Euclid: A Fully In-Network, P4-Based Approach for Real-Time DDoS Attack Detection and Mitigation

Distributed Denial-of-Service (DDoS) attacks have been steadily escalating in frequency, scale, and disruptiveness - with outbreaks reaching multiple terabits per second and compromising the availability of highly-resilient networked systems. Existing defenses require frequent interaction between forwarding and control planes, making it difficult to reach a satisfactory trade-off between accuracy (higher is better), resource usage, and defense response delay (lower is better). Recently, high-performance programmable data planes have made it possible to develop a new generation of mechanisms to analyze and manage traffic at line rate. In this article, we explore P4 language constructs and primitives to design Euclid, a fully in-network fine-grained, low-footprint, and low-delay traffic analysis mechanism for DDoS attack detection and mitigation. Euclid utilizes information-theoretic and statistical analysis to detect attacks and classify packets as either legitimate or malicious, thus enabling the enforcement of policies (e.g., discarding, inspection, or throttling) to prevent attack traffic from disrupting the operation of its victims. We experimentally evaluate our proposed mechanism using packet traces from CAIDA. The results indicate that Euclid can detect attacks with high accuracy (98.2%) and low delay (≈250 ms), and correctly identify most of the attack packets (>96%) without affecting more than 1% of the legitimate traffic. Furthermore, our approach operates under a small resource usage footprint (tens of kilobytes of static random-access memory per 1 Gbps link and a few hundred ternary content-addressable memory entries), thus enabling its deployability on high-throughput, high-volume scenarios.