Abstract
1- Introduction
2- Related work
3- Threat model
4- Woodpecker design overview
5- Optimal upgrade nodes selection policy
6- Congestion location and attack detection
7- LFA defense measures
8- Evaluation
9- Conclusion and future work
References
Abstract
Link-flooding attack (LFA), as a new type of DDoS attack, can degrade or even cut off network connectivity of a target area. This attack employs legitimate, low-density flows to flood a group of selected links. Therefore, these malicious flows can hardly be distinguished by traditional defense technologies. In our scheme, we first select M routers and upgrade them into SDN switches to maximize the network connectivity. Then, we propose a proactive probe approach to rapidly locate the congested links. Next, our scheme employs a global judgment algorithm to determine whether the network is under LFA or not. Finally, Woodpecker employs the core defense measure that based on the centralized traffic engineering to make the traffic balanced and eliminate the routing bottlenecks that are likely to be utilized by the adversary. We evaluate our scheme through comprehensive experiments. The results show that the bandwidth utilization of LFA-attacked links can be reduced by around 50% and that the average packet loss rate and jitter can be effectively decreased under LFA attacks.
Introduction
Recently, distributed denial of service (DDoS) attacks are the biggest threat to the availability of networks, applications and cloud services. The adversary generally ex5 plores resource asymmetry between the bots and victim servers, and abuses vulnerabilities of many network protocols to launch DDoS attacks [1, 2]. Many effective approaches have been proposed to detect and defend against the DDoS attacks, including Pushback [3], Ingress filter 10 [4], PacketScore [5] and so forth. These methods all need to identify malicious traffic in advance, but this operation is very difficult for link-flooding attack (LFA) — a new type of DDoS attack. Different from the traditional DDoS attacks, LFA floods 15 a well-chosen group of links to cut off the network connections of a target area, instead of attacking the target servers directly. To this end, the adversary first detects the paths from bots to the public servers and constructs a link map accordingly. Then, the adversary floods the 20 selected links by employing a large number of bots to send legitimate, low-density flows to the certain public servers. In this way, these congested links will severely degrade or even cut off the network connections of the target area. We show a simple example of LFA in Figure 1. 25 Over the last few years, LFA has quickly moved from the realm of academic curiosity [6, 7] to real-world incidents. We have already witnessed the real-life demonstration of LFA in the core of the Internet [8, 9]. The target areas of these attacks include internet exchange points, enterprises 30 and campus. Worth still, such an attack may be more frequent and massive due to inability to resist in reality. LFA typically has two remarkable characteristics. Undetectablity: The target area is not directly attacked. Thus the servers in the target area cannot perceive any 35 suspicious traffic. Indistinguishability: The adversary usually employs legitimate, low-rate flows with real IP addresses. Consequently, it is difficult to distinguish malicious flows from legitimate ones.