Asymmetric routing breaks filters; ReAct fixes it

Blog 14 min read

Amplified reflection attacks now exploit diverse protocols like Microsoft RDP and Chameleon, moving beyond traditional DNS vectors.

The ReAct architecture solves the critical failure of existing mitigation systems that inadvertently drop legitimate traffic during asymmetric routing events. Unlike previous countermeasures dependent on symmetric paths, ReAct ensures accurate transaction ID matching even when requests and responses traverse divergent network segments. This capability is necessary as SECURELIST identifies a distinct shift toward exploiting varied protocols for amplification attacks, rendering static defenses obsolete.

Readers will examine the mechanics behind amplified reflection in modern asymmetric networks and how attackers use connectionless UDP protocols to overwhelm victims. The discussion details ReAct's specific algorithm for correlating requests across disjointed paths without sacrificing performance. Finally, the article outlines practical deployment strategies for ReAct on Intel Tofino switches and Nvidia Bluefield-3 SmartNICs, demonstrating how programmable data planes can enforce security without disrupting valid service flows.

The Mechanics of Amplified Reflection Attacks in Asymmetric Networks

AR-DDoS Mechanics: Exploiting Asymmetric Routing and Missing Contexts

Amplified Reflection DDoS exploits UDP protocols to turn vulnerable servers into high-volume traffic reflectors. Attackers spoof victim addresses, causing NTP servers using the MONLIST command to generate response streams roughly 500 times larger than the initial query. SNMP devices present similar risks, with observed amplification factors reaching extreme multiples. These attacks rely on connectionless transport where no persistent session exists, forcing mitigation systems to track individual transaction IDs for validation. Traditional defenses assume symmetric routing, expecting response packets to traverse the same network path as their corresponding requests.

Asymmetric routing breaks symmetric mitigation logic, causing immediate drops of legitimate response packets. Existing strategies function correctly only when a response follows the same path as its request, a condition frequently violated in modern peering arrangements. When paths diverge, counters tracking transaction IDs fail to match, triggering false positives that discard valid traffic. This misclassification directly translates to revenue loss for e-commerce and cryptocurrency platforms that cannot tolerate momentary downtime. Operators face a sharp tension between security posture and service availability. Deploying strict symmetric filters blocks legitimate traffic. The result leaves networks exposed to amplification factors reaching 500:1 via NTP or 650x via SNMP.

| Routing Mode | Mitigation Outcome | Business Consequence |
|---|---|---|
| Symmetric | Valid packets forwarded | Service remains online |
| Asymmetric | Valid packets dropped | Immediate revenue halt |
| Mixed | High false-positive rate | Operators disable filters |

ReAct addresses this by joining requests with responses within the data plane, regardless of path divergence. Unlike legacy systems requiring path symmetry, this architecture maintains state across different switches to validate transaction IDs accurately. Without such programmable solutions, operators remain reluctant to deploy proven detection, perpetuating vulnerability to AR-DDoS vectors.

False positive rates spike when mitigation logic encounters asymmetric paths, forcing switches to discard valid replies lacking local request context. Standard DNS queries yield a 50:1 amplification ratio, yet traditional counters fail if the response arrives at a different node than the query. This divergence causes systems to misclassify legitimate flows as attacks, directly causing the loss of legitimate traffic. Operators historically relied on vendors for hardware updates, leaving networks exposed to these specific routing anomalies until programmable data planes emerged.

| Routing Mode | Request Path | Response Path | Mitigation Outcome |
|---|---|---|---|
| Symmetric | Switch A | Switch A | Valid traffic forwarded |
| Asymmetric | Switch A | Switch B | Valid traffic dropped |

Single-switch defenses assume path symmetry, creating a blind spot that only flexible, cross-switch collaboration can close. Without this coordination, even a small fraction of asymmetric traffic triggers widespread service disruption. Modern frameworks address this by forwarding orphaned responses to the ingress switch rather than deleting them immediately. This approach prevents the significant disruption of service inherent in legacy designs.

Bloom Filter Mechanics for Transaction ID Membership Testing

ReAct employs a Bloom filter to test transaction ID membership without storing full request state in limited hardware memory. This probabilistic data structure allows the system to maintain an approximate representation of recently seen requests using a fraction of the memory required for an exact state table. Request packets trigger hashing functions that set specific bits to one within the filter array. Response packets subsequently check these bucket statuses to verify legitimacy before forwarding. The mechanism enables line-rate filtering directly inside forwarding ASICs, bypassing the latency penalties inherent in software-based solutions. Hash collisions represent the primary operational risk, where unrelated transactions map to identical bit positions. A false positive occurs if the filter incorrectly indicates a request was seen, potentially allowing attack traffic to pass. Conversely, Bloom filters never produce false negatives, ensuring legitimate responses are never dropped due to missing state. This asymmetry in error types prioritizes availability over perfect precision during high-volume events. The architecture supports flexible, cross-switch collaboration, so the membership test still applies when a response arrives at a different switch from the one that recorded the request.

| Feature | Exact State Table | Bloom Filter |
|---|---|---|
| Memory Usage | High (linear growth) | Low (fixed size) |
| False Negatives | 0% | 0% |
| False Positives | 0% | Possible |
| Lookup Speed | Variable | Constant |

Operators must tune the filter size against the expected request volume to minimize collision rates. Overfilling the structure degrades accuracy, while undersizing wastes available silicon resources. The trade-off is measurable: accepting a small risk of hash collisions enables protection at scales impossible with deterministic tables. This approach validates the request-response relationship for stateless protocols like DNS and NTP without maintaining per-flow counters. Request packets trigger bit-setting operations within the data plane, creating a probabilistic signature that consumes minimal memory. Response packets subsequently query these bits; a match indicates legitimacy, while a miss triggers an immediate drop. This mechanism functions effectively whether traffic traverses the same switch or different switches in an asymmetric routing environment.

| Feature | Intel Tofino Implementation | Nvidia Bluefield-3 Implementation |
|---|---|---|
| Processing Unit | Programmable Switch ASIC | Arm-based DPU |
| Memory Model | SRAM-limited registers | DDR-backed storage |
| Deployment Zone | Core Aggregation | Edge PoP |

Meanwhile, operators deploy this architecture at Content Distribution Network (CDN) Points of Presence where ingress and egress paths diverge. The system maintains a prefix list to forward unmatched responses to the switch holding the original request state. Flexible learning occurs via request retransmissions if initial routing rules remain undefined. A notable constraint involves hash collision rates increasing as the filter fills, potentially allowing rare false positives during sustained volumetric bursts. High-speed links carrying 300 Gb of traffic require careful tuning of hash functions to prevent bucket saturation. The cost of such deployment is offset by the elimination of manual rule updates during active attacks.

Managing Hash Collision Risks to Prevent False Positive Drops

Hash collisions occur when two distinct transaction IDs map to the same Bloom filter bucket, creating a risk of false positive drops. ReAct mitigates this inherent probabilistic limitation by tuning hash functions to maintain a simulation error rate below 3%. This threshold ensures valid responses are not misclassified as attacks even during high-volume reflection events. Standard mitigation tools often lack this precision, leading to the erroneous dropping of legitimate traffic. Operators must balance memory efficiency against collision probability when configuring bit-array sizes on programmable silicon.

| Configuration Factor | Impact on Collisions | Operational Trade-off |
|---|---|---|
| Bit-array size | Larger arrays reduce collision odds | Consumes more SRAM |
| Hash function count | More hashes increase accuracy | Adds pipeline latency |
| Reset interval | Frequent resets clear stale bits | Risks dropping late responses |
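The sizing arithmetic behind the table above, as an added example that is not code from the article or from the ReAct project: it applies the standard Bloom filter false-positive estimate p ≈ (1 − e^(−kn/m))^k to the article's own rules (size from peak rate rather than average load, a 3% error target, and the reset-interval trade-off). The request rates, reset intervals and SRAM budgets are constructed inputs, not figures from the page.

```python
import math

def fp_rate(m_bits, k_hashes, n_items):
    """Expected share of unseen keys that still test positive after n_items inserts."""
    if n_items == 0:
        return 0.0
    return (1.0 - math.exp(-k_hashes * n_items / m_bits)) ** k_hashes

def optimal_hashes(m_bits, n_items):
    """Hash count that minimises fp_rate for a given bits-per-item ratio."""
    if n_items == 0:
        return 1
    return max(1, round((m_bits / n_items) * math.log(2)))

def bits_for_target(n_items, target_fp):
    """Smallest bit array that meets target_fp when using the optimal hash count."""
    return math.ceil(-n_items * math.log(target_fp) / (math.log(2) ** 2))

def sizing_plan(peak_rps, reset_interval_s, sram_budget_bits, target_fp=0.03):
    """Size the filter from the peak (not average) request rate and the reset interval.

    Every request arriving between two resets occupies the filter, so the live
    item count is peak_rps * reset_interval_s. The 3% default mirrors the
    article's error-rate target; the SRAM budget is a constructed input.
    """
    n_items = math.ceil(peak_rps * reset_interval_s)
    m_needed = bits_for_target(n_items, target_fp)
    m_actual = min(m_needed, sram_budget_bits)   # when SRAM is short, report the degraded rate
    k = optimal_hashes(m_actual, n_items)
    return {
        "items_per_interval": n_items,
        "bits_needed": m_needed,
        "bits_allocated": m_actual,
        "hashes": k,
        "expected_fp": fp_rate(m_actual, k, n_items),
        "fits": m_needed <= sram_budget_bits,
    }

def reset_interval_tradeoff(peak_rps, m_bits, k_hashes, intervals_s):
    """Shorter resets empty the filter sooner (lower fp) but risk late replies missing state."""
    return [(t, fp_rate(m_bits, k_hashes, math.ceil(peak_rps * t))) for t in intervals_s]

if __name__ == "__main__":
    for interval, fp in reset_interval_tradeoff(50_000, 1_000_000, 5, [0.5, 1.0, 2.0, 4.0]):
        print(f"reset every {interval:.1f}s -> expected collision rate {fp:.4f}")
```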

The system achieves significantly lower false positives than symmetric-only defenses. Eliminating these errors removes the need for expensive over-provisioning or manual intervention during active sieges. False positive reduction remains the primary metric for validating deployment success in asymmetric environments.

Deploying ReAct on Tofino Switches and SmartNICs

Tofino Switch Coordination Logic for ReAct Request Tracking

Dashboard showing ReAct deployment metrics including 4-11% honeypot coverage, near 0% legitimate traffic drop, 11% memory overhead, and supported throughput speeds ranging from 1 Gb to 400 Gb.

Coordinating request tracking on Tofino switches requires hashing packets to a Bloom filter bucket based on the transaction ID. This mechanism enables stateful filtering on hardware with limited memory by setting a bit to one if the packet is a request. Operators must configure the data plane to perform this request forwarding automatically when inbound and outbound paths differ. The system joins legitimate requests with responses within the data plane, functioning effectively whether traffic traverses the same switch or different switches in an asymmetric routing environment. Deployment follows these specific configuration steps:

  1. Define the transaction ID extraction field within the P4 parser for the target protocol.
  2. Instantiate the Bloom filter register array with a size matching available SRAM.
  3. Map the hash output to the specific bit index for request bit-setting operations.
  4. Install match-action rules to check bit status for incoming response packets.
  5. Configure egress ports to drop packets where the membership test fails.

The limitation of this approach is that collisions can still occur, though the error rate remains low under standard loads. Unlike software-based solutions that struggle with memory constraints, this architecture enables line-rate filtering directly inside forwarding ASICs. The consequence of skipping coordination logic is the immediate failure of mitigation during path divergence, rendering the protection useless against sophisticated reflection vectors.

Operators must define prefix-based forwarding rules on the BlueField-3 to redirect unmatched responses to the ingress switch handling the original request. This configuration prevents the data plane from discarding valid packets during volumetric events where return paths diverge from request trajectories.

  1. Map source prefixes to specific internal switch identifiers within the DOCA flow table.
  2. Install match-action rules that forward responses lacking a local Bloom filter hit to the assigned peer.
  3. Enable line-rate filtering to process these redirects without CPU intervention or latency penalties.
  4. Verify that both ingress and egress traffic traverse the programmable smartNIC to maintain state consistency.

Data-plane request forwarding is what keeps validation correct when paths diverge. Without this explicit coordination, standard mitigation logic assumes symmetry and incorrectly classifies valid responses as attack traffic. The limitation involves increased complexity in rule management; operators must maintain accurate prefix-to-switch mappings as routing policies evolve. Static configurations fail when BGP shifts alter entry points, requiring flexible updates to the forwarding table. Failure to synchronize these tables results in blackholing legitimate user sessions while the filter blocks spoofed floods.
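The Tofino request-tracking steps and the BlueField-3 prefix redirect, as an added Python simulation of the data-plane logic (not the project's P4 or DOCA code): two switches each hold a Bloom filter, a request entering switch A sets bits, a reply returning through switch B misses locally and is redirected to the switch that the prefix table names as the owner of the client prefix. The switch names, prefixes, addresses and transaction IDs are constructed, and a salted SHA-256 index stands in for the hardware hash units.

```python
import hashlib
from ipaddress import ip_address, ip_network

class BloomFilter:
    """Fixed-size bit array standing in for the switch's register array."""
    def __init__(self, m_bits=4096, k_hashes=3):
        self.m, self.k, self.bits = m_bits, k_hashes, bytearray(m_bits // 8)

    def _positions(self, key):
        # Salted SHA-256 replaces the ASIC hash units (assumption for this simulation)
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}|{key}".encode()).digest()
            yield int.from_bytes(digest[:4], "big") % self.m

    def add(self, key):
        for p in self._positions(key):
            self.bits[p // 8] |= 1 << (p % 8)

    def contains(self, key):
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self._positions(key))

def flow_key(pkt):
    # Client address/port, server address and txid, oriented identically for both directions
    if pkt["resp"]:
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["txid"])
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["txid"])

class Switch:
    def __init__(self, name, prefix_table, peers):
        self.name, self.bf, self.peers = name, BloomFilter(), peers
        self.prefix_table = [(ip_network(p), owner) for p, owner in prefix_table.items()]

    def owner_of(self, client_ip):
        addr = ip_address(client_ip)
        return next((owner for net, owner in self.prefix_table if addr in net), None)

    def process(self, pkt):
        key = flow_key(pkt)
        if not pkt["resp"]:
            self.bf.add(key)                    # request: set its bits and forward
            return f"{self.name}:forward"
        if self.bf.contains(key):               # local hit: reply matches a request seen here
            return f"{self.name}:forward"
        owner = self.owner_of(pkt["dst"])       # orphaned reply: which switch saw the request?
        if owner is None or owner == self.name:
            return f"{self.name}:drop"
        verdict = "forward" if self.peers[owner].bf.contains(key) else "drop"
        return f"{self.name}:redirect->{owner}:{verdict}"

def run_scenario():
    table = {"10.0.0.0/24": "A", "10.0.1.0/24": "B"}   # constructed prefix-to-switch map
    peers = {}
    sw_a, sw_b = Switch("A", table, peers), Switch("B", table, peers)
    peers.update(A=sw_a, B=sw_b)
    req = dict(src="10.0.0.5", sport=53000, dst="198.51.100.1", dport=53, txid=0x1A2B, resp=False)
    good = dict(src="198.51.100.1", sport=53, dst="10.0.0.5", dport=53000, txid=0x1A2B, resp=True)
    spoof = dict(good, dst="10.0.0.9", txid=0x9999)    # reflected reply with no matching request
    stray = dict(good, dst="192.0.2.7")                # client prefix absent from the table
    return [
        sw_a.process(req),    # request enters at A
        sw_b.process(good),   # reply returns through B: local miss, redirected to A, forwarded
        sw_a.process(good),   # symmetric case: A validates the reply itself
        sw_b.process(spoof),  # no request state on either switch: dropped
        sw_b.process(stray),  # no owner known for the prefix: dropped locally
    ]
```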

Validation Checklist for ReAct Deployment Accuracy and False Positive Prevention

Verify Bloom filter bit-array sizing against the 11% memory overhead ceiling to prevent hash collision spikes during volumetric surges.

  1. Calculate bucket depth using peak transaction rates rather than average load to maintain line-rate filtering under stress.
  2. Program Tofino match-action tables to redirect unmatched responses to the specific ingress switch holding the request state.
  3. Confirm Nvidia BlueField-3 DOCA flows map source prefixes to internal switch identifiers before enabling drop policies.
  4. Monitor false positive counts hourly, ensuring they remain negligible.

| Checkpoint | Tofino Requirement | BlueField-3 Requirement |
|---|---|---|
| State Storage | External DDR buffer allocation | On-chip HBM utilization |
| Redirect Logic | P4 header modification | DOCA flow rule insertion |
| Collision Handling | Multiple hash functions | Probabilistic counting |

Operators must accept that aggressive bit-array compression increases collision probability, potentially allowing malicious traffic to pass as legitimate. This trade-off favors availability over strict security when memory resources constrain the programmable data plane.

ReAct Protocol Agnosticism Beyond DNS Transaction IDs

ReAct functions only for protocols embedding stable transaction IDs, excluding timestamp-based systems like NTP where re-transmissions generate new identifiers. The mechanism relies on matching request and response fields within the data plane to validate legitimacy before forwarding traffic. This approach succeeds with DNS because the identifier remains constant across the exchange, allowing the Bloom filter to track state accurately. However, NTP presents a fundamental incompatibility since the ID derives from the request timestamp, which shifts if the client retries the query. Operators asking if they should use ReAct for asymmetric networks must recognize this boundary: the system prevents false positives for supported protocols but offers no protection for timestamp-dependent flows. The limitation creates a gap in defense against high-volume amplification vectors that exploit stateless time synchronization services. Expanding the framework requires novel logic to handle stateless protocols lacking persistent identifiers in their header structures. While DNSGuard targets specific domain attacks, ReAct aims for broader reflection attacks. The cost of this narrow scope leaves networks exposed to non-DNS reflection vectors until developers implement alternative tracking methods.

Operators cannot deploy ReAct for Microsoft RDP or Chameleon VPN today because these protocols lack the stable transaction IDs required for Bloom filter matching. The shift toward diverse exploitable protocols including Microsoft RDP creates immediate risk as attackers bypass DNS-focused defenses. Unlike Jaqen or DIDA, which fail under asymmetric conditions by dropping valid responses, ReAct coordinates across switches to maintain request-response validation without symmetry assumptions. This distinction matters for CDN edges where return paths frequently diverge from ingress routes. The limitation remains strict: any protocol generating new identifiers on retransmission breaks the state tracking mechanism. NTP already exhibits this failure mode, and emerging VPN tunnels may follow similar patterns.

| Feature | ReAct | Jaqen/DIDA |
|---|---|---|
| Routing Assumption | Asymmetric supported | Symmetric only |
| Protocol Scope | ID-stable only | ID-stable only |
| False Positive Rate | Negligible | High in asymmetry |
| Deployment Target | Switch/SmartNIC | Single switch |

Extending defense requires embedding consistent identifiers into the data plane logic for newer protocols. Without this modification, operators face a binary choice: accept blind spots for RDP traffic or risk blocking legitimate sessions during volumetric events. The cost of misclassification includes revenue loss for platforms that cannot afford downtime. Future work must address protocols lacking inherent identifiers before full protocol agnosticism becomes viable. Until then, ReAct remains restricted to DNS and similar ID-stable protocols.

Operators hesitate to deploy asymmetric detection because misclassifying legitimate traffic creates immediate revenue loss for e-commerce platforms. Traditional countermeasures function correctly only when request and response paths align perfectly across the network infrastructure. Any divergence causes these systems to drop valid packets, triggering service outages that cost money faster than mitigation saves it. This financial risk outweighs the theoretical security benefit for cryptocurrency exchanges handling high-value transactions. Passive monitoring tools fail to provide sufficient visibility to justify this operational risk without direct data-plane validation. Honeypot deployments capture only a fraction of actual victimization events, leaving blind spots in threat intelligence.

Dropping zero attack traffic is preferable to dropping one percent of legitimate customer orders. InterLIR recommends validating false positive rates in staging environments before enabling drop policies on production edges.

About

Vladislava Shadrina serves as a Customer Account Manager at InterLIR, a specialized IPv4 marketplace dedicated to secure network resource redistribution. While her background includes architecture, her daily role focuses on managing client relations and ensuring the integrity of IP transactions within the global routing system. This position provides her with unique, practical insights into asymmetric routing challenges and the critical need for reliable BGP security. At InterLIR, she oversees processes that demand strict adherence to clean route objects and IP reputation standards, directly aligning with the technical mitigation strategies discussed in this article on ReAct. Her frontline experience helping clients navigate complex network availability issues allows her to effectively bridge the gap between advanced academic research on reflection attacks and real-world IPv4 leasing operations. By connecting theoretical defenses with actual marketplace security protocols, she highlights how proper resource management is essential for maintaining a resilient and transparent internet infrastructure.

Conclusion

Scaling ReAct beyond lab benchmarks reveals that hash collision rates spike unpredictably when bit-array sizing hits the 11% memory ceiling during terabit-scale bursts. High-speed links carrying 300 Gb of traffic demand precise tuning; without it, the system generates false positives that disrupt legitimate sessions faster than attackers can. The operational burden shifts from simple deployment to continuous memory optimization, where static configurations fail against flexible traffic patterns. The threat environment is evolving beyond standard amplification vectors toward exploitable protocols like Microsoft RDP and Chameleon VPNs, requiring filters that adapt to diverse packet structures rather than just DNS signatures.

Organizations must delay full production rollout until they verify stateful tracking accuracy under simulated asymmetric load for at least 48 hours. Do not enable drop policies on live edges until your staging environment proves zero impact on valid transaction completion. This timeline ensures that programmable data planes handle divergent paths without introducing latency that outweighs security gains. Start by auditing your current switch memory allocation against projected traffic growth this week to determine if your hardware supports the required bitarray expansion before.

Frequently Asked Questions

Symmetric filters drop valid packets because counters fail to match divergent paths. This causes immediate service disruption and revenue loss for platforms unable to tolerate downtime during normal routing fluctuations.

ReAct requires programmable data planes found in Intel Tofino switches and Nvidia Bluefield-3 SmartNICs. These devices allow custom programs to track transaction IDs across disjointed network segments effectively.

ReAct eliminates false positives by accurately matching requests and responses regardless of path divergence. This ensures zero percent of legitimate traffic is dropped during asymmetric routing events.

ReAct validates individual transaction IDs to stop amplified floods without needing symmetric paths. It prevents NTP reflection attacks from generating response streams roughly 500 times larger than queries.

Operators must size Bloom filter bit-arrays against an 11% memory overhead ceiling. Staying within this limit keeps hash collision rates low while maintaining high-speed lookup performance on programmable switches.