SPARQ: SYN Protection using Acyclic Redundancy check and Quartile range on P4 switches
Conti, Mauro
2024
Abstract
Software-defined networking (SDN), enabled by high-performance programmable switches, offers a new avenue to counter cyber attacks. Programmable switches offer the ability to customize and conduct in-depth packet analysis, thus providing efficient and timely responses to DDoS attacks. However, implementing sophisticated DDoS detection may be a challenge in programmable switches because the P4 language does not support floating-point arithmetic, logarithmic functions, or loops. Furthermore, the limited SRAM and TCAM memory on programmable switches makes storing the network connection state difficult. Hence, effective deployment of DDoS detection techniques remains challenging due to these limitations and the rising complexity of the attacks. Many researchers have proposed DDoS detection solutions that run directly on a programmable switch, ignoring the pressing need for a distributed solution. Therefore, this paper presents an innovative, decentralized traffic analysis framework called SPARQ that optimally utilizes the data and control planes. SPARQ is based on Rényi entropy, which it uses to filter TCP SYN DDoS attacks. It leverages the programmability of the data plane for traffic classification and utilizes the control plane to calculate the metrics and acyclic redundancy checks within the traffic. Moreover, SPARQ uses quartile ranges to track packet inter-arrival time so that abnormal traffic patterns can be identified. We implement SPARQ in a BMv2 switch using the P4Runtime controller, enabling seamless integration with SDN systems. We compare the performance of SPARQ with state-of-the-art solutions using the CAIDA dataset. The comparative analysis demonstrates that SPARQ provides a 20.59% reduction in CPU load, an average detection time shorter than 88%, and a 17.8% improvement in true positive rate (TPR).
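The abstract splits the work between a data plane that classifies and counts packets and a control plane that computes the floating-point metrics P4 cannot express (Rényi entropy, quartile ranges of inter-arrival time). The following is an added example, not SPARQ's code and not derived from the paper, of what that control-plane side can look like: it consumes per-window SYN records that a switch is assumed to export, computes the Rényi entropy of the destination-address distribution and the fraction of inter-arrival times that fall below a benign baseline's first quartile, and combines both into a verdict. The choice of destination address as the entropy feature, the order alpha = 2, the thresholds, and the sample windows are all assumptions made for this example.

```python
"""
Added example (not SPARQ's own code): control-plane metrics for a SYN-flood
detector, fed by per-window SYN records assumed to be exported by the switch.
Assumptions (not taken from the abstract): destination IP is the entropy
feature, alpha = 2 (collision entropy), thresholds are hypothetical, and the
record format is (timestamp_ms, src_ip, dst_ip).
"""
import math
import statistics
from collections import Counter
from dataclasses import dataclass

ALPHA = 2.0            # Rényi order (assumed); alpha = 2 is collision entropy
ENTROPY_FLOOR = 1.0    # bits; hypothetical threshold for "traffic concentrated on few victims"
FAST_FRACTION = 0.5    # hypothetical: a burst if >50% of IATs are below the baseline Q1


def renyi_entropy(counts, alpha=ALPHA):
    """Rényi entropy H_alpha = log2(sum p_i^alpha) / (1 - alpha), in bits.

    Computed here in floating point, which is exactly what the data plane
    cannot do and why the abstract pushes this step to the control plane.
    """
    total = sum(counts)
    if total == 0:
        return 0.0
    probs = [c / total for c in counts if c > 0]
    if alpha == 1.0:                       # Shannon entropy as the alpha -> 1 limit
        return -sum(p * math.log2(p) for p in probs)
    return math.log2(sum(p ** alpha for p in probs)) / (1.0 - alpha)


@dataclass
class Baseline:
    """Quartiles of benign inter-arrival times (ms), learned from a clean window."""
    q1: float
    q3: float

    @property
    def iqr(self) -> float:
        return self.q3 - self.q1


def inter_arrival_times(timestamps_ms):
    """Differences between consecutive packet timestamps within one window."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def fit_baseline(benign_iats) -> Baseline:
    """Q1 and Q3 of benign IATs; 'inclusive' interpolates between sorted samples."""
    q1, _median, q3 = statistics.quantiles(benign_iats, n=4, method="inclusive")
    return Baseline(q1=q1, q3=q3)


def burst_fraction(iats, baseline: Baseline) -> float:
    """Share of IATs arriving faster than the benign lower quartile."""
    if not iats:
        return 0.0
    return sum(1 for x in iats if x < baseline.q1) / len(iats)


def analyze_window(syn_records, baseline: Baseline) -> dict:
    """Entropy of SYN destinations plus IAT burst fraction -> verdict for the window."""
    dst_counts = Counter(dst for _ts, _src, dst in syn_records)
    entropy = renyi_entropy(dst_counts.values())
    iats = inter_arrival_times([ts for ts, _src, _dst in syn_records])
    frac = burst_fraction(iats, baseline)
    flood = entropy < ENTROPY_FLOOR and frac > FAST_FRACTION
    return {"entropy": entropy, "burst_fraction": frac,
            "verdict": "syn_flood" if flood else "benign"}


# Constructed sample windows (not real captures). Benign: 9 SYNs spread over
# three destinations with widening gaps; attack: 40 SYNs to one victim, 1 ms apart.
BENIGN_WINDOW = [
    (ts, f"192.0.2.{i + 1}", f"198.51.100.{(i % 3) + 1}")
    for i, ts in enumerate([0, 10, 30, 60, 100, 150, 210, 280, 360])
]
ATTACK_WINDOW = [(ms, f"203.0.113.{ms % 250}", "198.51.100.7") for ms in range(40)]

BASELINE = fit_baseline(inter_arrival_times([ts for ts, _, _ in BENIGN_WINDOW]))

if __name__ == "__main__":
    print("baseline", BASELINE)
    print("benign  ", analyze_window(BENIGN_WINDOW, BASELINE))
    print("attack  ", analyze_window(ATTACK_WINDOW, BASELINE))
```

Requiring both signals to fire before reporting a flood is the reason for combining them: a legitimate burst of connections to a busy server lowers destination entropy without changing inter-arrival timing much, and a scan that touches many hosts compresses inter-arrival times without concentrating destinations. The per-destination counters and timestamps are the only state the switch has to keep, which fits the SRAM and TCAM limits the abstract mentions.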