BUNGEE: An Adaptive Pushback Mechanism for DDoS Detection and Mitigation in P4 Data Planes

2021 
A DDoS attack aims for resource exhaustion and directly impacts the availability of servers in a network infrastructure. Although significant efforts have been made to detect and mitigate DDoS attacks in viable time, this type of attack remains one of the leading security concerns in networking. By leveraging data plane programmability, it becomes possible to implement novel security solutions that do not rely on coordination with external servers, keeping the detection and mitigation local to the data plane, potentially reducing delays and not being subject to usual communication bottlenecks. In this paper we present BUNGEE, an in-network, collaborative pushback mechanism for DDoS attack mitigation that runs entirely in the data plane. This mechanism is able to, locally at a given switch, identify suspect IP addresses (through the use of continuous IP entropy analysis) and propagate them to other switches. The different switches that are made aware of the suspects enforce a pushback strategy for repelling potential attacks. We implemented our solution using the P4 language. The results reveal that the identification process has high accuracy and that the pushback strategy is effective in minimizing strain to network resources.