FAPM: A Fake Amplification Phenomenon Monitor to Filter DRDoS Attacks With P4 Data Plane

• Published in: IEEE eTransactions on network and service management Vol. 21; no. 6; pp. 6703 - 6715
• Main Authors: Tang, Dan, Wang, Xiaocai, Li, Keqin, Yin, Chao, Liang, Wei, Zhang, Jiliang
• Format: Journal Article
• Language: English
• Published: New York IEEE 01.12.2024; The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
• Subjects: Attack mitigation; Communications traffic; Denial of service attacks; distributed reflection denial-of-service; fake amplification phenomenon; IP networks; Light reflection; Logic; Luminous intensity; Pipelines; Prevention and mitigation; Protocols; Servers; Switches
• ISSN: 1932-4537; 1932-4537
• DOI: 10.1109/TNSM.2024.3449889

Distributed Reflection Denial-of-Service (DRDoS) attacks have caused significant destructive effects by virtue of emerging protocol vulnerabilities and amplification advantages, and their intensity is increasing. The emergence of programmable data plane supporting line-rate forwarding provides a new opportunity for fine-grained and efficient attack detection. This paper proposed a light-weight DRDoS attack detection and mitigation system called FAPM, which is deployed at the victim end with the intention of detecting the amplification behavior caused by the attack. It places the work of collecting and calculating reflection features on the data plane operated by "latter window assisting former window" mechanism, and arranges complex identification and regulation logic on the control plane. This approach avoids the hardware constraints of the programmable switch while leveraging their per-packet processing capability. Also, it reduces communication traffic significantly through feature compression and state transitions. Experiments show that FAPM has (1) fast response capability within seconds (2) a memory footprint at the KB level and communication overhead of 1 Kbps, and (3) good robustness.