DDoS on Sketch: Spoofed DDoS attack defense with programmable data planes using sketches in SDN
Author(s) -
Kairo Tavares,
Tiago Ferreto
Publication year - 2019
Language(s) - English
Resource type - Conference proceedings
DOI - 10.5753/sbrc.2019.7404
Subject(s) - spoofing attack, computer science, denial of service attack, forwarding plane, computer network, computer security, IP address spoofing, network packet, the Internet, Internet protocol, operating system, network address translation
Distributed Denial of Service (DDoS) attacks continue to be a major issue in today's Internet. Over the last few years, we have observed a dramatic escalation in the number, scale, and diversity of these attacks. Among the various types, the spoofed TCP SYN flood is one of the most common forms of volumetric DDoS attack. Several works have explored the flexible management control provided by the new network paradigm called Software Defined Networking (SDN) to produce a flexible and powerful defense system. Among them, data plane based solutions, combined with the recent flexibility of programmable switches, aim to leverage hardware speed to defend against spoofed flooding attacks. Usually, they implement anti-spoofing mechanisms that rely on performing client authentication on the data plane using techniques such as TCP Proxy, TCP Reset, and Safe Reset. However, these mechanisms present several limitations. First, because of the interaction required to authenticate the client, they penalize every client's connection time even when no attack is ongoing. Second, they use a limited version of TCP cookies to detect a valid client ACK or RST. Finally, they are vulnerable to a buffer saturation attack, because the data plane resources that store the whitelist of authenticated clients are limited. In this work, we propose the use of sketch-based solutions to improve the data plane Safe Reset anti-spoofing defense mechanism. We implemented our solution in P4, a high-level language for programmable data planes, and evaluated it against a data plane Safe Reset technique in an emulated environment using Mininet.