Xin Zhe Khooi, Levente Csikor, D. Divakaran, M. Kang
{"title":"DIDA:针对放大反射DDoS攻击的分布式网内防御架构","authors":"Xin Zhe Khooi, Levente Csikor, D. Divakaran, M. Kang","doi":"10.1109/NetSoft48620.2020.9165488","DOIUrl":null,"url":null,"abstract":"With each new DDoS attack potentially becoming a higher intensity attack than the previous ones, current ISP measures of over-provisioning or employing a scrubbing service are becoming ineffective and inefficient. We argue that we need an in-network solution (i.e., entirely in the data plane), to detect DDoS attacks, identify the corresponding traffic and mitigate promptly. In this paper, we propose the first distributed in-network defense architecture, DIDA, to cope with the sophisticated amplified reflection DDoS (AR-DDoS) attacks. We leverage programmable stateful data planes and efficient data structures and show that it is possible to keep track of per-user connections in an automated and distributed manner without overwhelming the network controller. Building on top of this data, DIDA can easily detect if unsolicited attack packets are sent towards a victim within an ISP network. Once an attack is detected, the routers at the network edge automatically block the malicious sources. We prototype DIDA in P4. Our preliminary experiments show that DIDA can detect and mitigate 99.8% of amplification attacks containing 7, 000 different sources while requiring less than 1% of the memory of current programmable switches.","PeriodicalId":239961,"journal":{"name":"2020 6th IEEE Conference on Network Softwarization (NetSoft)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"19","resultStr":"{\"title\":\"DIDA: Distributed In-Network Defense Architecture Against Amplified Reflection DDoS Attacks\",\"authors\":\"Xin Zhe Khooi, Levente Csikor, D. Divakaran, M. Kang\",\"doi\":\"10.1109/NetSoft48620.2020.9165488\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"With each new DDoS attack potentially becoming a higher intensity attack than the previous ones, current ISP measures of over-provisioning or employing a scrubbing service are becoming ineffective and inefficient. We argue that we need an in-network solution (i.e., entirely in the data plane), to detect DDoS attacks, identify the corresponding traffic and mitigate promptly. In this paper, we propose the first distributed in-network defense architecture, DIDA, to cope with the sophisticated amplified reflection DDoS (AR-DDoS) attacks. We leverage programmable stateful data planes and efficient data structures and show that it is possible to keep track of per-user connections in an automated and distributed manner without overwhelming the network controller. Building on top of this data, DIDA can easily detect if unsolicited attack packets are sent towards a victim within an ISP network. Once an attack is detected, the routers at the network edge automatically block the malicious sources. We prototype DIDA in P4. Our preliminary experiments show that DIDA can detect and mitigate 99.8% of amplification attacks containing 7, 000 different sources while requiring less than 1% of the memory of current programmable switches.\",\"PeriodicalId\":239961,\"journal\":{\"name\":\"2020 6th IEEE Conference on Network Softwarization (NetSoft)\",\"volume\":\"1 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2020-06-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"19\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2020 6th IEEE Conference on Network Softwarization (NetSoft)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/NetSoft48620.2020.9165488\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 6th IEEE Conference on Network Softwarization (NetSoft)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/NetSoft48620.2020.9165488","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
DIDA: Distributed In-Network Defense Architecture Against Amplified Reflection DDoS Attacks
With each new DDoS attack potentially becoming a higher intensity attack than the previous ones, current ISP measures of over-provisioning or employing a scrubbing service are becoming ineffective and inefficient. We argue that we need an in-network solution (i.e., entirely in the data plane), to detect DDoS attacks, identify the corresponding traffic and mitigate promptly. In this paper, we propose the first distributed in-network defense architecture, DIDA, to cope with the sophisticated amplified reflection DDoS (AR-DDoS) attacks. We leverage programmable stateful data planes and efficient data structures and show that it is possible to keep track of per-user connections in an automated and distributed manner without overwhelming the network controller. Building on top of this data, DIDA can easily detect if unsolicited attack packets are sent towards a victim within an ISP network. Once an attack is detected, the routers at the network edge automatically block the malicious sources. We prototype DIDA in P4. Our preliminary experiments show that DIDA can detect and mitigate 99.8% of amplification attacks containing 7, 000 different sources while requiring less than 1% of the memory of current programmable switches.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
