Pisces: In-Path Distributed Denial-of-Service Defense via Efficient Authentication Code Embedded in IP Address

Yi Zhao; Bingyang Liu; Weiyu Jiang; Ke Xu; Qi Li; Chuang Wang; Zongxin Dou; Yanjun Liu

doi:10.1109/TDSC.2025.3530140

Pisces: In-Path Distributed Denial-of-Service Defense via Efficient Authentication Code Embedded in IP Address

Yi Zhao, Bingyang Liu^*, Weiyu Jiang, Ke Xu^*, Qi Li, Chuang Wang, Zongxin Dou, Yanjun Liu

^*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

Abstract

High-volume brute-force distributed denial-of-service (DDoS) attack is among the top threats on the Internet. Existing widely deployed methods (e.g., BGP blackhole and scrubbing center) have difficulty achieving legitimate traffic friendliness, low cost, low latency, and high accuracy. We present an in-path DDoS defense mechanism, namely Pisces. Without requiring modifications to existing IP protocols, Pisces embeds authentication information into the IP address. Simultaneously, we design a QUIC-based extension to distribute authentication information. Pisces incorporates a translator module and a filter module, which accurately identifies malicious and legitimate traffic. These multi-dimensional compatibility advantages make it easy to deploy in the real world. We implement Pisces on a high-end commercial router with service processing units. Even without hardware acceleration, a single CPU can achieve 20 Gbps throughput and the performance can scale linearly with the number of CPUs. The additional latency for the victim-related traffic and other traffic is around 27 us and 0.5 us, respectively, whose cost is far less than the scrubbing center. Remarkably, Pisces without false positives can provide high-quality datasets for intelligent approaches and form a prominent complementary effect.

Original language	English
Pages (from-to)	3337-3353
Number of pages	17
Journal	IEEE Transactions on Dependable and Secure Computing
Volume	22
Issue number	4
DOIs	https://doi.org/10.1109/TDSC.2025.3530140
Publication status	Published - 2025
Externally published	Yes

Keywords

Authentication code
DDoS defense
IP address
filter
translator

Access to Document

10.1109/TDSC.2025.3530140

Cite this

@article{d9145b1dbb914d69ba6f893a0e2515ee,

title = "Pisces: In-Path Distributed Denial-of-Service Defense via Efficient Authentication Code Embedded in IP Address",

abstract = "High-volume brute-force distributed denial-of-service (DDoS) attack is among the top threats on the Internet. Existing widely deployed methods (e.g., BGP blackhole and scrubbing center) have difficulty achieving legitimate traffic friendliness, low cost, low latency, and high accuracy. We present an in-path DDoS defense mechanism, namely Pisces. Without requiring modifications to existing IP protocols, Pisces embeds authentication information into the IP address. Simultaneously, we design a QUIC-based extension to distribute authentication information. Pisces incorporates a translator module and a filter module, which accurately identifies malicious and legitimate traffic. These multi-dimensional compatibility advantages make it easy to deploy in the real world. We implement Pisces on a high-end commercial router with service processing units. Even without hardware acceleration, a single CPU can achieve 20 Gbps throughput and the performance can scale linearly with the number of CPUs. The additional latency for the victim-related traffic and other traffic is around 27 us and 0.5 us, respectively, whose cost is far less than the scrubbing center. Remarkably, Pisces without false positives can provide high-quality datasets for intelligent approaches and form a prominent complementary effect.",

keywords = "Authentication code, DDoS defense, IP address, filter, translator",

author = "Yi Zhao and Bingyang Liu and Weiyu Jiang and Ke Xu and Qi Li and Chuang Wang and Zongxin Dou and Yanjun Liu",

note = "Publisher Copyright: {\textcopyright} 2004-2012 IEEE.",

year = "2025",

doi = "10.1109/TDSC.2025.3530140",

language = "English",

volume = "22",

pages = "3337--3353",

journal = "IEEE Transactions on Dependable and Secure Computing",

issn = "1545-5971",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

number = "4",

}

TY - JOUR

T1 - Pisces

T2 - In-Path Distributed Denial-of-Service Defense via Efficient Authentication Code Embedded in IP Address

AU - Zhao, Yi

AU - Liu, Bingyang

AU - Jiang, Weiyu

AU - Xu, Ke

AU - Li, Qi

AU - Wang, Chuang

AU - Dou, Zongxin

AU - Liu, Yanjun

PY - 2025

Y1 - 2025

N2 - High-volume brute-force distributed denial-of-service (DDoS) attack is among the top threats on the Internet. Existing widely deployed methods (e.g., BGP blackhole and scrubbing center) have difficulty achieving legitimate traffic friendliness, low cost, low latency, and high accuracy. We present an in-path DDoS defense mechanism, namely Pisces. Without requiring modifications to existing IP protocols, Pisces embeds authentication information into the IP address. Simultaneously, we design a QUIC-based extension to distribute authentication information. Pisces incorporates a translator module and a filter module, which accurately identifies malicious and legitimate traffic. These multi-dimensional compatibility advantages make it easy to deploy in the real world. We implement Pisces on a high-end commercial router with service processing units. Even without hardware acceleration, a single CPU can achieve 20 Gbps throughput and the performance can scale linearly with the number of CPUs. The additional latency for the victim-related traffic and other traffic is around 27 us and 0.5 us, respectively, whose cost is far less than the scrubbing center. Remarkably, Pisces without false positives can provide high-quality datasets for intelligent approaches and form a prominent complementary effect.

AB - High-volume brute-force distributed denial-of-service (DDoS) attack is among the top threats on the Internet. Existing widely deployed methods (e.g., BGP blackhole and scrubbing center) have difficulty achieving legitimate traffic friendliness, low cost, low latency, and high accuracy. We present an in-path DDoS defense mechanism, namely Pisces. Without requiring modifications to existing IP protocols, Pisces embeds authentication information into the IP address. Simultaneously, we design a QUIC-based extension to distribute authentication information. Pisces incorporates a translator module and a filter module, which accurately identifies malicious and legitimate traffic. These multi-dimensional compatibility advantages make it easy to deploy in the real world. We implement Pisces on a high-end commercial router with service processing units. Even without hardware acceleration, a single CPU can achieve 20 Gbps throughput and the performance can scale linearly with the number of CPUs. The additional latency for the victim-related traffic and other traffic is around 27 us and 0.5 us, respectively, whose cost is far less than the scrubbing center. Remarkably, Pisces without false positives can provide high-quality datasets for intelligent approaches and form a prominent complementary effect.

KW - Authentication code

KW - DDoS defense

KW - IP address

KW - filter

KW - translator

UR - https://www.scopus.com/pages/publications/85215371630

U2 - 10.1109/TDSC.2025.3530140

DO - 10.1109/TDSC.2025.3530140

M3 - Article

AN - SCOPUS:85215371630

SN - 1545-5971

VL - 22

SP - 3337

EP - 3353

JO - IEEE Transactions on Dependable and Secure Computing

JF - IEEE Transactions on Dependable and Secure Computing

IS - 4

ER -

Pisces: In-Path Distributed Denial-of-Service Defense via Efficient Authentication Code Embedded in IP Address

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this