
ReAct: Reflection Attack Mitigation for Asymmetric Routing
Key Takeaways
- ReAct mitigates AR‑DDoS regardless of symmetric or asymmetric routing
- Implements transaction‑ID matching using Bloom filters on programmable switches
- Coordinates switches via static routing tables or dynamic learning
- Prototype runs on Intel Tofino and Nvidia Bluefield‑3 smart NICs
- Simulated error rate stays below 3% at 7,000 requests per second
Pulse Analysis
Amplified reflection DDoS attacks remain a top threat because they turn innocuous services—DNS, NTP, and other UDP‑based protocols—into traffic amplifiers that flood victims with spoofed responses. Traditional mitigation tools assume that request and response packets travel the same path, an assumption that breaks down in modern, multi‑path networks. When routing is asymmetric, counters and heuristics misclassify legitimate replies as malicious, forcing operators to disable defenses or accept service disruption. The rise of programmable switches and smart NICs, however, gives network operators fine‑grained visibility and processing power directly in the data plane, opening the door to more nuanced defenses.
ReAct exploits this programmable fabric by anchoring its logic to transaction identifiers embedded in protocols like DNS. Each request’s ID is hashed into a Bloom filter—a compact probabilistic structure that records presence with minimal memory. When a response arrives, the same hash checks the filter; a hit indicates a legitimate request was seen, while a miss flags potential abuse. Crucially, ReAct extends this model to asymmetric paths by sharing prefix‑to‑switch mappings either through pre‑configured routing tables or through a dynamic learning phase that broadcasts retransmissions to discover where requests originated. This coordination ensures that even if a response traverses a different device than its request, the system can still verify its legitimacy without exhaustive state storage.
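The following is an added software model of the check described above, written for this page; it is not the ReAct authors' code or their P4 data-plane program. It assumes DNS-like packets carrying a 16-bit transaction ID, keys the Bloom filter on the (client, server, ID) tuple that a request and its reply share, and models only the static prefix-to-switch table variant of coordination (the dynamic learning phase is not implemented). The switch names, prefixes and addresses in `run_scenario` are constructed test data.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str          # sender IP
    dst: str          # receiver IP
    txid: int         # 16-bit DNS-style transaction ID
    is_response: bool


class BloomFilter:
    """Minimal Bloom filter: k hash positions in an m-bit array."""

    def __init__(self, m_bits: int = 1 << 16, k: int = 3) -> None:
        self.m = m_bits
        self.k = k
        self.bits = 0  # a Python int serves as the bit array

    def _positions(self, key: bytes):
        # Derive k independent positions by salting one hash with the index.
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + key).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, key: bytes) -> None:
        for p in self._positions(key):
            self.bits |= 1 << p

    def __contains__(self, key: bytes) -> bool:
        return all((self.bits >> p) & 1 for p in self._positions(key))


def txn_key(client: str, server: str, txid: int) -> bytes:
    """The tuple shared by a request and its reply: client, server, ID."""
    return f"{client}|{server}|{txid}".encode()


class Switch:
    """Edge switch that owns client prefixes and records their outbound requests."""

    def __init__(self, name: str, owned_prefixes: list, routing: dict) -> None:
        self.name = name
        self.routing = routing  # shared static table: ip_network -> Switch
        self.seen = BloomFilter()
        for p in owned_prefixes:
            routing[ipaddress.ip_network(p)] = self

    def _owner_of(self, ip: str):
        addr = ipaddress.ip_address(ip)
        for net, sw in self.routing.items():
            if addr in net:
                return sw
        return None

    def handle(self, pkt: Packet) -> str:
        if not pkt.is_response:
            # Outbound request from a local client: remember (client, server, ID).
            self.seen.add(txn_key(pkt.src, pkt.dst, pkt.txid))
            return "forward"
        # Inbound response: the protected client is pkt.dst. With asymmetric
        # routing the request may have been recorded on a different switch,
        # so the static table says whose filter to consult.
        owner = self._owner_of(pkt.dst)
        if owner is None:
            return "forward"  # prefix not covered by the check
        if txn_key(pkt.dst, pkt.src, pkt.txid) in owner.seen:
            return "forward"
        return "drop"  # no matching request seen anywhere: reflected traffic


def run_scenario() -> list:
    """Constructed scenario: one asymmetric legitimate flow, one reflected reply."""
    routing: dict = {}
    sw_a = Switch("A", ["10.0.1.0/24"], routing)
    sw_b = Switch("B", ["10.0.2.0/24"], routing)
    client = "10.0.1.7"          # constructed: client behind switch A
    resolver = "198.51.100.53"   # constructed: external open resolver
    victim = "10.0.2.9"          # constructed: client behind switch B

    packets = [
        (sw_a, Packet(client, resolver, 0x1A2B, False)),  # request leaves via A
        (sw_b, Packet(resolver, client, 0x1A2B, True)),   # reply returns via B
        (sw_b, Packet(resolver, victim, 0x7777, True)),   # reply with no request
    ]
    return [sw.handle(p) for sw, p in packets]


if __name__ == "__main__":
    print(run_scenario())  # ['forward', 'forward', 'drop']
```

The second packet is the asymmetric case: the request was recorded on switch A, the reply enters through switch B, and B still accepts it because the shared prefix table points it at A's filter. The third packet is dropped because no switch ever saw a request with that tuple. A real deployment would also have to age or rotate the filter, since a Bloom filter only grows; that detail is outside this model.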
The practical impact is significant. Operators can now deploy AR‑DDoS detection at the edge—within CDNs, ISP PoPs, or large data‑center fabrics—without fearing collateral damage to genuine traffic. Early prototypes on Intel Tofino and Nvidia Bluefield‑3 demonstrate sub‑3% false‑positive rates at 7 kpps, a level acceptable for production environments. Looking ahead, extending ReAct to protocols lacking stable transaction IDs, such as NTP, will broaden its applicability. As programmable hardware becomes more ubiquitous, solutions like ReAct illustrate how data‑plane intelligence can transform network security from a reactive afterthought into a proactive, scalable shield.
ReAct: Reflection attack mitigation for asymmetric routing