Seek and Push: Detecting Large Traffic Aggregates in the Dataplane
share
High level goals such as bandwidth provisioning, accounting and network anomaly detection can be easily met if high-volume traffic clusters are detected in real time. This paper presents Elastic Trie, an alternative to approaches leveraging controller-dataplane architectures. Our solution is a novel push-based network monitoring approach that allows detection, within the dataplane, of high-volume traffic clusters. Notifications from the switch to the controller can be sent only as required, avoiding the transmission or processing of unnecessary data. Furthermore, the dataplane can iteratively refine the responsible IP prefixes allowing a controller to receive a flexible granularity information. We report and discuss an evaluation of our P4-based prototype, showing our solution to be able to detect (with 95 precision), hierarchical heavy hitters and superspreaders using less than 8KB or 80KB of active memory respectively. Finally, Elastic Trie can identify changes in the network traffic patterns, symptomatic of Denial-of-Service attack events.
READ FULL TEXT
