DDoS Detection in P4 Using HYPERLOGLOG and COUNTMIN Sketches.

Vera Clemens, Lars-Christian Schulz, Marten Gartner, David Hausheer

NOMS (2023)

Abstract
Distributed denial-of-service (DDoS) attacks are a growing threat on the Internet. For example, the increasing number of small, low-powered devices in the Internet of Things can be hijacked by botnets and used to mount powerful DDoS attacks if they are not secured correctly. Previous work has already investigated how such attacks can be detected using efficient probabilistic data structures known as "sketches". In addition, software-defined networking and data plane programmability have opened the way for DDoS attack detection approaches that run entirely in the data plane. In this work, we specifically investigate an approach that combines HYPERLOGLOG and COUNTMIN sketches to detect DDoS attacks in P4-programmable network switches. We present an implementation of this approach for a software-based P4 switch and evaluate its accuracy, the detection latencies it achieves and its effect on throughput in an emulated environment. Our implementation achieves detection latencies as low as 0.97 s. The impact on switch throughput is limited to approximately 10% if the final detection step is offloaded to the controller. We explore the impact of different sketch sizes on detection accuracy and find a trade-off between accuracy and memory requirements.
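The following is an added, host-side Python model of the sketch pairing the abstract describes; it is not the paper's code and not a P4 program. It assumes one specific way of combining the two sketches: a COUNTMIN sketch estimates packets per destination, and an array with the same row/column layout holds one HYPERLOGLOG per cell to estimate distinct sources per destination, so collisions only inflate estimates (as in COUNTMIN). A destination is flagged when both estimates exceed thresholds. The thresholds, sketch sizes, class names and the traffic sample are all constructed for illustration, not taken from the paper.

```python
# Added example (not from the paper): COUNTMIN for packets per destination plus a
# COUNTMIN-shaped array of HYPERLOGLOG sketches for distinct sources per destination.
import hashlib
import math


def _hash64(seed: int, data: bytes) -> int:
    """Keyed 64-bit hash; different seeds give independent hash rows."""
    digest = hashlib.blake2b(data, digest_size=8, key=seed.to_bytes(8, "little")).digest()
    return int.from_bytes(digest, "little")


class CountMin:
    """Counts per key in `depth` rows; a query takes the minimum, so it never underestimates."""
    def __init__(self, width: int, depth: int):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]

    def index(self, row: int, key: bytes) -> int:
        return _hash64(row, key) % self.width

    def add(self, key: bytes, n: int = 1) -> None:
        for row in range(self.depth):
            self.table[row][self.index(row, key)] += n

    def estimate(self, key: bytes) -> int:
        return min(self.table[row][self.index(row, key)] for row in range(self.depth))


class HyperLogLog:
    """Cardinality estimator with m = 2**p registers holding the max leading-zero rank seen."""
    def __init__(self, p: int):
        self.p, self.m = p, 1 << p
        self.reg = [0] * self.m

    def add(self, item: bytes) -> None:
        x = _hash64(0xCAFE, item)                # seed distinct from the COUNTMIN row seeds
        idx = x >> (64 - self.p)                 # top p bits select the register
        rest = x & ((1 << (64 - self.p)) - 1)    # remaining bits give the rank
        rank = (64 - self.p) - rest.bit_length() + 1
        if rank > self.reg[idx]:
            self.reg[idx] = rank

    def count(self) -> float:
        m = self.m
        alpha = 0.7213 / (1 + 1.079 / m)         # bias constant for m >= 128
        raw = alpha * m * m / sum(2.0 ** -r for r in self.reg)
        zeros = self.reg.count(0)
        if raw <= 2.5 * m and zeros:             # small-range correction (linear counting)
            return m * math.log(m / zeros)
        return raw


class DDoSDetector:
    """Flags destinations that receive many packets from many distinct sources (assumed rule)."""
    def __init__(self, width=256, depth=2, p=8, pkt_threshold=1000, src_threshold=200):
        self.cm = CountMin(width, depth)
        # Same row/column indexing as the COUNTMIN sketch, but every cell is a HYPERLOGLOG.
        self.hll = [[HyperLogLog(p) for _ in range(width)] for _ in range(depth)]
        self.pkt_threshold, self.src_threshold = pkt_threshold, src_threshold

    def observe(self, src: str, dst: str) -> None:
        key = dst.encode()
        self.cm.add(key)
        for row in range(self.cm.depth):
            self.hll[row][self.cm.index(row, key)].add(src.encode())

    def distinct_sources(self, dst: str) -> float:
        key = dst.encode()
        return min(self.hll[row][self.cm.index(row, key)].count() for row in range(self.cm.depth))

    def is_under_attack(self, dst: str) -> bool:
        return (self.cm.estimate(dst.encode()) >= self.pkt_threshold
                and self.distinct_sources(dst) >= self.src_threshold)


def build_sample_traffic() -> list:
    """Constructed (src, dst) pairs: a flood on 10.0.0.9 from 1500 distinct sources, a busy
    but legitimate server 10.0.0.5 with 20 clients, and light background traffic."""
    pkts = [(f"198.51.{i // 250}.{i % 250}", "10.0.0.9") for i in range(1500)] * 2
    pkts += [(f"192.0.2.{i % 20}", "10.0.0.5") for i in range(3000)]
    pkts += [(f"192.0.2.{i % 4}", f"10.0.1.{d}") for d in range(50) for i in range(10)]
    return pkts


def run_detection(packets: list) -> dict:
    """Returns {dst: (packet_estimate, distinct_source_estimate)} for flagged destinations."""
    det = DDoSDetector()
    for src, dst in packets:
        det.observe(src, dst)
    flagged = {}
    for dst in sorted({d for _, d in packets}):
        if det.is_under_attack(dst):
            flagged[dst] = (det.cm.estimate(dst.encode()), round(det.distinct_sources(dst)))
    return flagged


if __name__ == "__main__":
    print(run_detection(build_sample_traffic()))
```

Running the module flags only 10.0.0.9: the COUNTMIN estimate reports at least its 3000 packets (it can only overestimate), and the HYPERLOGLOG estimate lands near 1500 distinct sources (about 6.5% relative error at 256 registers). The equally busy server 10.0.0.5 stays below the source threshold, which is the point of pairing the two sketches: packet volume alone cannot separate a flood from a popular service, and the memory cost of the distinct-source estimate is fixed by `width`, `depth` and `p` rather than by the number of destinations or sources.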
Keywords
COUNTMIN sketch, data plane programmability, DDoS attack detection, distributed denial-of-service attack detection, HYPERLOGLOG sketch, Internet of Things, P4-programmable network switches, probabilistic data structures, small low-powered devices, software-based P4 switch, software-defined networking