Distributed Denial-of-Service (DDoS) attacks represent a persistent threat to modern telecommunications networks: detecting and counteracting them is still a crucial unresolved challenge for network operators. DDoS attack detection is usually carried out in one or more central nodes that collect significant amounts of monitoring data from networking devices, potentially creating issues related to network overload or delay in detection. The dawn of programmable data planes in Software-Defined Networks can help mitigate this issue, opening the door to the detection of DDoS attacks directly in the data plane of the switches. However, the most widely-adopted data plane programming language, namely P4, lacks supporting many arithmetic operations, therefore, some of the advanced network monitoring functionalities needed for DDoS detection cannot be straightforwardly implemented in P4. This work overcomes such a limitation and presents two novel strategies for flow cardinality and for normalized network traffic entropy estimation that only use P4-supported operations and guarantee a low relative error. Additionally, based on these contributions, we propose a DDoS detection strategy relying on variations of the normalized network traffic entropy. Results show that it has comparable or higher detection accuracy than state-of-the-art solutions, yet being simpler and entirely executed in the data plane.

Tracking Normalized Network Traffic Entropy to Detect DDoS Attacks in P4

Damu DIng;Marco Savi;Domenico Siracusa
In corso di stampa

Abstract

Distributed Denial-of-Service (DDoS) attacks represent a persistent threat to modern telecommunications networks: detecting and counteracting them is still a crucial unresolved challenge for network operators. DDoS attack detection is usually carried out in one or more central nodes that collect significant amounts of monitoring data from networking devices, potentially creating issues related to network overload or delay in detection. The dawn of programmable data planes in Software-Defined Networks can help mitigate this issue, opening the door to the detection of DDoS attacks directly in the data plane of the switches. However, the most widely-adopted data plane programming language, namely P4, lacks supporting many arithmetic operations, therefore, some of the advanced network monitoring functionalities needed for DDoS detection cannot be straightforwardly implemented in P4. This work overcomes such a limitation and presents two novel strategies for flow cardinality and for normalized network traffic entropy estimation that only use P4-supported operations and guarantee a low relative error. Additionally, based on these contributions, we propose a DDoS detection strategy relying on variations of the normalized network traffic entropy. Results show that it has comparable or higher detection accuracy than state-of-the-art solutions, yet being simpler and entirely executed in the data plane.
File in questo prodotto:
Non ci sono file associati a questo prodotto.

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: http://hdl.handle.net/11582/328390
 Attenzione

Attenzione! I dati visualizzati non sono stati sottoposti a validazione da parte dell'ateneo

Citazioni
  • ???jsp.display-item.citation.pmc??? ND
social impact