INDDoS+: secure DDoS detection mechanism in programmable switches

Ding D, Kesgin O, Zilberman N

Volumetric distributed Denial-of-Service (DDoS) attacks are a key issue in modern telecommunication networks, since they can exhaust the resources of legitimate users and cripple network services. Recently, with the emergence of high-throughput, low-latency programmable switches, DDoS detection mechanisms have been designed and implemented in an in-network manner, that is, with DDoS detection executed directly within programmable switches. State-of-the-art works use advanced data structures to monitor the number of connections targeting each destination host: if there is a sudden increase in connections and the number exceeds a given threshold, the destination host is most likely under DDoS attack. However, while this approach is efficient at identifying DDoS victims, the detection mechanism itself has inherent vulnerabilities that may lead to security issues. In this paper, we study two possible vulnerabilities in DDoS detection data structures, showing how DDoS detection mechanisms in programmable switches can be broken. To mitigate the constructed attacks, we propose a solution called INDDoS+. The results show that INDDoS+ is robust to these attacks and can accurately detect DDoS attempts even when limited hardware resources are assigned.
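The threshold-based, per-destination distinct-source counting that the abstract describes, as an added illustration in Python rather than code from the paper: each destination gets a fixed-size bitmap indexed by a hash of the source, and a linear-counting estimate of distinct sources is compared against a threshold. The bitmap width, the threshold and the sample traffic are constructed assumptions, not values from the paper.

```python
import hashlib
import math
from collections import defaultdict

# Added illustration, not code from the INDDoS+ paper: a simplified in-network
# DDoS victim detector. Each destination owns a fixed-size bitmap; every packet
# sets the bit its source address hashes to, and the number of set bits yields a
# "linear counting" estimate of distinct sources. A destination whose estimate
# crosses THRESHOLD is reported as a likely DDoS victim.
BITMAP_BITS = 1024   # assumed register width per destination (hypothetical value)
THRESHOLD = 20       # assumed distinct-source count that flags a victim (hypothetical)


def bucket(src: str, bits: int) -> int:
    """Stable hash of a source address onto one of `bits` bitmap positions."""
    digest = hashlib.sha256(src.encode()).digest()
    return int.from_bytes(digest[:4], "big") % bits


class VictimDetector:
    def __init__(self, bits: int = BITMAP_BITS, threshold: int = THRESHOLD):
        self.bits = bits
        self.threshold = threshold
        self.bitmaps = defaultdict(int)  # dst -> Python int used as a bitmap

    def observe(self, src: str, dst: str) -> bool:
        """Account for one packet; return True if dst is now at or over threshold."""
        self.bitmaps[dst] |= 1 << bucket(src, self.bits)
        return self.estimate(dst) >= self.threshold

    def estimate(self, dst: str) -> float:
        """Linear-counting estimate of distinct sources seen for dst. Hash collisions
        only lower the set-bit count, so the estimate is near exact while the bitmap
        is sparse and saturates (undercounts) as it fills: bitmap size bounds accuracy."""
        set_bits = bin(self.bitmaps[dst]).count("1")
        zero_fraction = (self.bits - set_bits) / self.bits
        if zero_fraction == 0:
            return float("inf")  # bitmap saturated; true count is at least `bits`
        return -self.bits * math.log(zero_fraction)


def flagged_destinations(packets, bits: int = BITMAP_BITS, threshold: int = THRESHOLD):
    """Run the detector over (src, dst) pairs and return the set of flagged destinations."""
    detector = VictimDetector(bits, threshold)
    return {dst for src, dst in packets if detector.observe(src, dst)}


# Constructed sample traffic: five clients repeatedly talk to 10.0.0.1 (benign),
# while forty distinct sources each hit 10.0.0.2, the volumetric pattern being detected.
SAMPLE_PACKETS = [(f"192.0.2.{i}", "10.0.0.1") for i in range(1, 6)] * 3 + \
                 [(f"198.51.100.{i}", "10.0.0.2") for i in range(1, 41)]
```

Repeated packets from the same source do not raise the estimate, which is what distinguishes a burst of new connections from a busy but legitimate client; the price is that a full bitmap can no longer tell large counts apart.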

Keywords: data structures, reliability, computer crime, denial-of-service attack, routing, switches, security