Leveraging Prefix Structure to Detect Volumetric DDoS Attack Signatures

Volumetric Distributed Denial of Service (DDoS) attacks continue to be one of the most pervasive threats to online services and service providers alike. While recent efforts explore the promise of programmable switch hardware to efficiently detect and mitigate massive volumetric DDoS attacks, they rely on approximate methods with relatively high and unpredictable error rates. To improve the accuracy and efficiency of DDoS attack signature detection, we develop ZAPDOS (Zooming-in At Prefix-level DdOs Signatures), a dynamic approach which leverages for the first time key insights about the inherent clustering of benign and attack traffic in the address space. ZAPDOS combines programmable switch hardware, machine learning classification, and several novel algorithmic components to efficiently generate signatures of modern-day volumetric DDoS attacks using a fixed resource budget.

Architecture of ZAPDOS.


  • State-of-the-art switch-based DDoS defenses suffer from high and unpredictable error rates in the face of realistic attack traffic distributions. State-of-the-art machine-learning approaches suffer from infeasible overheads in the face of massive volumes of attack traffic.

  • Sources of both benign and attack traffic are inherently clustered in prefix-level structures implying different regions of the address space should be given different levels of attention when detecting attack signatures, however, no prior work has leveraged this observation to improve signature detection efficiency.

  • ZAPDOS is the first approach to combine efficient switch hardware processing, accurate machine learning classification, and novel iterative refinement algorithms to exploit inherent address clustering for efficient DDoS signature detection on programmable switch hardware.

Key Points

  • ZAPDOS zooms-in on attack signatures faster than Jaqen and achieves lower and more stable error rates compared to both Jaqen and Euclid.
  • ZAPDOS accurately detects signatures of different volumetric DDoS attack vectors using a single model derived from a large training set generated with a novel data-fusion methodology.
  • The refinement algorithm in ZAPDOS effectively adapts to detect complex modern attacks that combine multiple simultaneous attack vectors while changing vectors and attack sources over time.


Leveraging Prefix Structure to Detect Volumetric DDoS Attack Signatures with Programmable Switches
Chris Misa, Ramakrishnan Durairajan, Arpit Gupta, Reza Rejaie and Walter Willinger
In IEEE Symposium on Security and Privacy (S&P’24), San Franscisco, CA, May 2024.



Team Members



This work is supported by the National Science Foundation through CNS 1850297, a Ripple faculty fellowship, a Ripple graduate fellowship, and Broadcom. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of NSF, Ripple, or Broadcom.

NSF Ripple Broadcom
Last updated Nov. 8th, 2023.