Link-flooding attacks have the potential to disconnect even entire countries from the Internet. Moreover, newly proposed indirect link-flooding attacks, such as “Crossfire”, are extremely hard to expose and, subsequently, mitigate effectively. Traffic Engineering (TE) is the network’s natural way of mitigating link overload events, balancing the load and restoring connectivity. This work poses the question: Do we need a new kind of TE to expose an attack as well? The key idea is that a carefully crafted, attack-aware TE could force the attacker to follow improbable traffic patterns, revealing his target and his identity over time. We show that both existing and novel TE modules can efficiently expose the attack, and study the benefits of each approach. We implement defense prototypes using simulation mechanisms and evaluate them extensively on multiple real topologies.
In a crossfire attack, the attacker disrupts the victim’s communications without ever sending any traffic directly to the victim; instead, the attacker identifies critical links that connect the victim to the Internet and floods them by sending traffic to “decoy” destinations, which happen to be served by the same links. How can we detect an attack that never generates traffic to the intended victim? This is the first paper that addresses this question. It makes the key observation that the detection of crossfire attacks can be a by-product of classic traffic engineering (TE): TE continuously changes the network routes in response to link overload and, as a side-effect, it forces the attacker to continuously change the decoys (in order to keep the critical links to the victim flooded); hence, simply by observing shifting traffic patterns, an administrator can eventually identify potential attack sources, victims, and decoys. The paper also proposes a new kind of “attack-aware TE,” which reduces the frequency of routing changes caused by the attack. The reviewers appreciated the paper’s careful theoretical analysis and promising experimental evaluation, but most importantly the idea that route diversity, which is a natural result of TE, benefits the detection of crossfire attacks.
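The observation above, that rerouting forces an attacker to keep changing decoys, can be turned into a simple scoring pass over flow records. The following is an added example, not the paper's algorithm or code: the function name, the per-epoch flow/route/flooded-link inputs, the `min_shifts` threshold and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data. L1 is the flooded critical link; TE moves d1/d2 off
# it at epoch 1 and d3 off it at epoch 2. "web" never crosses L1.
ROUTES = {
    0: {"d1": {"L1"}, "d2": {"L1"}, "d3": {"L1"}, "d4": {"L1"}, "web": {"L3"}},
    1: {"d1": {"L2"}, "d2": {"L2"}, "d3": {"L1"}, "d4": {"L1"}, "web": {"L3"}},
    2: {"d1": {"L2"}, "d2": {"L2"}, "d3": {"L2"}, "d4": {"L1"}, "web": {"L3"}},
}
FLOODED = {0: {"L1"}, 1: {"L1"}, 2: {"L1"}}
FLOWS = [  # (epoch, source, destination)
    (0, "bot1", "d1"), (1, "bot1", "d3"), (2, "bot1", "d4"),
    (0, "bot2", "d2"), (1, "bot2", "d3"), (2, "bot2", "d4"),
    (0, "user1", "d1"), (1, "user1", "d1"), (2, "user1", "d1"),    # stays put
    (0, "user2", "d2"), (1, "user2", "web"), (2, "user2", "web"),  # moves off L1
    (0, "user3", "web"), (1, "user3", "d4"), (2, "user3", "d4"),   # one benign move
]

def chasing_sources(flows, routes, flooded, min_shifts=2):
    """Return {source: (shift_count, decoys)} for sources that repeatedly drop
    destinations TE has just rerouted off a flooded link and pick up new ones
    that still cross a flooded link."""
    def hits(epoch, dst):
        return bool(routes[epoch].get(dst, set()) & flooded[epoch])

    seen = defaultdict(lambda: defaultdict(set))  # source -> epoch -> destinations
    for epoch, src, dst in flows:
        seen[src][epoch].add(dst)

    suspects = {}
    for src, per_epoch in seen.items():
        shifts, decoys = 0, set()
        epochs = sorted(per_epoch)
        for prev, cur in zip(epochs, epochs[1:]):
            added = per_epoch[cur] - per_epoch[prev]
            dropped = per_epoch[prev] - per_epoch[cur]
            # New destinations all cross a flooded link in the current epoch.
            followed = bool(added) and all(hits(cur, d) for d in added)
            # Abandoned destinations were on a flooded link until TE moved them.
            rerouted = bool(dropped) and all(
                hits(prev, d) and not hits(cur, d) for d in dropped)
            if followed and rerouted:
                shifts += 1
                decoys |= added | dropped
        if shifts >= min_shifts:
            suspects[src] = (shifts, sorted(decoys))
    return suspects

if __name__ == "__main__":
    print(chasing_sources(FLOWS, ROUTES, FLOODED))
```

A source that changes destination once for ordinary reasons scores below the threshold, which is why evidence accumulates only over several rerouting rounds.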