A systematic review on distributed denial of service attack defense mechanisms in programmable networks
International Journal of Network Management ( IF 1.5 ) Pub Date : 2021-05-24 , DOI: 10.1002/nem.2163
Bruno L. Dalmazo 1 , Jonatas A. Marques 2 , Lucas R. Costa 3 , Michel S. Bonfim 4 , Ranyelson N. Carvalho 3 , Anderson S. Silva 2 , Stenio Fernandes 4 , Jacir L. Bordim 3 , Eduardo Alchieri 3 , Alberto Schaeffer‐Filho 2 , Luciano Paschoal Gaspary 2 , Weverton Cordeiro 2

Design flaws and vulnerabilities inherent to network protocols, devices, and services make Distributed Denial of Service (DDoS) a persistent threat in cyberspace, despite decades of research efforts in the area. The historical vertical integration of traditional IP networks limited the solution space, forcing researchers to tweak network protocols while maintaining global compatibility and proper service to legitimate flows. The advent of Software-Defined Networking (SDN) and advances in Programmable Data Planes (PDP) changed the state of affairs and brought novel possibilities for dealing with such attacks. In summary, the ability to bring network intelligence together in a control plane, and to offload flow processing tasks to the forwarding plane, opened up opportunities for network security researchers like never before. In this article, we dive into recent research that relies on SDN and PDP to detect, mitigate, and prevent DDoS attacks. Our literature review takes into account the SDN layered view as defined in RFC7426 and focuses on the data, control, and application planes. We follow a systematic methodology to capture related articles and organize them into a taxonomy of DDoS defense mechanisms focusing on three facets: activity level, deployment location, and cooperation degree. From the analysis of existing work, we also highlight key research gaps that may foster future research in the field.

Updated: 2021-05-24