Menghao Zhang (Tsinghua University), Guanyu Li (Tsinghua University), Shicheng Wang (Tsinghua University), Chang Liu (Tsinghua University), Ang Chen (Rice University), Hongxin Hu (Clemson University), Guofei Gu (Texas A&M University), Qi Li (Tsinghua University), Mingwei Xu (Tsinghua University), Jianping Wu (Tsinghua University)
Distributed Denial-of-Service (DDoS) attacks have become a critical threat to the Internet. Due to the increasing number of vulnerable Internet of Things (IoT) devices, attackers can easily compromise a large set of nodes to form botnets and launch high-volume DDoS attacks. State-of-the-art DDoS defenses, however, have not caught up with the fast evolution of the attacks and the requirements of latency-sensitive services in data centers, as most existing defense systems are high in cost and low in agility. In this paper, we propose POSEIDON, a framework that is designed to address those key limitations in today’s DDoS defenses, leveraging emerging programmable switches that can be reconfigured in the field without additional hardware cost. In designing POSEIDON, we address three key challenges in terms of intent expression, resource orchestration, and runtime management. Evaluations using our prototype demonstrate that POSEIDON can potentially defend against ∼Tbps attack traffic, simplify the defense intent expression within tens of lines of code, accommodate to policy changes in seconds, and adapt to dynamic attacks with negligible overheads. Moreover, compared with the state of the art, POSEIDON reduces the defense costs and the end-to-end packet processing latency by two orders of magnitude, making it a promising defense against modern advanced DDoS attacks.