Modern DDoS defense systems rely on probabilistic monitoring algorithms to identify flows that exceed a volume threshold and should thus be penalized. Commonly, classic sketch algorithms are considered sufficiently accurate for usage in DDoS defense. However, as we show in this paper, these algorithms achieve poor detection accuracy under burst-flood attacks, i.e., volumetric DDoS attacks composed of a swarm of medium-rate sub-second traffic bursts. Under this challenging attack pattern, traditional sketch algorithms can only detect a high share of the attack bursts by incurring a large number of false positives. In this paper, we present ALBUS, a probabilistic monitoring algorithm that overcomes the inherent limitations of previous schemes: ALBUS is highly effective at detecting large bursts while reporting no legitimate flows, and therefore improves on prior work regarding both recall and precision. Besides improving accuracy, ALBUS scales to high traffic rates, which we demonstrate with an FPGA implementation, and is suitable for programmable switches, which we showcase with a P4 implementation.

翻译：现代DDoS防御系统依赖概率监控算法来识别超过流量阈值并应受到惩罚的流。通常，经典草图算法被认为在DDoS防御中具有足够高的准确性。然而，如本文所示，这些算法在突发洪水攻击（即由一群中等速率亚秒级流量突发组成的容积式DDoS攻击）下检测精度较差。面对这种具有挑战性的攻击模式，传统草图算法只能通过引发大量假阳性来检测较高比例的突发攻击。本文提出ALBUS，一种克服先前方案固有局限性的概率监控算法：ALBUS在检测大流量突发时非常有效，同时不报告任何合法流，因此在召回率和精确率两方面均优于先前工作。除提高精度外，ALBUS可通过FPGA实现扩展至高速流量，并适用于可编程交换机（本文通过P4实现展示其适用性）。