Mitigating Link-Flooding Attack with Segment Rerouting in SDN

  • Conference paper
Cyberspace Safety and Security (CSS 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11982)

Abstract

Link-flooding attack (LFA) is a new type of DDoS attack used to flood and congest crucial network links, and it has severely damaged enterprise networks. LFA can be launched with large-scale, low-rate, legitimate data flows at quite a low cost and is difficult to detect, while target areas in a network can be easily isolated once the crucial links become unavailable. The SDN architecture provides new opportunities to address this critical network security problem through its global view of traffic monitoring, enabled by the separation of the data plane and the control plane. Recently, segment routing (SR), an evolution of source routing, has been viewed as a promising technique for flow rerouting and failure recovery. Segment routing is a lightweight, easily deployed scheme known for its flexibility, scalability, and applicability. Therefore, in this paper, we try to mitigate LFA with segment rerouting within the SDN architecture. With the comprehensive network-wide view of the data flows and links, we first design a monitoring mechanism to detect LFA based on the availability of the crucial links. Then we use segment routing to detour the congested flows and alleviate the burden on the crucial links. Finally, the LFA bots are identified and the malicious traffic is blocked. Extensive evaluations demonstrate that our LFA defense can efficiently detect LFA and preserve network services while introducing only a little signaling overhead between the controllers and the data plane.

Acknowledgement

This work is funded by the Civil Aviation Joint Research Fund Project of the National Natural Science Foundation of China under grant number U1833107.

Author information

Correspondence to Lixia Xie.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Xie, L., Ding, Y., Yang, H. (2019). Mitigating Link-Flooding Attack with Segment Rerouting in SDN. In: Vaidya, J., Zhang, X., Li, J. (eds) Cyberspace Safety and Security. CSS 2019. Lecture Notes in Computer Science, vol 11982. Springer, Cham. https://doi.org/10.1007/978-3-030-37337-5_6

  • DOI: https://doi.org/10.1007/978-3-030-37337-5_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-37336-8

  • Online ISBN: 978-3-030-37337-5

  • eBook Packages: Computer Science, Computer Science (R0)
