Zang, M., De Iaco, F., Wu, J., Savi, M. (2025). In-Kernel Traffic Sketching for Volumetric DDoS Detection. In ICC 2025 - IEEE International Conference on Communications (pp.2180-2185). IEEE [10.1109/ICC52391.2025.11161251].
In-Kernel Traffic Sketching for Volumetric DDoS Detection
Savi M.
2025
Abstract
Emerging network technologies like cloud computing provide flexible services but also introduce vulnerabilities to host servers, such as exposure to Distributed Denial of Service (DDoS) attacks. Traditional host-based detection tools operate in the user space, which can delay detection because network traffic must pass through the kernel space first. Moving detection to the kernel space speeds up the process but limits traffic processing capabilities. We propose using a memory-efficient sketch-based data structure for kernel-space DDoS detection, allowing attacks to be identified immediately upon arrival at the host. We also introduce double-sketch and adaptive-threshold mechanisms to circumvent some inefficiencies of eBPF and to optimize this design for dynamic network traffic. Experiments in a controlled environment show that our approach achieves over 90% detection performance and accelerates it to a sub-microsecond level compared to the millisecond level in classical user-space methods.

| File | Size | Format |
|---|---|---|
| Zang et al-2025-IEEE International Conference on Communications-VoR.pdf (open access; attachment type: Submitted Version (Pre-print); license: Creative Commons) | 538.97 kB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.


