BALANCE: Link Flooding Attack Detection and Mitigation via Hybrid-SDN

Link Flooding Attack (LFA) is a type of Distributed Denial of Service (DDoS) attack. LFA can cut off a target area from the network without directly attacking the target. The attacker chooses links which, when cut off, will disconnect the target area, and instructs the bots to flood those links with small packets. Some of the existing solutions are suitable only for specific routing methods, such as shortest path routing, or need cooperation between Autonomous Systems (AS). To overcome certain limitations of existing solutions, we propose a novel mechanism named BALANCE. It detects and mitigates LFA via a hybrid Software-Defined Network (SDN). SDN splits the control and data planes using the OpenFlow protocol. A hybrid SDN has both legacy and SDN nodes, with a controller in the control plane. We use Service Based Hybrid SDN (SBHS), which is a type of hybrid SDN. BALANCE begins with an algorithm that chooses nodes in an AS to be SBHS-enabled in such a way that the controller can get statistics of all the links in the AS. Next, congestion detection and location algorithms are implemented in the controller to find the congested links. Finally, LFA bot detection and mitigation algorithms are implemented in the controller to mitigate LFA. BALANCE was evaluated in a testbed and an emulator. We compared the results with state-of-the-art solutions. BALANCE was able to detect LFA bots with a precision of 97.64% and had an HTTP response time of 2 seconds during the LFA attack.
