Amplification Reflection Distributed Denial-of-Service (AR-DDoS) attacks remain a formidable threat, exploiting stateless protocols to flood victims with illegitimate traffic. Recent advances have enabled data-plane defenses against such attacks, but existing solutions typically assume symmetric routing and are limited to a single switch. These assumptions fail in modern networks where asymmetry is common, resulting in dropped legitimate responses and persistent connectivity issues. This paper presents ReAct, an in-network defense for AR-DDoS that is robust to asymmetry. ReAct performs request-response correlation across switches using programmable data planes and a sliding window of Bloom filters. To handle asymmetric traffic, ReAct introduces a data-plane-based request forwarding mechanism, enabling switches to validate responses even when paths differ. ReAct can automatically adapt to routing changes with minimal intervention, ensuring continued protection even in dynamic network environments. We implemented ReAct on both a P4 interpreter and NVIDIA's BlueField-3, demonstrating its applicability across multiple platforms. Evaluation results show that ReAct filters nearly all attack traffic without dropping legitimate responses, even under high-volume attacks and asymmetry. Compared to state-of-the-art approaches, ReAct achieves significantly lower false positives. To our knowledge, ReAct is the first data-plane AR-DDoS defense that supports dynamic, cross-switch collaboration, making it uniquely suitable for deployment in networks with asymmetry.
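A small Python model of the request-response correlation the abstract describes, added here as an illustration; it is not the paper's P4 or BlueField-3 code. The flow-key fields, pane count, filter size, and the peer-sharing call that stands in for ReAct's request forwarding are all assumptions.

```python
import hashlib

class SlidingBloom:
    """Window of Bloom filter panes: add to newest, query all, rotate to expire."""
    def __init__(self, panes=3, bits=1 << 16, hashes=3):
        self.bits, self.hashes = bits, hashes
        self.panes = [bytearray(bits) for _ in range(panes)]  # one byte per bit, for clarity
    def _positions(self, key):
        for i in range(self.hashes):
            d = hashlib.blake2b(key, digest_size=8, salt=bytes([i])).digest()
            yield int.from_bytes(d, "big") % self.bits
    def add(self, key):
        for p in self._positions(key):
            self.panes[0][p] = 1
    def __contains__(self, key):
        return any(all(pane[p] for p in self._positions(key)) for pane in self.panes)
    def rotate(self):  # once per time slice: drop oldest pane, open a fresh one
        self.panes = [bytearray(self.bits)] + self.panes[:-1]

def flow_key(client, server, port, txid):
    # Assumed key: fields a genuine response must echo (e.g. a DNS transaction ID).
    return f"{client}|{server}|{port}|{txid}".encode()

class Switch:
    def __init__(self):
        self.seen, self.peers = SlidingBloom(), []
    def on_request(self, client, server, port, txid, forwarded=False):
        self.seen.add(flow_key(client, server, port, txid))
        if not forwarded:  # assumed stand-in for request forwarding to peers
            for peer in self.peers:
                peer.on_request(client, server, port, txid, forwarded=True)
    def on_response(self, server, client, port, txid):
        return "forward" if flow_key(client, server, port, txid) in self.seen else "drop"

def demo():
    # Constructed scenario: request exits via s1, response returns via s2.
    s1, s2, lone = Switch(), Switch(), Switch()
    s1.peers = [s2]
    s1.on_request("10.0.0.5", "198.51.100.53", 53, 0x1A2B)
    reply = ("198.51.100.53", "10.0.0.5", 53, 0x1A2B)
    out = {"asymmetric": s2.on_response(*reply), "no_sharing": lone.on_response(*reply),
           "reflected": s2.on_response("198.51.100.53", "10.0.0.9", 53, 0x7777)}
    for _ in range(3):
        s2.seen.rotate()
    out["expired"] = s2.on_response(*reply)
    return out
```

The `no_sharing` case is the single-switch failure mode the abstract points to: a switch that never saw the request drops the legitimate reply.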