PLUTO: A Robust LDoS Attack Defense System Executing at Line Speed

The Low-Rate Denial of Service (LDoS) attack poses a significant threat to Internet services. Exploiting vulnerabilities in adaptive mechanisms embedded within network protocols, LDoS attacks are covert and exhibit legal behavior, making defense challenging. Existing LDoS attack solutions cannot perform real-time LDoS attack defense at line speed. With the emergence of P4, users can program the per-packet processing logic of the P4 switch, which offers us the chance to propose PLUTO, the first data plane-aware LDoS attack defense system built upon the P4 switch, possessing line-speed execution capacity. To meet the resource constraints of the P4 switch, we propose the time window-based pre-inference strategy to detect LDoS attacks and the time-limited per-flow state management to filter the LDoS attack flows. For the practical deployment, we develop the P4 Function Tool to extend the P4 primitives for more function operations. We also adopt an encoding-based mapping method to deploy the pre-inference model. Furthermore, we develop the async-updated hash table for quickly filtering LDoS attack flows. Compared with the baseline, PLUTO reduces the equal error rate (EER) by 27.96% and the average mitigation response time by 12.749s, increasing the AUC by 1.83%, the F1 Score by 7.27%, and the Recall by 9.58%