Distributed Denial-of-Service (DDoS) attacks represent a persistent threat to
modern telecommunications networks: detecting and counteracting them is still a
crucial unresolved challenge for network operators. DDoS attack detection is
usually carried out in one or more central nodes that collect significant
amounts of monitoring data from networking devices, potentially creating issues
related to network overload or delay in detection. The dawn of programmable
data planes in Software-Defined Networks can help mitigate this issue, opening
the door to the detection of DDoS attacks directly in the data plane of the
switches. However, the most widely-adopted data plane programming language,
namely P4, lacks supporting many arithmetic operations, therefore, some of the
advanced network monitoring functionalities needed for DDoS detection cannot be
straightforwardly implemented in P4. This work overcomes such a limitation and
presents two novel strategies for flow cardinality and for normalized network
traffic entropy estimation that only use P4-supported operations and guarantee
a low relative error. Additionally, based on these contributions, we propose a
DDoS detection strategy relying on variations of the normalized network traffic
entropy. Results show that it has comparable or higher detection accuracy than
state-of-the-art solutions, yet being simpler and entirely executed in the data
plane.Comment: Accepted by TDSC on 24/09/202