A Multi-Feature DDoS Detection Schema on P4 Network Hardware

Data plane programmability is a promising technology that enables rapid control loops for the detection and mitigation of cyber-attacks. In this context, we propose an in-network architecture for DDoS attack detection combining important traffic metrics of malicious traffic. These pertain to number of flows and packet symmetry, maintained for protected subnets and utilized to identify anomalies. Appropriate alarms are triggered within time-based epochs and conveyed to external mitigation systems. We assess our DDoS detection schema in P4-enabled SmartNICs in terms of detection accuracy and packet processing performance. As input to our accuracy experiments we use real publicly available traffic traces. Furthermore, performance stress tests were conducted using high speed packet generators. Results exhibit that our approach is applicable in typical enterprise and/or carrier environments, featuring packet rates of 1-2 Mpps for l0G links.