SatShield: In-Network Mitigation of Link Flooding Attacks for LEO Constellation Networks

IEEE Internet of Things Journal (2024)

Abstract
Low Earth Orbit (LEO) satellite networks provide global connectivity but are vulnerable to security threats such as link flooding attacks. To defend against such attacks, state-of-the-art approaches employ SDN to acquire a global view of the network, enabling the detection and mitigation of malicious traffic. However, in LEO constellation networks, the distributed nature of satellites across a large spatial scale introduces significant latency in both satellite-to-ground and inter-satellite links, with latency reaching up to tens of milliseconds, while attack traffic dynamically adapts within sub-milliseconds. As a result, existing defense systems face challenges in countering these attacks effectively due to the increased reaction time caused by link latency. In this paper, we leverage programmable switches to build a real-time defense system against link flooding attacks (LFA) in LEO constellation networks. To achieve this, we analyze the practical constraints encountered in the deployment of LFA attacks against state-of-the-art LEO satellite systems. We observe that despite the ability of bots to initiate attack traffic from any location worldwide, an anomalous distribution of flow rate on the affected links can still be detected. We propose SatShield, an in-network defense system that filters out suspicious traffic (heavy flows) in the network and mitigates these threats by leveraging programmable packet scheduling. By using SatShield, we are able to achieve real-time identification and rate-limiting of attacks at line rate on a per-packet basis. We implement SatShield with P4 in a commercial programmable switch and evaluate it with real-world traffic traces. Our evaluation shows that SatShield autonomously identifies LFA attack flows and rapidly mitigates LFA attacks.
Keywords
Link flooding attack, Programmable switches, LEO network, SDN