Traceroute-based target link flooding attack detection scheme by analyzing hop count to the destination

Abstract

Recently, the detection of target link flooding attack which is a new type of DDoS (Distributed Denial of Service) is required. Target link flooding attack is used for disconnecting a specific area from the Internet. It is more difficult to detect and mitigate this attack than legacy DDoS since attacking flows do not reach the target region. Among several schemes for target link flooding attack, the scheme focusing on traceroute is gathering attention. The idea behind that is the attacker needs to send traceroute to investigate the topology around targeted region before attack starts. That scheme detects the attack by finding rapid increase of traceroute. However, it cannot work when attacker's traceroute ratio is low. In this paper, we propose traceroute-based target link flooding attack detection scheme by analyzing hop count to the destination. Since the attacker must choose the link flooded to disconnect the target area, the destinations of attacker's traceroutes are concentrated within several hops from the target link while legitimate user's ones are distributed uniformly. By analyzing the number of traceroutes as per hop counts, the change can be emphasized and the attack symptom might be more easily captured. By computer simulations, we first prove the above hypotheses and show that our scheme has more robustness compared with the conventional scheme.