Lemon: Network-Wide DDoS Detection with Routing-Oblivious Per-Flow Measurement

Authors: 

Wenhao Wu, Zhenyu Li, and Xilai Liu, Institute of Computing Technology, Chinese Academy of Sciences; University of Chinese Academy of Sciences; Zhaohua Wang and Heng Pan, Computer Network Information Center, Chinese Academy of Sciences; Guangxing Zhang, Institute of Computing Technology, Chinese Academy of Sciences; Gaogang Xie, Computer Network Information Center, Chinese Academy of Sciences; University of Chinese Academy of Sciences

Abstract: 

Network-wide DDoS (Distributed Denial-of-Service) detection enables early attack detection and reduces victim losses. However, the unpredictable routing of DDoS traffic invalidates the network administrator's prior knowledge of the network topology, causing existing sketch-based measurement systems to suffer from packet over-counting and mis-allocation of processing stages. To address this gap, we propose Lemon, a routing-oblivious, resource-friendly, and scalable DDoS detection system that accurately detects DDoS attacks without any assumption about traffic routing. Specifically, we design a novel data structure (the Lemon sketch) that supports over-counting-free and mis-allocation-free measurement in the data plane. The Lemon control plane aggregates Lemon sketches from the measurement points and leverages per-flow, network-wide measurement results for DDoS attack detection and victim identification. We implement Lemon on both a software switch (BMv2) and programmable switch hardware (Tofino). The evaluation results show that Lemon achieves consistently high accuracy for DDoS detection across a variety of topology and traffic distribution configurations.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.