Network Intrusion Detection Systems (NIDS) are one of the key defense mechanisms employed to detect and mitigate network-based threats. Several works have explored offloading NIDS pre-filtering to hardware platforms in order to reduce resource saturation and improve detection accuracy. Among them, data plane solutions in SDN aim to leverage the hardware speed and the recent flexibility of programmable switches. However, those solutions are designed without considering a constrained data plane with limited table sizes and memory space, which reduces detection accuracy and exposes them to buffer saturation attacks. This paper proposes P4-ONIDS, a solution that improves the parsing and compilation of NIDS rules for the data plane, alongside sketch-based pre-filtering of suspicious flows, while maintaining low resource usage and leveraging the hardware speed of the data plane. We evaluate the compiler and our pre-filtering data plane capabilities in an emulated environment using Mininet with Snort NIDS. Results show more than a 400x reduction in the number of generated P4 rules. Some experiments reach an accuracy of approximately 90% while filtering 40% of packets.
Distributed Denial of Service (DDoS) attacks continue to be a major issue in today's Internet. Over the last few years, we have observed a dramatic escalation in the number, scale, and diversity of these attacks. Among the various types, the spoofed TCP SYN flood is one of the most common forms of volumetric DDoS attack. Several works have explored the flexible management control provided by the new network paradigm, Software-Defined Networking (SDN), to produce a flexible and powerful defense system. Among them, data plane based solutions combined with the recent flexibility of programmable switches aim to leverage hardware speed to defend against spoofed flooding attacks. Usually, they implement anti-spoofing mechanisms that rely on performing client authentication in the data plane using techniques such as TCP Proxy, TCP Reset, and Safe Reset. However, these mechanisms have several limitations. First, because of the interaction required to authenticate the client, they penalize the connection time of all clients, even when no attack is ongoing. Second, they use a limited version of TCP cookies to detect a valid client ACK or RST. Finally, they are vulnerable to a buffer saturation attack, because the whitelist of authenticated clients is stored in limited data plane resources. In this work, we propose the use of sketch-based solutions to improve the data plane Safe Reset anti-spoofing defense mechanism. We implemented our solution in P4, a high-level language for programmable data planes, and evaluate it against a data plane Safe Reset technique in an emulated environment using Mininet.
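The two limitations the abstract names, cookie-based client authentication and a whitelist that lives in finite data plane memory, can be made concrete with a small simulation. The following is an added example, not the paper's P4 code: it models the challenge step in a simplified Safe Reset style (the switch answers an unknown client's SYN with a reply whose acknowledgment number is an HMAC-derived cookie, a real host echoes it as the sequence number of its RST, and is then whitelisted), and compares an exact-match whitelist with a fixed capacity against a Bloom filter, which stands in here for the paper's unspecified sketch. The server address, the secret, the `Switch`, `ExactWhitelist` and `BloomWhitelist` classes and the traffic mix are all constructed for the example.

```python
"""Constructed toy model of data-plane SYN authentication with two whitelist
back ends. Example code, not the paper's implementation. Assumed simplification:
the switch challenges an unknown source with a cookie in the ack number; a real
host answers with a RST carrying that value as its seq and is then whitelisted.
"""
import hashlib
import hmac

SECRET = b"per-switch-secret"   # assumed; a real deployment rotates this
SERVER = ("10.0.0.1", 80)        # constructed protected server


def cookie(src_ip, src_port, dst=SERVER):
    """32-bit cookie bound to the 4-tuple, so a RST from another host fails."""
    msg = f"{src_ip}:{src_port}>{dst[0]}:{dst[1]}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class ExactWhitelist:
    """Exact-match table with a fixed number of entries (a data-plane table)."""
    def __init__(self, capacity):
        self.capacity, self.entries = capacity, set()

    def add(self, ip):
        if ip in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            return False          # table full: this is the buffer saturation case
        self.entries.add(ip)
        return True

    def contains(self, ip):
        return ip in self.entries


class BloomWhitelist:
    """Fixed-size bit array: memory does not grow with the number of clients."""
    def __init__(self, nbits=1024, nhash=3):
        self.nbits, self.nhash, self.bits = nbits, nhash, bytearray(nbits)

    def _slots(self, ip):
        for i in range(self.nhash):
            h = hashlib.sha256(f"{i}:{ip}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.nbits

    def add(self, ip):
        for s in self._slots(ip):
            self.bits[s] = 1
        return True               # never refuses, but may later false-positive

    def contains(self, ip):
        return all(self.bits[s] for s in self._slots(ip))


class Switch:
    """Forward SYNs from whitelisted sources; challenge everything else."""
    def __init__(self, whitelist):
        self.whitelist = whitelist

    def on_syn(self, src_ip, src_port):
        if self.whitelist.contains(src_ip):
            return "FORWARD", None
        return "CHALLENGE", cookie(src_ip, src_port)

    def on_rst(self, src_ip, src_port, seq):
        """Accept the RST only if its seq echoes the cookie for this 4-tuple."""
        expected = cookie(src_ip, src_port).to_bytes(4, "big")
        if not hmac.compare_digest(seq.to_bytes(4, "big"), expected):
            return False
        return self.whitelist.add(src_ip)


def legit_client(switch, ip, port=40000):
    """A real host answers the challenge and then retries its SYN."""
    action, chal = switch.on_syn(ip, port)
    if action == "CHALLENGE":
        if not switch.on_rst(ip, port, chal):
            return False          # authenticated, but the whitelist refused it
        action, _ = switch.on_syn(ip, port)
    return action == "FORWARD"


def simulate(whitelist, n_real, n_spoofed):
    """Returns (real clients admitted, spoofed SYNs forwarded unchallenged)."""
    sw = Switch(whitelist)
    admitted = sum(legit_client(sw, f"203.0.113.{i}") for i in range(1, n_real + 1))
    forwarded = 0
    for i in range(n_spoofed):    # constructed spoofed flood: no RST ever returns
        action, _ = sw.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i)
        forwarded += action == "FORWARD"
    return admitted, forwarded


if __name__ == "__main__":
    print("exact table (64 entries):", simulate(ExactWhitelist(64), 100, 254))
    print("bloom filter (1024 bits):", simulate(BloomWhitelist(), 100, 254))
```

With a 64-entry exact table, clients 65 to 100 authenticate correctly yet are dropped because there is no room to record them; the Bloom filter admits all 100 in constant memory, and the price is a small fraction of spoofed sources that pass unchallenged as false positives. That trade is what a sketch-based whitelist buys in a constrained data plane, and the false-positive rate is the parameter to size against the expected client population.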