Offloading Real-time DDoS Attack Detection to Programmable Data Planes

In recent years, Distributed Denial-of-Service (DDoS) attacks have escalated both in frequency and traffic volume, with outbreaks reaching rates up to the order of terabits per second and compromising the availability of supposedly highly resilient infrastructure (e.g., DNS and cloud-based web hosting). The reality is that existing detection solutions resort to a combination of mechanisms, such as packet sampling and transmission of gathered data to external software, which makes it very difficult (if at all possible) to reach a good compromise for accuracy (higher is better), resource usage footprint, and latency (lower is better). Data plane programmability has emerged as a promising approach to help meeting these requirements as forwarding devices can be configured to execute algorithms and examine traffic at line rate. In this paper, we explore P4 primitives to design a fine-grained, low-footprint, and low-latency traffic inspection mechanism for real-time DDoS attack detection. Our proposal - the first to be fully in-network - contributes to shed light on the challenges to implement sophisticated security logic on forwarding devices given that, to operate at high throughput, the inspection (and overall processing) of packets is subject to a small time budget (dozens of nanoseconds) and limited memory space (in the order of megabytes). We evaluate the proposed mechanism using packet traces from CAIDA. The results show that it can detect DDoS attacks entirely within the data plane with high accuracy (98.2%) and low latency (≈250 ms) while keeping device resource usage low (dozens of kilobytes in SRAM per 1 Gbps link and a few hundred TCAM entries).