data planes in Software-Defined Networks can help mitigate this issue, opening the door to the detection of DDoS attacks directly in the data plane of the switches. However, the most widely adopted data plane programming language, namely P4, lacks support for many arithmetic operations; therefore, some of the advanced network monitoring functionalities needed for DDoS detection cannot be straightforwardly implemented in P4. This work overcomes such a limitation and presents two novel strategies, for flow cardinality and for normalized network traffic entropy estimation, that only use P4-supported operations and guarantee a low relative error. Additionally, based on these contributions, we propose a DDoS detection strategy relying on variations of the normalized network traffic entropy. Results show that it has comparable or higher detection accuracy than state-of-the-art solutions, while being simpler and entirely executed in the data plane.
    Comment: Accepted by TDSC on 24/09/202

    In-Network Volumetric DDoS Victim Identification Using Programmable Commodity Switches

    Volumetric distributed Denial-of-Service (DDoS) attacks have become one of the most significant threats to modern telecommunication networks. However, most existing defense systems require that detection software operates from a centralized monitoring collector, leading to increased traffic load and delayed response. The recent advent of Data Plane Programmability (DPP) enables an alternative solution: threshold-based volumetric DDoS detection can be performed directly in programmable switches to skim only potentially hazardous traffic, which is then analyzed in depth at the controller. In this paper, we first introduce the BACON data structure, based on sketches, to estimate per-destination flow cardinality, and theoretically analyze it. Then we employ it in a simple in-network DDoS victim identification strategy, INDDoS, to detect the destination IPs for which the number of incoming connections exceeds a pre-defined threshold. We describe its hardware implementation on a Tofino-based programmable switch using the domain-specific P4 language, proving that some limitations imposed by real hardware to safeguard processing speed can be overcome to implement relatively complex packet manipulations. Finally, we present some experimental performance measurements, showing that our programmable switch is able to keep processing packets at line rate while performing volumetric DDoS detection, and also achieves a high F1 score on DDoS victim identification.
    Comment: Accepted by IEEE Transactions on Network and Service Management Special issue on Latest Developments for Security Management of Networks and Service

    Design and Development of Network Monitoring Strategies in P4-enabled Programmable Switches

    Network monitoring is of paramount importance for effective network management: it allows operators to constantly observe the network’s behavior to ensure it is working as intended, and can trigger both automated and manual remediation procedures in case of failures and anomalies. The concept of SDN decouples the control logic from the legacy network infrastructure to perform centralized control over multiple switches in the network; in this context, the responsibility of switches is only to forward packets according to the flow control instructions provided by the controller. However, as current SDN switches only expose simple per-port and per-flow counters, the controller has to do almost all the processing to determine the network state, which causes significant communication overhead and excessive latency for monitoring purposes. The absence of programmability in the data plane of SDN prompted the advent of programmable switches, which allow developers to customize the data-plane pipeline and implement novel programs operating directly in the switches. This means that certain monitoring tasks can be offloaded to programmable data planes, to perform fine-grained monitoring even at very high packet processing speeds. Given the central importance of network monitoring exploiting programmable data planes, the goal of this thesis is to enable a wide range of monitoring tasks in programmable switches, with a specific focus on those equipped with programmable ASICs. Indeed, most network monitoring solutions available in the literature do not take the computational and memory constraints of programmable switches into due account, preventing, de facto, their successful implementation in commodity switches. This thesis claims that network monitoring tasks can be executed in programmable switches. Our evaluations show that the contributions in this thesis could be used by network administrators as well as network security engineers to better understand the network status depending on different monitoring metrics, and thus prevent network infrastructure and service outages.

    Incremental Deployment of Programmable Switches for Network-wide Heavy-hitter Detection

    The advent of Software-Defined Networking with OpenFlow first, and subsequently the emergence of programmable data planes, has boosted a lot of research around many networking aspects: monitoring, security, traffic engineering. In the context of network monitoring, most of the proposed solutions show the benefits of data plane programmability by simplifying the complexity of the network with a one-big-switch abstraction. Only a few papers look at network-wide solutions, but they consider the network as homogeneous, i.e., composed only of programmable devices. In this paper, we argue that the primary challenge for a successful adoption of those solutions is the deployment problem: how to compose and monitor a network consisting of both legacy and programmable switches? We propose an approach for incrementally deploying programmable devices in an ISP network with the goal of monitoring as many distinct network flows as possible. While assessing the benefits of our solution, we realized that the proposed network-wide monitoring algorithms might not be optimized for a partial deployment scenario. We then also developed a novel strategy capable of detecting network-wide heavy flows with the same accuracy as state-of-the-art solutions, but relying on less information from the data plane.

    INVEST: Flow-Based Traffic Volume Estimation in Data-Plane Programmable Networks

    The emergence of programmable data planes in Software-Defined Networks enables the execution of various monitoring tasks directly in network devices, overcoming the need to deliver huge amounts of information to a controller that must then process it at scale. In this paper, we aim to solve a fundamental problem arising when exploiting programmable data planes for network-wide monitoring: how to estimate the overall number of packets in the network (i.e., the traffic volume), and the related number and size of flows, while avoiding packet double counting. Most existing works solve this problem by ensuring that each packet is counted only once on its path, which limits routing or requires coordination among devices. We propose a different approach, INVEST, a flow-based traffic volume estimator for P4-based switches, that relies on and can reuse commonly employed data structures while naturally solving the double-counting problem. We theoretically analyze and experimentally evaluate our solution, which we implemented in a real P4 carrier-grade switch, finding that it is accurate, memory-efficient, and can process packets at line rate.

    Antioxidant properties in vitro and total phenolic contents in methanol extracts from medicinal plants

    In order to find new sources of safe and inexpensive antioxidants, the antioxidant capacities of 45 selected medicinal plants were evaluated using ferric reducing antioxidant power (FRAP) and Trolox equivalent antioxidant capacity (TEAC) assays, respectively, and the total phenolic contents of these plants were measured by the Folin-Ciocalteu method. Most of these plants were analyzed for the first time for their antioxidant activities. It was found that the plants Sargentodoxa cuneata Rehd. et Wils., Fraxinus rhynchophylla Hance, Paeonia lactiflora Pall., Paeonia suffruticosa Andr. and Scutellaria baicalensis Georgi possessed the highest antioxidant capacities and thus could be potential rich sources of natural antioxidants. A strong correlation between TEAC values and those obtained from the FRAP assay implied that antioxidants in these plants were capable of scavenging free radicals and reducing oxidants. A high correlation between antioxidant capacities and total phenolic contents indicated that phenolic compounds were a major contributor to the antioxidant activity of these plants. © 2007 Swiss Society of Food Science and Technology.