Fighting Fire with Light: Tackling Extreme Terabit DDoS Using Programmable Optics

2020 
Distributed denial-of-service (DDoS) attacks are a clear and present threat to both today's and future network infrastructures. Attacks are constantly growing in sophistication with new threats emerging and likely amplified with other technology trends (e.g., amplification, IoT botnets, 5G connectivity). While great progress has been made in devising many types of mitigation strategies, they are found wanting in light of advanced large-scale attacks and our ability to minimize the impact of the attacks on legitimate services. In this work, we explore a new opportunity for bolstering our DDoS defense arsenal by leveraging recent advances in programmable optics. We envision ONSET: an Optics-enabled In-Network defenSe for Extreme Terabit DDoS attacks. Our approach seeks to isolate and steer attack traffic by dynamic reconfiguration of (backup) wavelengths. This physical isolation of attack traffic enables finer-grained handling of suspicious flows and offers better performance for legitimate traffic in the face of large-scale attacks. In this position paper, we demonstrate the preliminary promise of this vision and identify several open problems at the intersection of security, optical, and systems communities.