On the Interplay of Link-Flooding Attacks and Traffic Engineering
Dimitrios Gkounis, Vasileios Kotronis, Christos Liaskos, Xenofontas Dimitropoulos

TL;DR
This paper investigates how traffic engineering can be adapted to detect and expose sophisticated link-flooding attacks like Crossfire by forcing attackers to reveal their targets through strategic load balancing.
Contribution
It proposes a novel attack-aware traffic engineering approach that can effectively expose link-flooding attackers by inducing revealing traffic patterns.
Findings
Existing TE modules can be adapted for attack detection
Attack-aware TE can reveal attacker targets over time
Simulation confirms effectiveness on real topologies
Abstract
Link-flooding attacks have the potential to disconnect even entire countries from the Internet. Moreover, newly proposed indirect link-flooding attacks, such as 'Crossfire', are extremely hard to expose and, subsequently, mitigate effectively. Traffic Engineering (TE) is the network's natural way of mitigating link overload events, balancing the load and restoring connectivity. This work poses the question: Do we need a new kind of TE to expose an attack as well? The key idea is that a carefully crafted, attack-aware TE could force the attacker to follow improbable traffic patterns, revealing his target and his identity over time. We show that both existing and novel TE modules can efficiently expose the attack, and study the benefits of each approach. We implement defense prototypes using simulation mechanisms and evaluate them extensively on multiple real topologies.
