PT-Radar: a programmable-data-plane-assisted port time-slot radar for LDoS detection and mitigation
摘要
Software-Defined Networking (SDN) enhances network programmability and manageability by decoupling the control plane from the data plane, yet it still inherits the vulnerability of traditional networks to denial-of-service attacks. Low-rate denial-of-service (LDoS) attacks exploit bottleneck links and TCP congestion control dynamics, exhibiting periodic disturbances characterized by a low average rate and short high-amplitude pulses, which makes them difficult to detect. Most existing SDN-based LDoS defenses follow a controller-centric traffic sampling and analysis paradigm, often relying on controller-side time-series reconstruction or continuous fine-grained monitoring. Such designs not only impose substantial overhead on the controller and the southbound interface, but also tend to be constrained by single statistics or single-scale indicators, making it difficult to stably characterize the structured pulse–quiet temporal pattern and its contextual differences. To address these limitations, we propose PT-Radar, a multi-stage detection and mitigation framework for LDoS. The key idea is to introduce a Port Time-slot Radar in the programmable data plane. By slicing port traffic into 0.1 s time slots, the radar performs scanning-style probing over sampling slots with a background window as reference, and directly extracts and aggregates a multi-dimensional set of structured features that capture LDoS pulse structures in the data plane, enabling automatic identification of anomalous slots with low-overhead reporting. PT-Radar first identifies suspicious victim devices via switch-level state monitoring, then localizes the most affected port, and activates the radar only on that port to report aggregated features to the controller, while performing flow-level attribution in the data plane. Once a machine-learning-based classifier at the controller confirms an attack, the system promptly installs fine-grained flow rules to block malicious traffic and complete mitigation. Experimental results show that PT-Radar achieves a favorable balance among detection accuracy, response latency, and system overhead, enabling robust and effective online detection and mitigation of LDoS attacks.