Volumetric distributed Denial-of-Service (DDoS) attacks have become one of
the most significant threats to modern telecommunication networks. However,
most existing defense systems require that detection software operates from a
centralized monitoring collector, leading to increased traffic load and delayed
response. The recent advent of Data Plane Programmability (DPP) enables an
alternative solution: threshold-based volumetric DDoS detection can be
performed directly in programmable switches to skim only potentially hazardous
traffic, to be analyzed in depth at the controller. In this paper, we first
introduce the BACON data structure based on sketches, to estimate
per-destination flow cardinality, and theoretically analyze it. Then we employ
it in a simple in-network DDoS victim identification strategy, INDDoS, to
detect the destination IPs for which the number of incoming connections exceeds
a pre-defined threshold. We describe its hardware implementation on a
Tofino-based programmable switch using the domain-specific P4 language, proving
that some limitations imposed by real hardware to safeguard processing speed
can be overcome to implement relatively complex packet manipulations. Finally,
we present some experimental performance measurements, showing that our
programmable switch is able to keep processing packets at line-rate while
performing volumetric DDoS detection, and also achieves a high F1 score on DDoS
victim identification.Comment: Accepted by IEEE Transactions on Network and Service Management
Special issue on Latest Developments for Security Management of Networks and
Service