AI Summary
This work addresses a critical limitation of existing in-network AR-DDoS defense mechanisms, which rely on symmetric routing and are confined to single switches, leading to false drops of legitimate traffic and defense failure in asymmetric network topologies. To overcome this, the authors propose ReAct, a novel in-network defense framework that supports asymmetric routing and enables cross-switch, adaptive coordination without manual intervention. Built on the P4 programmable data plane, ReAct leverages a sliding-window Bloom filter coupled with a request-forwarding mechanism to accurately associate and validate request-response pairs. Experimental results demonstrate that under high-load attacks and asymmetric routing conditions, ReAct effectively filters nearly all attack traffic while achieving zero loss of legitimate responses and significantly lower false-positive rates compared to state-of-the-art approaches.
Abstract
Amplification Reflection Distributed Denial-of-Service (AR-DDoS) attacks remain a formidable threat, exploiting stateless protocols to flood victims with illegitimate traffic. Recent advances have enabled data-plane defenses against such attacks, but existing solutions typically assume symmetric routing and are limited to a single switch. These assumptions fail in modern networks where asymmetry is common, resulting in dropped legitimate responses and persistent connectivity issues. This paper presents ReAct, an in-network defense for AR-DDoS that is robust to asymmetry. ReAct performs request-response correlation across switches using programmable data planes and a sliding window of Bloom filters. To handle asymmetric traffic, ReAct introduces a data-plane-based request forwarding mechanism, enabling switches to validate responses even when paths differ. ReAct can automatically adapt to routing changes with minimal intervention, ensuring continued protection even in dynamic network environments. We implemented ReAct on both a P4 interpreter and NVIDIA's BlueField-3, demonstrating its applicability across multiple platforms. Evaluation results show that ReAct filters nearly all attack traffic without dropping legitimate responses, even under high-volume attacks and asymmetry. Compared to state-of-the-art approaches, ReAct achieves significantly lower false positives. To our knowledge, ReAct is the first data-plane AR-DDoS defense that supports dynamic, cross-switch collaboration, making it uniquely suitable for deployment in networks with asymmetry.
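The abstract's core mechanism (record each outgoing request in a sliding window of Bloom filters, admit a response only if its reversed 5-tuple matches a recorded request, and forward request digests to peer switches so that a response taking a different return path can still be validated) can be modelled in a few dozen lines. The following Python is an added illustration, not the paper's code or its P4 implementation; the filter sizes, window depth, switch names, sample addresses and the way a request digest is pushed to a peer are assumptions made for the example. It contrasts a single-switch (symmetric-only) deployment, which drops the legitimate reply on an asymmetric path, with the request-forwarding variant, and also shows that a reply arriving after the window has rotated out is no longer admitted.

```python
import hashlib
from collections import deque

# Added example (not the paper's code): request-response correlation with a
# sliding window of Bloom filters plus request forwarding between switches.
# Sizes, names and the forwarding mechanism are assumptions for illustration.


class BloomFilter:
    def __init__(self, m_bits: int, k: int):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, key: bytes):
        # k positions from a keyed hash; a P4 target would typically use CRC-based hashes
        for i in range(self.k):
            digest = hashlib.blake2b(key, digest_size=8, salt=bytes([i])).digest()
            yield int.from_bytes(digest, "big") % self.m

    def add(self, key: bytes) -> None:
        for pos in self._positions(key):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, key: bytes) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(key))


class SlidingWindowBloom:
    """Ring of `slots` filters: inserts go to the newest, queries check all,
    rotate() retires the oldest so stale requests stop validating responses."""

    def __init__(self, slots: int, m_bits: int, k: int):
        self.m, self.k = m_bits, k
        self.filters = deque(BloomFilter(m_bits, k) for _ in range(slots))

    def add(self, key: bytes) -> None:
        self.filters[-1].add(key)

    def __contains__(self, key: bytes) -> bool:
        return any(key in f for f in self.filters)

    def rotate(self) -> None:
        self.filters.popleft()
        self.filters.append(BloomFilter(self.m, self.k))


def flow_key(src, sport, dst, dport, proto) -> bytes:
    return f"{src}:{sport}->{dst}:{dport}/{proto}".encode()


class Switch:
    def __init__(self, name: str, window_slots: int = 3):
        self.name = name
        self.window = SlidingWindowBloom(window_slots, m_bits=4096, k=4)
        self.peers = []  # switches that may sit on the response path (assumed mechanism)

    def on_request(self, pkt: dict) -> None:
        """Record a client request; with peers configured, forward its digest to them."""
        key = flow_key(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        self.window.add(key)
        for peer in self.peers:
            peer.window.add(key)

    def on_response(self, pkt: dict) -> str:
        """Admit a response only if the reversed 5-tuple matches a recorded request."""
        key = flow_key(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        return "FORWARD" if key in self.window else "DROP"


def run_scenario(request_forwarding: bool) -> dict:
    """Asymmetric path: the request leaves via switch A, the response returns via switch B."""
    a, b = Switch("A"), Switch("B")
    if request_forwarding:
        a.peers.append(b)
    # Constructed sample traffic: one real DNS query and one unsolicited reflected reply
    query = {"src": "10.0.0.5", "sport": 40000, "dst": "198.51.100.53", "dport": 53, "proto": "udp"}
    legit_reply = {"src": "198.51.100.53", "sport": 53, "dst": "10.0.0.5", "dport": 40000, "proto": "udp"}
    reflected = {"src": "198.51.100.53", "sport": 53, "dst": "10.0.0.5", "dport": 41111, "proto": "udp"}
    a.on_request(query)
    verdicts = {"legit": b.on_response(legit_reply), "reflected": b.on_response(reflected)}
    for _ in range(3):  # the whole window rotates out: a late reply is no longer admitted
        b.window.rotate()
    verdicts["legit_after_expiry"] = b.on_response(legit_reply)
    return verdicts


if __name__ == "__main__":
    print("symmetric-only defense:", run_scenario(request_forwarding=False))
    print("with request forwarding:", run_scenario(request_forwarding=True))
```

Without forwarding, switch B never learned about the query and drops the legitimate reply, which is exactly the false-drop failure the abstract attributes to single-switch, symmetric-routing designs; with forwarding, the reply is admitted while the unsolicited reflected packet is still dropped. The Bloom filter's false-positive rate, governed by its size, hash count and the number of live requests per window slot, bounds how much attack traffic could slip through, so those parameters are what an operator tunes against expected request volume.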