# Detecting Target-Area Link-Flooding DDoS Attacks using Traffic Analysis and Supervised Learning

**Authors:** Mostafa Rezazad, Matthias R. Brust, Mohammad Akbari, Pascal Bouvry, Ngai-Man Cheung

arXiv: 1903.01550 · 2019-03-06

## TL;DR

This paper introduces a traffic-analysis and supervised-learning approach to detecting the Crossfire attack, a link-flooding DDoS attack that cuts a geographical area off the Internet by congesting a selected set of network links with low-rate, benign-looking bot traffic; per-link volume serves as the main feature set for classification.

## Contribution

Analytical and emulated results expose previously unreported weaknesses in how the Crossfire attack must be executed (a dependence on botnet coordination, a trade-off between traffic distribution and detectability, and a warm-up period while bots synchronize), and SVM and Random Forest classifiers trained on link-volume features are shown to separate attack traffic from normal traffic.

## Key findings

- Correlation between botnet coordination and attack quality: the less tightly the bots are synchronized, the less effectively the target links are congested
- Correlation between attack distribution and detectability: how the attack traffic is spread across links affects how easily it stands out in link-volume data
- A warm-up period caused by bot synchronization, during which the attack is not yet fully effective
- Supervised learning models (SVM and Random Forest) trained on link-volume features achieve high accuracy in classifying traffic as normal or attack

## Abstract

A novel class of extreme link-flooding DDoS (Distributed Denial of Service) attacks is designed to cut off entire geographical areas such as cities and even countries from the Internet by simultaneously targeting a selected set of network links. The Crossfire attack is a target-area link-flooding attack, which is orchestrated in three complex phases. The attack uses a massively distributed large-scale botnet to generate low-rate benign traffic aiming to congest selected network links, so-called target links. The adoption of benign traffic, while simultaneously targeting multiple network links, makes detecting the Crossfire attack a serious challenge. In this paper, we present analytical and emulated results showing hitherto unidentified vulnerabilities in the execution of the attack, such as a correlation between coordination of the botnet traffic and the quality of the attack, and a correlation between the attack distribution and detectability of the attack. Additionally, we identified a warm-up period due to the bot synchronization. For attack detection, we report results of using two supervised machine learning approaches: Support Vector Machine (SVM) and Random Forest (RF) for classification of network traffic into normal and abnormal traffic, i.e., attack traffic. These machine learning models have been trained in various scenarios using the link volume as the main feature set.
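The abstract describes the two halves of the paper: the attack (many bots sending individually low-rate traffic whose aggregate congests a few target links, with quality depending on how well the bots are coordinated) and the detector (a classifier over per-link volume). The following toy model, added here as an illustration and not code from the paper, puts both on one constructed topology so the qualitative effects can be seen. Everything in it is an assumption: the five-link topology with two target links, the 60 Mb/s capacity, the 0.6 Mb/s per-bot rate, the uniform background load, and the `sync` parameter that spreads bot start times. The classifier is a nearest-centroid stand-in chosen so the example runs without libraries; the paper itself trains SVM and Random Forest models on link-volume features.

```python
"""Toy Crossfire-style link flooding with a link-volume detector.

Added example, not the paper's code. Topology, rates, capacity and the
nearest-centroid classifier are assumptions for illustration (the paper
trains SVM and Random Forest on link-volume features).
"""
import math
import random

N_LINKS = 5            # links in the constructed topology
TARGET_LINKS = (1, 3)  # links the attacker wants to congest
CAPACITY = 60.0        # Mb/s per link (assumed)
BOT_RATE = 0.6         # Mb/s per bot: low-rate, individually benign-looking
N_BOTS = 200
N_WINDOWS = 60         # one link-volume sample per time window
ATTACK_START = 20      # window in which the attack is launched
MAX_JITTER = 24        # windows over which an uncoordinated botnet ramps up


def simulate(sync, seed):
    """Return (volumes, labels): per-window link-volume vectors and 0/1 labels.

    Constructed data. sync in [0, 1] models botnet coordination: 1.0 starts
    every bot in the same window, lower values spread start times over up
    to MAX_JITTER windows.
    """
    rng = random.Random(seed)
    bots = []  # (target link, first active window) per bot
    for i in range(N_BOTS):
        link = TARGET_LINKS[i % len(TARGET_LINKS)]
        start = ATTACK_START + int((1.0 - sync) * rng.random() * MAX_JITTER)
        bots.append((link, start))
    volumes, labels = [], []
    for w in range(N_WINDOWS):
        vol = [rng.uniform(15.0, 25.0) for _ in range(N_LINKS)]  # benign background
        for link, start in bots:
            if w >= start:
                vol[link] += BOT_RATE
        volumes.append(vol)
        labels.append(1 if w >= ATTACK_START else 0)
    return volumes, labels


def congested(vol):
    """True when every target link is over capacity in this window."""
    return all(vol[l] > CAPACITY for l in TARGET_LINKS)


def attack_quality(volumes):
    """Fraction of attack windows in which all target links are congested."""
    windows = range(ATTACK_START, N_WINDOWS)
    return sum(1 for w in windows if congested(volumes[w])) / len(windows)


def warmup_windows(volumes):
    """Windows from attack launch until the target links first congest."""
    for w in range(ATTACK_START, N_WINDOWS):
        if congested(volumes[w]):
            return w - ATTACK_START
    return N_WINDOWS - ATTACK_START  # never congested


def train_centroids(volumes, labels):
    """Mean link-volume vector per class (stand-in for the paper's SVM/RF)."""
    centroids = {}
    for cls in (0, 1):
        rows = [v for v, y in zip(volumes, labels) if y == cls]
        centroids[cls] = [sum(col) / len(rows) for col in zip(*rows)]
    return centroids


def classify(centroids, vol):
    """Label a window by the nearest class centroid in link-volume space."""
    return min(centroids, key=lambda cls: math.dist(vol, centroids[cls]))


def detection_accuracy(sync):
    """Train on one emulated run, test on a second run with different noise."""
    centroids = train_centroids(*simulate(sync, seed=1))
    test_vol, test_lab = simulate(sync, seed=2)
    correct = sum(1 for v, y in zip(test_vol, test_lab)
                  if classify(centroids, v) == y)
    return correct / len(test_lab)


if __name__ == "__main__":
    for sync in (1.0, 0.5, 0.2):
        vol, _ = simulate(sync, seed=1)
        print(f"sync={sync:.1f} quality={attack_quality(vol):.2f} "
              f"warm-up={warmup_windows(vol)} windows "
              f"accuracy={detection_accuracy(sync):.2f}")
```

Running the script prints one line per coordination level. A fully synchronized botnet congests both target links from the first attack window (quality 1.0, no warm-up) and is trivially separable in link-volume space; as `sync` drops, the aggregate ramps up over a warm-up period during which the target links are not yet congested and the early attack windows look like normal traffic to the classifier, so quality and detection accuracy both fall. That is the same qualitative relationship the abstract reports, reproduced only within this constructed model; the paper's actual numbers come from its emulation and its SVM/RF experiments.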

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1903.01550/full.md

## Figures

17 figures with captions in the complete paper: https://tomesphere.com/paper/1903.01550/full.md

## References

16 references — full list in the complete paper: https://tomesphere.com/paper/1903.01550/full.md

---
Source: https://tomesphere.com/paper/1903.01550