What is it about?
Network scanning attacks are a common threat on the internet. Portest detects these scanners directly in general-purpose switching hardware. Unlike other approaches, it does not require a programmable switch, and no traffic needs to be duplicated and sent to an external server for processing. Instead, Portest uses the "Ternary Content Addressable Memory" (TCAM) component of switches, combined with a randomized algorithm, to detect with high probability when a scanning attack has started.
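As an added illustration of the kind of randomized tripwire that a bounded match-action table makes possible (example code written for this summary, not the Portest algorithm or code from the paper): a fixed-size table watches a random subset of unused destination ports and counts hits, so a scan that sweeps many ports trips enough entries to be flagged with high probability, while hosts that only talk to real services never hit an entry. The in-use port set, table size, threshold and traffic are constructed.

```python
import random

PORT_SPACE = 65536
# Constructed example: service ports legitimately in use on the monitored network.
IN_USE = {22, 25, 53, 80, 110, 143, 443, 993, 3306, 8080}
UNUSED = [p for p in range(1, PORT_SPACE) if p not in IN_USE]


def build_table(capacity, rng):
    """Fill a fixed-size match table with `capacity` randomly chosen unused
    ports; each entry is a match-action rule whose action is a hit counter."""
    return {port: 0 for port in rng.sample(UNUSED, capacity)}


def process_packets(table, dst_ports):
    """Match-action step per packet: a destination port with an entry
    increments that entry's counter; everything else falls through."""
    for port in dst_ports:
        if port in table:
            table[port] += 1
    return table


def scan_detected(table, threshold):
    """Alarm once more than `threshold` distinct entries have been hit."""
    return sum(1 for hits in table.values() if hits > 0) > threshold


def expected_hits(scan_width, capacity):
    """Expected hits for a scan touching `scan_width` distinct unused ports:
    each watched port lies in the scanned set with probability scan_width/len(UNUSED)."""
    return scan_width * capacity / len(UNUSED)


def detection_rate(capacity, threshold, scanned_ports, trials, seed=1):
    """Fraction of trials in which a scan of `scanned_ports` is flagged; a fresh
    random table per trial models that the scanner cannot know which ports are watched."""
    rng = random.Random(seed)
    flagged = 0
    for _ in range(trials):
        table = process_packets(build_table(capacity, rng), scanned_ports)
        flagged += scan_detected(table, threshold)
    return flagged / trials


def benign_flagged(capacity, threshold, seed=1):
    """False-positive check: a host talking only to in-use services hits no entry."""
    benign = [80] * 50 + [443] * 80 + [22] * 3 + [53] * 20  # constructed traffic
    table = process_packets(build_table(capacity, random.Random(seed)), benign)
    return scan_detected(table, threshold)


if __name__ == "__main__":
    print("expected hits, 10k-port scan:", round(expected_hits(9990, 128), 1))
    print("detection rate:", detection_rate(128, 4, range(1, 10001), 200))
    print("benign flagged:", benign_flagged(128, 4))
```

With 128 watched ports a sequential scan of ports 1 to 10000 produces about 19.5 expected hits, so a threshold of 4 is crossed in practically every trial, whereas a full 65535-port sweep hits every entry.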
Why is it important?
Existing scan detection approaches require either a server that receives a copy of the network traffic, or specialized programmable switches that can be significantly more expensive. Approaches like Portest, which implement detection algorithms within the very constrained environment of general-purpose switches, therefore avoid both the cost of more expensive switching hardware and the overhead of copying traffic to a server.
Perspectives
The paper demonstrates a new approach to port scan detection and network observability that, unlike previous approaches, works entirely on non-programmable switches. While P4-programmable switches are powerful, their future appears uncertain at the moment, as their market share is limited and Intel decided to stop producing them. I hope that concepts like Portest extend the available possibilities of established and widely used non-programmable switches by exploring what can be done using their Match-Action Tables and TCAM.
Timon Krack
Karlsruher Institut für Technologie
Read the Original
This page is a summary of: Portest: Port Scan Detection on Non-Programmable Switches using TCAM and Randomized Algorithm, September 2025, ACM (Association for Computing Machinery), DOI: 10.1145/3748496.3748988.