On the Security Risks of Memory Adaptation and Augmentation in Data-plane DoS Mitigation
Hocheol Nam
Network and Distributed System Security (NDSS) Symposium 2026 · Day 1 · Systems Security
Programmable switches have transformed DoS defense by enabling real-time, line-rate detection and mitigation directly in the network data plane. But this talk reveals that the very optimizations that make these defenses efficient -- memory slicing, resource augmentation, adaptive memory reallocation, and periodic sketch refresh -- create new exploitable attack surfaces. The researchers introduce the **Heracles attack**, the first attack that **proactively exploits** the internal optimization mechanisms of data-plane DoS defenses rather than merely trying to evade detection. Tested against **Poseidon** (presented at Oakland 2024), Heracles caused the defense to fail to block **78% of malicious traffic** when the attacker used synchronized augmentation and **50%** when it used memory squeezing. The team also proposes **SHIELD**, a hierarchical sketch-based defense that decouples timing across layers, blocks all malicious traffic within 3 seconds, and is fully open-source on GitHub.
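The timing problem the abstract describes can be shown with a small simulation. The model below is an added, constructed illustration, not code from the Heracles, Poseidon or SHIELD projects, and it does not reproduce the real attack: a defense layer with limited memory re-targets that memory every `period` slots at whichever attack vector dominated the previous window, and an attacker who knows that period rotates vectors exactly at the boundaries, so the layer is always defending against last window's traffic. A second layer whose period is not a multiple of the first (a crude stand-in for the decoupled timing the abstract attributes to SHIELD) re-targets at moments the attacker is not synchronized with and recovers part of the blind spot. The vector names, periods and the `AdaptiveLayer`/`RotatingAttacker` classes are all assumptions made for the example.

```python
"""Toy model of an adaptive data-plane defense whose reallocation timing an
attacker can synchronize against (constructed illustration, not Heracles,
Poseidon or SHIELD code)."""
from collections import Counter
from typing import Optional, Sequence

# Constructed attack vectors; the defense can only target one at a time.
VECTORS = ("syn_flood", "udp_amp", "dns_query")


def is_boundary(t: int, period: int, phase: int = 0) -> bool:
    """True when slot t is a reallocation boundary for (period, phase)."""
    return t > 0 and t >= phase and (t - phase) % period == 0


class AdaptiveLayer:
    """One defense layer (hypothetical). At every boundary it points its
    scarce memory at the vector that dominated the previous window."""

    def __init__(self, period: int, phase: int = 0) -> None:
        self.period, self.phase = period, phase
        self.target: Optional[str] = None
        self.window: Counter = Counter()

    def maybe_reallocate(self, t: int) -> None:
        if is_boundary(t, self.period, self.phase) and self.window:
            # Deterministic tie-break: highest count, then lexical order.
            self.target = max(sorted(self.window), key=lambda v: self.window[v])
            self.window.clear()

    def observe(self, vector: str) -> None:
        self.window[vector] += 1

    def blocks(self, vector: str) -> bool:
        return vector == self.target


class ConstantAttacker:
    """Naive attacker: one vector for the whole attack."""

    def __init__(self, vector: str) -> None:
        self.vector = vector

    def pick(self, t: int) -> str:
        return self.vector


class RotatingAttacker:
    """Attacker synchronized with one layer's reallocation schedule: switches
    vector exactly when that layer re-targets, so it always lags one window."""

    def __init__(self, period: int, phase: int = 0) -> None:
        self.period, self.phase, self.idx = period, phase, 0

    def pick(self, t: int) -> str:
        if is_boundary(t, self.period, self.phase):
            self.idx += 1
        return VECTORS[self.idx % len(VECTORS)]


def simulate(attacker, layers: Sequence[AdaptiveLayer], slots: int = 24) -> float:
    """Run `slots` time slots; return the fraction of malicious slots blocked
    by at least one layer. Layers reallocate before seeing the slot's traffic."""
    blocked = 0
    for t in range(slots):
        for layer in layers:
            layer.maybe_reallocate(t)
        vector = attacker.pick(t)
        for layer in layers:
            layer.observe(vector)
        if any(layer.blocks(vector) for layer in layers):
            blocked += 1
    return blocked / slots


def scenario_constant_single() -> float:
    # Single layer, period 4: only the first window is missed.
    return simulate(ConstantAttacker("udp_amp"), [AdaptiveLayer(4)])


def scenario_synced_single() -> float:
    # Same layer, attacker rotating on its boundaries: nothing is ever blocked.
    return simulate(RotatingAttacker(4), [AdaptiveLayer(4)])


def scenario_synced_decoupled() -> float:
    # Add a layer with period 3; the attacker is synchronized to period 4 only.
    return simulate(RotatingAttacker(4), [AdaptiveLayer(4), AdaptiveLayer(3)])


if __name__ == "__main__":
    for name, fn in (("constant attacker, single layer", scenario_constant_single),
                     ("synchronized attacker, single layer", scenario_synced_single),
                     ("synchronized attacker, decoupled layers", scenario_synced_decoupled)):
        print(f"{name}: blocked {fn():.0%}")
```

The second layer in the last scenario is deliberately only a partial fix: with periods 4 and 3 it catches the rotation at the slots where its own window was dominated by the attacker's current vector, and a smarter attacker could try to straddle both schedules. That is the point of the toy: any single reallocation clock is an oracle for the attacker, and the gain from a hierarchy comes from making the clocks the attacker would have to satisfy simultaneously incompatible.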
AI review
An excellent attack-and-defense paper that identifies structural vulnerabilities in programmable switch-based DoS defenses. The Heracles attack doesn't just evade detection -- it proactively exploits the optimization mechanisms (memory slicing, adaptive reallocation, control plane augmentation) to cause Poseidon to miss 78% of malicious traffic. The attack methodology is generalizable across multiple in-network defense systems, and the SHIELD defense with hierarchical timing decoupling is a clean architectural fix. Both offense and defense are implemented on real Tofino hardware.