DOI: 10.5555/2717491.2717497

Towards detecting target link flooding attack

Published: 09 November 2014

Abstract

A new class of target link flooding attacks (LFA) can cut off the Internet connections of a target area without being detected because they employ legitimate flows to congest selected links. Although new mechanisms for defending against LFA have been proposed, deployment issues limit their use because they require modifying routers. In this paper, we propose LinkScope, a novel system that employs both end-to-end and hop-by-hop network measurement techniques to capture abnormal path performance degradation for detecting LFA, and then correlates the performance data and traceroute data to infer the target links or areas. Although the idea is simple, we tackle a number of challenging issues, such as conducting large-scale Internet measurement through noncooperative measurement, assessing the performance on asymmetric Internet paths, and detecting LFA. We have implemented LinkScope in 7174 lines of C code, and extensive evaluation in a testbed and on the Internet shows that LinkScope can quickly detect LFA with high accuracy and a low false positive rate.

Cited By

  • (2016) On the Interplay of Link-Flooding Attacks and Traffic Engineering. ACM SIGCOMM Computer Communication Review 46:2 (5-11). DOI: 10.1145/2935634.2935636. Online publication date: 9-May-2016

Published In

LISA'14: Proceedings of the 28th USENIX conference on Large Installation System Administration
November 2014
145 pages
ISBN: 9781931971171

Sponsors

  • USENIX Assoc

In-Cooperation

  • LOPSA

Publisher

USENIX Association, United States

Author Tags

  1. attack
  2. network security
  3. noncooperative internet measurement
  4. target link flooding

Qualifiers

  • Article
