Lemon Artifact for USENIX 2025

The artifact of our USENIX Security submission: Lemon: Network-wide DDoS Detection with Routing-Oblivious Per-flow Measurement

Network-wide DDoS (Distributed Denial-of-Service) detection enables early attack detection and mitigates victim losses. However, unpredictable routing of DDoS traffic will invalidate the network administrator's prior knowledge of the network topology, causing existing sketch-based measurement systems to suffer from packet over-counting and processing stage mis-allocating issues. To address this gap, we propose Lemon, a routing-oblivious, resource-friendly, and scalable DDoS detection system that accurately detect DDoS attacks without any assumption on the traffic routing. Specifically, we design a novel data structure (Lemon sketch) that supports over-counting-free and mis-allocating-free measurements in the data plane. Lemon control plane aggregates Lemon sketches from measurement points and leverages per-flow level network-wide measurement results for DDoS attack detection and victim identification. We implement Lemon in both software switch (Bmv2) and programmable switch hardware (Tofino). The evaluation results show that Lemon can achieve consistently high accuracy for DDoS detection in various topology and traffic distribution configurations.