Authors
Xin Zhe Khooi, Levente Csikor, Dinil Mon Divakaran, Min Suk Kang
Publication date
2020/6/29
Conference
2020 6th IEEE Conference on Network Softwarization (NetSoft)
Pages
277-281
Publisher
IEEE
Description
With each new DDoS attack potentially becoming a higher intensity attack than the previous ones, current ISP measures of over-provisioning or employing a scrubbing service are becoming ineffective and inefficient. We argue that we need an in-network solution (i.e., entirely in the data plane), to detect DDoS attacks, identify the corresponding traffic and mitigate promptly. In this paper, we propose the first distributed in-network defense architecture, DIDA, to cope with the sophisticated amplified reflection DDoS (AR-DDoS) attacks. We leverage programmable stateful data planes and efficient data structures and show that it is possible to keep track of per-user connections in an automated and distributed manner without overwhelming the network controller. Building on top of this data, DIDA can easily detect if unsolicited attack packets are sent towards a victim within an ISP network. Once an attack is detected, the …
Scholar articles
XZ Khooi, L Csikor, DM Divakaran, MS Kang - 2020 6th IEEE Conference on Network Softwarization …, 2020