Towards mitigating Link Flooding Attack via incremental SDN deployment

Lei Wang, Qing Li, Yong Jiang, Jianping Wu
2016 IEEE Symposium on Computers and Communication (ISCC), published 2016-06-27. DOI: 10.1109/ISCC.2016.7543772 (https://doi.org/10.1109/ISCC.2016.7543772)
Citations: 37

Abstract

Link flooding attack (LFA), as a new type of DDoS attack, can degrade or even cut off network connectivity of a target area. This attack employs legitimate, low-density flows to flood a group of selected links. Therefore, these malicious flows can hardly be distinguished by traditional schemes. In this paper, we propose a scheme called Woodpecker, which makes the LFA more difficult to take effect. First, we select M routers and upgrade them into SDN switches that can maximize the network connectivity. Second, we propose a proactive probe approach to quickly locate the congested links and judge whether LFA occurs. Finally, Woodpecker employs centralized traffic engineering based on the upgraded nodes, which can make the traffic balanced enough to eliminate the routing bottlenecks likely to be utilized by the adversary. We evaluate our scheme by comprehensive experiments. The results show that: 1) the bandwidth utilization of LFA-attacked links can be reduced by around 50%; 2) the average packet loss rate and jitter can be effectively mitigated under LFA attacks.