CableLabs is cooking up a new method to stop distributed denial of service (DDoS) attacks by blocking devices at the source, where attacks are full-strength, using the P4 programming language.
On the sidelines of this week's SCTE-ISBE Cable-Tec Expo in New Orleans, CableLabs' Randy Levensalor outlined the security project known as "Transparent Security."
Transparent Security can mitigate ingress and egress traffic at every point in the network. Most DDoS software solutions are deployed only at the edge of a network, which means they can't protect the network from internal DDoS attacks. In turn, internal DDoS attacks can weaponize service providers' networks for further attacks.
"Instead of looking at just protecting yourself against a DDoS attack, we can block the attack closer to the source and identify either the customer or the device on the customer premises that is launching the attack," said Levensalor, lead architect, software research and development. "What we do is kind of a two-pronged approach. One is to identify the source of the attack and we're doing in-band network telemetry so we're having the originating MAC and the originating IP address of the device and we're adding that to the packet.
"Then we add more information for every hop the packet takes within the access network. Then we're able to look at every header on every egress packet to identify the attack in seconds."
P4 (Programming Protocol-independent Packet Processors) is a domain-specific programming language for networking that is widely used with software-defined networking (SDN). Since its inception in 2013, P4 has become the de facto standard for expressing how packets are processed by the data plane of a forwarding element, such as a hardware or software switch, network interface card (NIC), router, or network appliance.
"We have white boxes that we put P4 on and then we're also able to run P4 on the gateway," Levensalor said. "We're doing offloading onto a NIC that you can also run in software and FPGAs. We use P4 to do that in-band telemetry and we also strip that information before it leaves our network.
"For the mitigation, we have P4 tables that will do the dropping. With P4 you can get a lot more fine-grained in the signature than you can with something like OpenFlow. We can keep the other devices up and running while only blocking the traffic that is part of the DDoS attack."
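The two-pronged flow Levensalor describes (originating MAC and IP added to the packet at the first hop, an entry appended per hop, every egress header inspected, telemetry stripped before the packet leaves the network, then a fine-grained drop table at the switch nearest the source) as an added Python model of that flow; this is not CableLabs code or P4, and the packet fields, switch names, traffic mix and threshold are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    telemetry: dict = None  # constructed stand-in for the in-band telemetry header

def hop(pkt, switch_id):
    """First hop records the originating MAC/IP; every hop appends its own id."""
    if pkt.telemetry is None:
        pkt.telemetry = {"orig_mac": pkt.src_mac, "orig_ip": pkt.src_ip, "hops": []}
    pkt.telemetry["hops"].append(switch_id)

def detect(egress, threshold):
    """Read every egress telemetry header; a (device, destination) signature seen
    more than `threshold` times becomes a drop-table entry for its first hop."""
    counts, first_hop = Counter(), {}
    for p in egress:
        t = p.telemetry
        sig = (t["orig_mac"], t["orig_ip"], p.dst_ip, p.dst_port)
        counts[sig] += 1
        first_hop.setdefault(sig, t["hops"][0])  # the switch nearest the source
    return {s: first_hop[s] for s, n in counts.items() if n > threshold}

def drop_table(pkts, table, switch_id):
    """P4-style drop table on one switch: drop only packets matching an entry
    installed for this switch, so the same device's other flows keep flowing."""
    return [p for p in pkts
            if table.get((p.src_mac, p.src_ip, p.dst_ip, p.dst_port)) != switch_id]

def demo():
    """Constructed traffic: a camera behind gateway gw-7 floods one target while a
    laptop on the same gateway browses normally. Returns (table, forwarded count)."""
    cam = lambda dst, port: Packet("aa:bb:cc:00:00:01", "10.0.7.20", dst, port)
    lap = lambda: Packet("aa:bb:cc:00:00:02", "10.0.7.21", "203.0.113.5", 443)
    batch = [cam("198.51.100.9", 80) for _ in range(200)] + [lap() for _ in range(5)]
    for p in batch:
        for sw in ("gw-7", "agg-2", "core-1"):  # three access-network hops
            hop(p, sw)
    table = detect(batch, threshold=100)  # analytics runs over the egress headers
    for p in batch:
        p.telemetry = None  # stripped before the packet leaves the provider network
    # Next batch at gw-7 with the table installed: only the flood is dropped.
    nxt = ([cam("198.51.100.9", 80) for _ in range(50)] + [lap() for _ in range(5)]
           + [cam("203.0.113.5", 443)])
    return table, len(drop_table(nxt, table, "gw-7"))
```

The drop entry is keyed on the full signature rather than just the device, so the camera's other traffic (the last packet in `nxt`) still forwards, matching the point that only the attack traffic is blocked.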
By combining P4 with ASICs that are built to run programs at high speed, CableLabs can mitigate DDoS attacks without sacrificing network performance. As service providers update their networks with customizable switches and edge compute capabilities, they can add new features with a software update, according to Levensalor.
Levensalor said CableLabs has a proof-of-concept (PoC) for Transparent Security underway, and it's starting to work with vendors on the interfaces. CableLabs is using an internally developed software-defined networking controller for the PoC.
CableLabs has big plans for the programmable data plane and P4. Levensalor said CableLabs is also looking at using the programmable data plane for cloud-native and edge compute in tandem with Kubernetes.
"So, some of the things we've moved from physical devices to VNFs to containers, we actually now are able to start looking at some of the functionality embedded on a switch so we can run it at line rate without needing a server," he said. "We'll get this platform in place where we have P4 change the behavior of the network and the devices. We have in-band telemetry so we have visibility for every packet in our networks. Then we have an analytics engine and controllers at the edge.
"Suddenly this opens a whole new world of closed-loop automation that we can do and tie into other programs."