On the Interplay of Link-Flooding Attacks and Traffic Engineering

Link-flooding attacks have the potential to disconnect even entire countries from the Internet. Moreover, newly proposed indirect link-flooding attacks, such as "Crossfire", are extremely hard to expose and, subsequently, mitigate effectively. Traffic Engineering (TE) is the network's natural way of mitigating link overload events, balancing the load and restoring connectivity. This work poses the question: Do we need a new kind of TE to expose an attack as well? The key idea is that a carefully crafted, attack-aware TE could force the attacker to follow improbable traffic patterns, revealing his target and his identity over time. We show that both existing and novel TE modules can efficiently expose the attack, and study the benefits of each approach. We implement defense prototypes using simulation mechanisms and evaluate them extensively on multiple real topologies.
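To make the key idea concrete, here is a small added simulation written for this page; it is not the paper's code or its TE modules, and the topology, hosts, capacity, "re-appearance" heuristic and threshold are all constructed assumptions. A defender reroutes every flow off an overloaded link onto a detour. Benign flows simply stay on the detour, but a Crossfire-style bot that wants the link congested has to open a fresh flow to a decoy destination so that it lands on the target link again. Counting how often a source re-appears on the link right after being rerouted away from it is the "improbable traffic pattern" that separates bots from ordinary senders.

```python
"""Toy model of attack-aware traffic engineering exposing link-flooding bots.

Added illustration only; topology, hosts and the heuristic are constructed.
"""
import heapq
from collections import defaultdict

# Constructed topology: undirected weighted links. (C, D) is the link the attacker
# wants to flood; it is the cheap way from the A/B side to E/F, but C-G-D exists.
LINKS = {("A", "C"): 1, ("B", "C"): 1, ("C", "D"): 1, ("C", "G"): 2,
         ("G", "D"): 2, ("D", "E"): 1, ("D", "F"): 1}
TARGET = ("C", "D")
CAPACITY = 2  # constructed: flows the target link carries before it is overloaded

# Constructed hosts: name -> (attachment node, destination, is_bot). is_bot is
# simulation ground truth only; the defender logic below never reads it.
HOSTS = {
    "h1": ("A", "E", False), "h2": ("A", "F", False), "h3": ("B", "E", False),
    "h4": ("B", "F", False), "bot1": ("A", "E", True), "bot2": ("B", "F", True),
    "bot3": ("A", "F", True),
}
DECOYS = ["E", "F"]  # decoy destinations the bots may pick


def adjacency(exclude=None):
    """Adjacency map of LINKS, optionally leaving one link out."""
    adj = defaultdict(dict)
    for (u, v), w in LINKS.items():
        if (u, v) == exclude or (v, u) == exclude:
            continue
        adj[u][v] = w
        adj[v][u] = w
    return adj


def shortest_path(src, dst, exclude=None):
    """Dijkstra shortest path as a node list, or None if dst is unreachable."""
    adj = adjacency(exclude)
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue
        for v, w in adj[u].items():
            if d + w < dist.get(v, float("inf")):
                dist[v] = d + w
                prev[v] = u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return None
    path, node = [dst], dst
    while node != src:
        node = prev[node]
        path.append(node)
    return path[::-1]


def uses_link(path, link):
    edges = set(zip(path, path[1:]))
    return link in edges or link[::-1] in edges


def run(rounds=3, threshold=2):
    """Simulate TE rounds; return (flagged hosts, per-round target-link load)."""
    flows = {h: (dst, shortest_path(att, dst)) for h, (att, dst, _) in HOSTS.items()}
    rerouted_last_round, reappearances, loads = set(), defaultdict(int), []
    for r in range(1, rounds + 1):
        # Attacker adaptation (ground truth, invisible to the defender): a bot whose
        # flow no longer crosses the target opens a new flow to a decoy that does.
        # Constructed benign churn: h4 starts a new flow in round 2.
        for h, (att, _, is_bot) in HOSTS.items():
            if is_bot and not uses_link(flows[h][1], TARGET):
                for d in DECOYS:
                    p = shortest_path(att, d)
                    if uses_link(p, TARGET):
                        flows[h] = (d, p)
                        break
            elif h == "h4" and r == 2:
                flows[h] = ("E", shortest_path(att, "E"))
        # Defender observation: which sources sit on the target link this round.
        on_target = {h for h, (_, p) in flows.items() if uses_link(p, TARGET)}
        loads.append(len(on_target))
        for h in on_target & rerouted_last_round:
            reappearances[h] += 1  # rerouted away last round, yet back again
        rerouted_last_round = set()
        if len(on_target) > CAPACITY:  # TE: move flows onto a detour if one exists
            for h in on_target:
                att, dst = HOSTS[h][0], flows[h][0]
                detour = shortest_path(att, dst, exclude=TARGET)
                if detour:
                    flows[h] = (dst, detour)
                    rerouted_last_round.add(h)
    flagged = {h for h, c in reappearances.items() if c >= threshold}
    return flagged, loads


if __name__ == "__main__":
    print(run())
```

The threshold matters: h4 changes destination once and re-appears on the link once, so a single re-appearance would be a false positive; only sources that keep chasing the link after every reroute reach the threshold.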
