Abstract
Distributed Denial-of-Service (DDoS) attacks continue to pose a significant threat to the Internet. While middlebox-based defenses offer high performance, they are costly and lack flexibility. Software-based defenses, on the other hand, provide flexibility but suffer from low performance. Recently, programmable switches have emerged and present an opportunity for efficient in-network defenses against DDoS attacks at line speed. Unfortunately, most existing in-network defenses fail to run on the switch data plane and introduce high latency.
To address these issues, we propose Patronum, an in-network defense system running entirely in the data plane of programmable switches to defend against various volumetric DDoS attacks. After a thorough study, we summarize volumetric DDoS attacks into two distinct threat models: many-to-few (M2F) and few-to-few (F2F). On this basis, we implement two independent approaches to detect M2F and F2F attacks, respectively. For M2F attacks, we devise an entropy-based approach and employ an approximate calculation method so that it can execute within the switch data plane. For F2F attacks, we further design a bandwidth monitor with a fine-grained time window management mechanism. We implement Patronum on an Intel Tofino switch and compare it with the state-of-the-art DDoS defense systems AccTurbo and Jaqen on the CAIDA and MAWI datasets. The experimental results show that the average impact of Patronum on benign traffic is only 28% of that of AccTurbo, while its mitigation effect on attack traffic is 16% better than that of Jaqen.
Notes
1. Tofino 1 has 12 stages and Tofino 2 has 20 stages.
2. The specific numerical values are considered proprietary information under the non-disclosure agreement (NDA) with the switch vendor.
3. Please refer to Appendix A for the detailed derivation of this formula.
4. TRex website: https://trex-tgn.cisco.com.
References
Akem, A.T.J., Gucciardo, M., Fiore, M.: Flowrest: practical flow-level inference in programmable switches with random forests. In: IEEE INFOCOM 2023 - IEEE Conference on Computer Communications, pp. 1–10 (2023). https://doi.org/10.1109/INFOCOM53939.2023.10229100
Alcoz, A.G., Strohmeier, M., Lenders, V., Vanbever, L.: Aggregate-based congestion control for pulse-wave DDoS defense. In: Proceedings of the ACM SIGCOMM 2022 Conference, SIGCOMM 2022, pp. 693–706. Association for Computing Machinery, New York, NY, USA (2022). https://doi.org/10.1145/3544216.3544263
Antonakakis, M., et al.: Understanding the mirai botnet. In: 26th USENIX Security Symposium (USENIX Security 17), pp. 1093–1110. USENIX Association, Vancouver, BC (2017). https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/antonakakis
Barbette, T., Soldani, C., Mathy, L.: Fast userspace packet processing. In: 2015 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS), pp. 5–16 (2015). https://doi.org/10.1109/ANCS.2015.7110116
Barradas, D., Santos, N., Rodrigues, L., Signorello, S., Ramos, F.M.V., Madeira, A.: FlowLens: enabling efficient flow classification for ML-based network security applications. In: Proceedings of the 28th Network and Distributed System Security Symposium. San Diego, CA, USA (2021). https://doi.org/10.14722/ndss.2021.24067
Bosshart, P., et al.: P4: programming protocol-independent packet processors. SIGCOMM Comput. Commun. Rev. 44(3), 87–95 (2014). https://doi.org/10.1145/2656877.2656890
CAIDA: The CAIDA UCSD anonymized internet traces 2018. (2018). http://www.caida.org/data/passive/passive_2018_dataset.xml
Cloudflare: DDoS attack trends for 2022 q4 (2023). https://radar.cloudflare.com/reports/ddos-2022-q4
Cloudflare: DDoS attack trends for 2023 q1 (2023). https://radar.cloudflare.com/reports/ddos-2023-q1
Cormode, G., Muthukrishnan, S.: An improved data stream summary: the count-min sketch and its applications. J. Algorithms 55(1), 58–75 (2005). https://doi.org/10.1016/j.jalgor.2003.12.001
Corporation, C.: How much will a DDoS attack cost your business? (2021). https://www.cloudbric.com/how-much-will-a-ddos-attack-cost-your-business/
Cui, P., et al.: NetFC: enabling accurate floating-point arithmetic on programmable switches. In: 2021 IEEE 29th International Conference on Network Protocols (ICNP), pp. 1–11 (2021). https://doi.org/10.1109/ICNP52444.2021.9651946
Ding, D., Savi, M., Pederzolli, F., Campanella, M., Siracusa, D.: In-network volumetric DDoS victim identification using programmable commodity switches. IEEE Trans. Netw. Serv. Manage. 18(2), 1191–1202 (2021). https://doi.org/10.1109/TNSM.2021.3073597
Ding, D., Savi, M., Siracusa, D.: Estimating logarithmic and exponential functions to track network traffic entropy in P4. In: NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium, pp. 1–9 (2020). https://doi.org/10.1109/NOMS47738.2020.9110257
Ding, D., Savi, M., Siracusa, D.: Tracking normalized network traffic entropy to detect DDoS attacks in p4. IEEE Trans. Dependable Secure Comput. 19(6), 4019–4031 (2022). https://doi.org/10.1109/TDSC.2021.3116345
Fayaz, S.K., Tobioka, Y., Sekar, V., Bailey, M.: Bohatei: flexible and elastic DDoS defense. In: 24th USENIX Security Symposium (USENIX Security 15), pp. 817–832. USENIX Association, Washington, D.C. (2015). https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/fayaz
Fontugne, R., Borgnat, P., Abry, P., Fukuda, K.: MAWILab: combining diverse anomaly detectors for automated anomaly labeling and performance benchmarking. In: Proceedings of the 6th International Conference, Co-NEXT 2010. Association for Computing Machinery, New York, NY, USA (2010). https://doi.org/10.1145/1921168.1921179
Foundation, L.: Data plane development kit (DPDK) (2015). http://www.dpdk.org
Friday, K., Kfoury, E., Bou-Harb, E., Crichigno, J.: Inc: in-network classification of botnet propagation at line rate. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds.) Computer Security – ESORICS 2022, pp. 551–569. Springer International Publishing, Cham (2022). https://doi.org/10.1007/978-3-031-17140-6_27
Harrison, R., Cai, Q., Gupta, A., Rexford, J.: Network-wide heavy hitter detection with commodity switches. In: Proceedings of the Symposium on SDN Research, SOSR 2018. Association for Computing Machinery, New York, NY, USA (2018). https://doi.org/10.1145/3185467.3185476
Ilha, A.d.S., Lapolli, A.C., Marques, J.A., Gaspary, L.P.: Euclid: a fully in-network, P4-based approach for real-time DDoS attack detection and mitigation. IEEE Trans. Netw. Serv. Manage. 18(3), 3121–3139 (2021). https://doi.org/10.1109/TNSM.2020.3048265
Intel: Intel tofino (2023). https://www.intel.com/content/www/us/en/products/details/network-io/intelligent-fabric-processors/tofino.html
Kim, C., et al.: In-band network telemetry via programmable dataplanes. In: ACM SIGCOMM, vol. 15, pp. 1–2 (2015)
Kim, S., Jung, C., Jang, R., Mohaisen, D., Nyang, D.: A robust counting sketch for data plane intrusion detection. In: 30th Annual Network and Distributed System Security Symposium, NDSS 2023, San Diego, California, USA, February 27 - March 3, 2023. The Internet Society (2023). https://doi.org/10.14722/ndss.2023.23102
Kottler, S.: February 28th DDoS incident report (2018). https://github.blog/2018-03-01-ddos-incident-report/
Lapolli, A.C., Adilson Marques, J., Gaspary, L.P.: Offloading real-time DDoS attack detection to programmable data planes. In: 2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM), pp. 19–27 (2019)
Liu, Z., Manousis, A., Vorsanger, G., Sekar, V., Braverman, V.: One sketch to rule them all: rethinking network flow monitoring with UnivMon. In: Proceedings of the 2016 ACM SIGCOMM Conference, SIGCOMM 2016, pp. 101–114. Association for Computing Machinery, New York, NY, USA (2016). https://doi.org/10.1145/2934872.2934906
Liu, Z., et al.: Jaqen: a high-performance switch-native approach for detecting and mitigating volumetric DDoS attacks with programmable switches. In: 30th USENIX Security Symposium (USENIX Security 21), pp. 3829–3846. USENIX Association (2021). https://www.usenix.org/conference/usenixsecurity21/presentation/liu-zaoxing
Mahimkar, A., Dange, J., Shmatikov, V., Vin, H., Zhang, Y.: dFence: transparent network-based denial of service mitigation. In: 4th USENIX Symposium on Networked Systems Design & Implementation (NSDI 07). USENIX Association, Cambridge, MA (2007). https://www.usenix.org/conference/nsdi-07/dfence-transparent-network-based-denial-service-mitigation
Microsoft: 2022 in review: DDoS attack trends and insights (2022). https://www.microsoft.com/en-us/security/blog/2023/02/21/2022-in-review-ddos-attack-trends-and-insights/
P4lang: P4 behavioral model (bmv2) (2023). https://github.com/p4lang/behavioral-model
Roberts, S.W.: Control chart tests based on geometric moving averages. Technometrics 42(1), 97–101 (2000). https://doi.org/10.1080/00401706.2000.10485986
Rossow, C.: Amplification hell: revisiting network protocols for DDoS abuse. In: 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23-26, 2014. The Internet Society (2014). https://doi.org/10.14722/ndss.2014.23233
Shannon, C.E.: A mathematical theory of communication. Bell Syst. Tech. J. 27(3), 379–423 (1948). https://doi.org/10.1002/j.1538-7305.1948.tb01338.x
Wang, H., Zhang, D., Shin, K.: Change-point monitoring for the detection of dos attacks. IEEE Trans. Dependable Secure Comput. 1(4), 193–208 (2004). https://doi.org/10.1109/TDSC.2004.34
Wikipedia: Netflow (2023). https://en.wikipedia.org/wiki/NetFlow
Wikipedia: sflow (2023). https://en.wikipedia.org/wiki/SFlow
Xie, G., Li, Q., Dong, Y., Duan, G., Jiang, Y., Duan, J.: Mousika: enable general in-network intelligence in programmable switches by knowledge distillation. In: IEEE INFOCOM 2022 - IEEE Conference on Computer Communications, pp. 1938–1947 (2022). https://doi.org/10.1109/INFOCOM48880.2022.9796936
Xing, J., Kang, Q., Chen, A.: NetWarden: mitigating network covert channels while preserving performance. In: 29th USENIX Security Symposium (USENIX Security 20), pp. 2039–2056. USENIX Association (2020). https://www.usenix.org/conference/usenixsecurity20/presentation/xing
Yang, T., et al.: Elastic sketch: adaptive and fast network-wide measurements. In: Proceedings of the 2018 Conference of the ACM Special Interest Group on Data Communication, SIGCOMM 2018, pp. 561–575. Association for Computing Machinery, New York, NY, USA (2018). https://doi.org/10.1145/3230543.3230544
Zhang, M., et al.: Poseidon: mitigating volumetric DDoS attacks with programmable switches. In: 27th Annual Network and Distributed System Security Symposium, NDSS 2020, San Diego, California, USA, February 23-26, 2020. The Internet Society (2020). https://doi.org/10.14722/ndss.2020.24007
Zhang, Y., et al.: CocoSketch: high-performance sketch-based measurement over arbitrary partial key query. In: Proceedings of the 2021 ACM SIGCOMM 2021 Conference, SIGCOMM 2021, pp. 207–222. Association for Computing Machinery, New York, NY, USA (2021). https://doi.org/10.1145/3452296.3472892
Zheng, C., Zilberman, N.: Planter: seeding trees within switches. In: Proceedings of the SIGCOMM 2021 Poster and Demo Sessions, pp. 12–14. Association for Computing Machinery, New York, NY, USA (2021). https://doi.org/10.1145/3472716.3472846
Zhou, G., Liu, Z., Fu, C., Li, Q., Xu, K.: An efficient design of intelligent network data plane. In: 32nd USENIX Security Symposium (USENIX Security 23), pp. 6203–6220. USENIX Association, Anaheim, CA (2023). https://www.usenix.org/conference/usenixsecurity23/presentation/zhou-guangmeng
Acknowledgments
This work is supported in part by the National Key R&D Program of China (Grant No. 2022YFB3103000), and in part by the National Natural Science Foundation of China (Grant No. U20A20180 and Grant No. 62072430). The corresponding author is Heng Pan.
A Derivation of Entropy Reformulation
![figure b](http://media.springernature.com/lw685/springer-static/image/chp%3A10.1007%2F978-3-031-70903-6_10/MediaObjects/637049_1_En_10_Figb_HTML.png)
Note that \(\sum _{i=1}^{M_k} f_k(x_i) = N\).
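The derivation itself is only available as the figure above, so as an added illustration (not the paper's code) the following Python checks the standard entropy reformulation numerically, using the page's symbols: with counts \(f_k(x_i)\) over \(M_k\) distinct values and \(\sum f_k(x_i) = N\), \(H_k = \log_2 N - \frac{1}{N}\sum_i f_k(x_i)\log_2 f_k(x_i)\), which needs only a per-value counter and one running sum per packet. It is assumed that this is the reformulation Appendix A derives, that the feature is the destination address, and that a fixed-point \(\log_2\) lookup table stands in for the approximate calculation the abstract mentions; the exact table scheme of Patronum is not on this page.

```python
import math
from collections import Counter

# Constructed sample windows of N = 64 destination addresses (assumed feature).
# Benign traffic spreads over many destinations; a many-to-few (M2F) flood
# concentrates most packets on one destination.
BENIGN_WINDOW = ["10.0.0.%d" % (i % 16) for i in range(64)]
M2F_WINDOW = ["10.0.0.1"] * 60 + ["10.0.0.%d" % i for i in range(2, 6)]

def shannon_entropy(window):
    """Direct H = -sum_i p_i log2 p_i with p_i = f(x_i) / N."""
    n = len(window)
    return -sum((c / n) * math.log2(c / n) for c in Counter(window).values())

def reformulated_entropy(window, log2_fn=math.log2):
    """H = log2(N) - (1/N) * sum_i f(x_i) log2 f(x_i), accumulated per packet.

    Only the counter f for the arriving value and one running sum S change on
    each packet, which is what makes the form fit a per-packet register update.
    """
    counts = Counter()
    s = 0.0
    for dst in window:
        f_old = counts[dst]
        f_new = f_old + 1
        counts[dst] = f_new
        # Telescoping update: add the change of f*log2(f) for the one counter moved.
        s += f_new * log2_fn(f_new) - (f_old * log2_fn(f_old) if f_old else 0.0)
    n = len(window)
    return log2_fn(n) - s / n

# Assumed approximation scheme: log2 via a fixed-point lookup table indexed by
# the counter value (1..TABLE_SIZE), FRAC_BITS fractional bits, log2(0) := 0.
TABLE_SIZE, FRAC_BITS = 1024, 8
LOG2_TABLE = [0] + [round(math.log2(v) * (1 << FRAC_BITS)) for v in range(1, TABLE_SIZE + 1)]

def table_log2(v):
    """Table-based log2 as a switch would compute it (v must not exceed TABLE_SIZE)."""
    return LOG2_TABLE[v] / (1 << FRAC_BITS)

def normalized_entropy(window, log2_fn=math.log2):
    """Entropy divided by its maximum log2(M) for M distinct values, in [0, 1]."""
    m = len(set(window))
    return reformulated_entropy(window, log2_fn) / log2_fn(m) if m > 1 else 0.0

def is_m2f_suspect(window, threshold=0.5):
    """Flag a window whose normalized destination entropy collapses below threshold."""
    return normalized_entropy(window, table_log2) < threshold
```

The benign window gives exactly 4 bits by both formulas (16 destinations, 4 packets each), while the flood window drops to about 0.46 bits and is flagged; the table approximation lands within 0.01 bit of the exact value.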
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Wu, J. et al. (2024). Patronum: In-network Volumetric DDoS Detection and Mitigation with Programmable Switches. In: Garcia-Alfaro, J., Kozik, R., Choraś, M., Katsikas, S. (eds) Computer Security – ESORICS 2024. ESORICS 2024. Lecture Notes in Computer Science, vol 14985. Springer, Cham. https://doi.org/10.1007/978-3-031-70903-6_10
DOI: https://doi.org/10.1007/978-3-031-70903-6_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-70902-9
Online ISBN: 978-3-031-70903-6
eBook Packages: Computer Science, Computer Science (R0)