
Patronum: In-network Volumetric DDoS Detection and Mitigation with Programmable Switches

  • Conference paper
  • Computer Security – ESORICS 2024 (ESORICS 2024)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14985)

Abstract

Distributed Denial-of-Service (DDoS) attacks continue to pose a significant threat to the Internet. While middlebox-based defenses offer high performance, they are costly and lack flexibility. Software-based defenses, on the other hand, provide flexibility but suffer from low performance. Recently, programmable switches have emerged and present an opportunity for efficient in-network defenses against DDoS attacks at line speed. Unfortunately, most existing in-network defenses fail to run on the switch data plane and introduce high latency.

To address these issues, we propose Patronum, an in-network defense system that runs entirely in the data plane of programmable switches to defend against various volumetric DDoS attacks. We summarize volumetric DDoS attacks into two distinct threat models, which we study thoroughly: many-to-few (M2F) and few-to-few (F2F). On this basis, we implement two independent approaches to detect M2F and F2F attacks, respectively. For M2F attacks, we devise an entropy-based approach and employ an approximate calculation method so that it can execute within the switch data plane. For F2F attacks, we further design a bandwidth monitor with a fine-grained time window management mechanism. We implement Patronum on an Intel Tofino switch and compare it with the state-of-the-art DDoS defense systems AccTurbo and Jaqen on the CAIDA and MAWI datasets. The experimental results show that the average impact of Patronum on benign traffic is only 28% of that of AccTurbo, while its mitigation effect on attack traffic is 16% better than that of Jaqen.


Notes

  1. Tofino 1 has 12 stages and Tofino 2 has 20 stages.

  2. The specific numerical values are considered proprietary information under the non-disclosure agreement (NDA) with the switch vendor.

  3. Please refer to Appendix A for the detailed derivation of this formula.

  4. TRex website: https://trex-tgn.cisco.com.


Acknowledgments

This work is supported in part by the National Key R&D Program of China (Grant No. 2022YFB3103000), and in part by the National Natural Science Foundation of China (Grant No. U20A20180 and Grant No. 62072430). The corresponding author is Heng Pan.

Author information

Correspondence to Jiahao Wu or Heng Pan.

A Derivation of Entropy Reformulation

[Figure b: the step-by-step derivation appears as an image on the original page.]

Note that \(\sum _{i=1}^{M_k} f_k(x_i) = N\).
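An added illustration, not code from the paper: the identity \(\sum _{i=1}^{M_k} f_k(x_i) = N\) is what lets the Shannon entropy of a per-key count distribution be rewritten as \(H = \log_2 N - \frac{1}{N}\sum_i f_k(x_i)\log_2 f_k(x_i)\), so that a single running accumulator of \(f \log_2 f\) terms suffices and \(\log_2 N\) is applied once at the end of the window. The Python below checks that rewrite against the direct definition and then applies it in one pass, the way a per-packet pipeline would, to a constructed benign window and a constructed M2F-like window keyed by destination IP. The choice of destination IP as the key, the window contents and the alert threshold are assumptions for illustration; the paper's own data-plane approximation of the logarithm is not reproduced here.

```python
import math
from collections import Counter

# Constructed sample windows (not real traces). Each list is the sequence of
# destination-IP keys seen in one measurement window of 100 packets.
# Benign window: 20 destinations, 5 packets each.
BENIGN_WINDOW = ["10.0.0.%d" % i for i in range(1, 21)] * 5
# M2F-like window: same packet budget, but 90 of 100 packets hit one host.
M2F_WINDOW = ["10.0.0.1"] * 90 + ["10.0.0.%d" % i for i in range(2, 12)]


def flow_counts(packets):
    """f_k(x_i): number of packets observed for each distinct key x_i."""
    return Counter(packets)


def entropy_direct(counts):
    """Shannon entropy H = -sum_i p_i log2 p_i with p_i = f_k(x_i) / N."""
    n = sum(counts.values())
    return -sum((f / n) * math.log2(f / n) for f in counts.values())


def entropy_reformulated(counts):
    """H = log2 N - (1/N) * sum_i f_k(x_i) log2 f_k(x_i).

    Uses sum_i f_k(x_i) = N to pull log2 N out of the sum, so only per-key
    f*log2(f) terms need accumulating during the window.
    """
    n = sum(counts.values())
    acc = sum(f * math.log2(f) for f in counts.values())
    return math.log2(n) - acc / n


def entropy_incremental(packets):
    """Single pass over the window: keep per-key counts, a packet total N and a
    running accumulator S = sum f log2 f, updating S by the delta of the one
    key that changed on each packet. Finalize with log2 N - S / N."""
    counts = {}
    s = 0.0
    n = 0
    for key in packets:
        f_old = counts.get(key, 0)
        f_new = f_old + 1
        counts[key] = f_new
        n += 1
        # Only the term for `key` changes: subtract the old term, add the new.
        old_term = f_old * math.log2(f_old) if f_old > 0 else 0.0
        s += f_new * math.log2(f_new) - old_term
    return math.log2(n) - s / n


def m2f_alert(packets, threshold_bits):
    """Flag a window whose destination entropy drops below a threshold (bits).
    The threshold is an illustrative assumption, not a value from the paper."""
    return entropy_incremental(packets) < threshold_bits


if __name__ == "__main__":
    for name, window in (("benign", BENIGN_WINDOW), ("m2f", M2F_WINDOW)):
        print(name, round(entropy_incremental(window), 4),
              "alert" if m2f_alert(window, 2.0) else "ok")
```

The benign window evaluates to log2 20 bits (about 4.32) and the concentrated window to about 0.80 bits, so a threshold anywhere between them separates the two; in practice the threshold would be set from an observed baseline rather than fixed, and any logarithm approximation used in the data plane adds its own error band on top of that margin.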


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Wu, J. et al. (2024). Patronum: In-network Volumetric DDoS Detection and Mitigation with Programmable Switches. In: Garcia-Alfaro, J., Kozik, R., Choraś, M., Katsikas, S. (eds) Computer Security – ESORICS 2024. ESORICS 2024. Lecture Notes in Computer Science, vol 14985. Springer, Cham. https://doi.org/10.1007/978-3-031-70903-6_10


  • DOI: https://doi.org/10.1007/978-3-031-70903-6_10


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-70902-9

  • Online ISBN: 978-3-031-70903-6

  • eBook Packages: Computer Science (R0)
