Professional Documents
Culture Documents
On Modeling Link Flooding Attacks and Defenses
On Modeling Link Flooding Attacks and Defenses
On Modeling Link Flooding Attacks and Defenses
fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
Date of publication xxxx 00, 0000, date of current version xxxx 00, 0000.
Digital Object Identifier 10.1109/ACCESS.2021.DOI
ABSTRACT The increasing popularity of Internet of Things (IoTs) is making people universally connected
and thus bringing the ease of life. Because of their sheer volume, weak security, and continual operation,
IoT devices, along with many computer servers, are widely compromised to launch powerful distributed
denial-of-service (DDoS) attacks. The emerging link flooding attacks (LFAs) are one type of such attacks
that attract significant attention in both academia and industry against the routing infrastructure. The attack
traffic flows originating from bots (e.g., compromised IoT devices) are deliberately aggregated at upstream
critical links and grow intensified, gradually making a network connected to the critical links disconnected.
Although LFAs are far more sophisticated than traditional DDoS attacks, whether such sophistication
comes without a downside has never been investigated. In this paper, by modeling link flooding attacks
and defenses, we tackle a series of questions concerning the practical issues of LFAs. Specifically, from the
perspective of attacks, we advance a novel notion of strike precision, and reveal that LFAs may exhibit attack
interference (i.e., unexpectedly interfere the connectivity of innocent networks) which might undermine the
stealthiness and persistence of LFAs. From the perspective of defenses, we make the first step to study
attack intention, i.e., inversely inferring the target network to disconnect based on the identified links under
attack. Furthermore, we consider a strong defender who employs traffic engineering to mitigate LFAs, and
formulate the game-theoretic interactions between attackers and defenders. Our formulation demonstrates
that LFAs can be effectively mitigated based on traffic engineering from a game-theoretic perspective. We
also study practical issues of non-cooperative defenses (e.g., light-weight probe deployment, multi-protocol-
based measurement).
I. INTRODUCTION links that constitute the Internet backbone [5]–[7]. LFAs have
The increasing popularity of Internet of Things (IoTs) recently come into practice after attracting the academia for
is making people universally connected and thus bringing years, posing severe threats to large-scale regional networks.
the ease of life. Because of their sheer volume, weak secu- For example, a few links of major Internet exchange points
rity, and continual operation, IoT devices, along with many in Europe and Asia were flooded to disconnect the anti-spam
computer servers, are widely compromised to build botnets service Spamhaus, with up to 300Gb/s traffic of LFAs [8].
and launch powerful distributed denial-of-service (DDoS) LFAs are powerful, formidable and hard to defend against
attacks. The emerging link flooding attacks (LFAs) are one for three major reasons. First, stemming from coordinated
type of such attacks that attract significant attention in both flows between bots and public servers (e.g., web servers)
academia and industry against the routing infrastructure. or among bots, the attack traffic flows are aggregated at a
In contrast to traditional (DDoS attacks that target (end) critical link with a huge amount. As such, a network con-
computer servers [1]–[4], LFAs target (intermediate) critical nected to the critical link will be gradually disconnected, as
VOLUME 4, 2016 1
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
the aggregated attack traffic flows grow intensified. Second, • RQ4: Consider a defender who employs traffic engi-
the disconnected network, though having traditional DDoS neering to mitigate LFAs, how to formulate the inter-
countermeasures deployed at the network perimeter, might actions between attackers and defenders from a game-
be blind to the attack, since the critical link is not within its theoretic perspective?
administrative domain. Last, even for those ISPs who have • RQ5: When traffic engineering is used in defending
the privilege to access the traffic flows crossing the critical against LFAs, how would the attack effect and strike
link, it would be challenging for them to identify the attack precision would be? Can we effectively mitigate LFAs?
traffic flows that are indistinguishable from legitimate ones.
To answer RQ1, we first quantify strike precision, as well
Since the pioneering works of Studer and Perrig [9] and
as strike efficiency. Then, we propose the Strike-Efficiency-
Kang et al. [10], considerable progress has been made to
Oriented (i.e., SEO) flooding strategy for traditional LFAs.
thwart LFAs, with a focus on detecting and mitigating the
The strategy interrupts more routes by flooding fewer se-
attack [5], [9]–[16]. In all state-of-the-art studies, it is com-
lected links. Following the SEO flooding strategy, we per-
monly believed that LFAs are far more sophisticated than tra-
form traditional LFAs to gain insight into their strike pre-
ditional server-targeted DDoS attacks by design. Neverthe-
cision. To tackle RQ2, taking into account the attack in-
less, whether such sophistication comes without a downside
terference induced by attacking each link, we propose the
has never been investigated.
Strike-Precision-Aware Hybrid (i.e., SPAH) flooding strat-
In this paper, by modeling link flooding attacks and de-
egy, for impeding the attack toward links with more severe
fenses, we tackle a series of questions concerning the prac-
attack interference while achieving larger strike efficiency.
tical issues of LFAs. Specifically, we advance the notion of
To address RQ3, we construct a mapping from the target
strike precision of LFAs, and reveal that LFAs may exhibit
networks to the sets of target links to effectively infer the
attack interference which might restrict their applicability
target networks from the set of target links under attack.
from the adversary’s standpoint. More precisely, when the
Finally, we demystify RQ4 and RQ5 from a game-theoretic
adversary aims at disconnecting a specific network (e.g., N )
perspective. To answer these questions, all experiments are
via attacking a critical link l, the connectivity of the networks
conducted using real-world traceroute data.
surrounding N (e.g., N̄ ) might be interfered (i.e., attack in-
terference), in whole or in part, depending on the connectivity We have substantially extended our previous conference
importance of l for N̄ . Due to attack interference, strike paper [17], which only focuses on RQ1 and RQ2, to include
precision of LFAs would be lowered in the sense that LFAs, three more research questions, i.e., RQ3, RQ4, and RQ5. Ad-
while disconnecting a network, may unexpectedly interfere ditionally, we study practical issues of non-cooperative de-
the connectivity of some innocent networks nearby. fenses (e.g., lightweight probe deployment, multi-protocol-
At first glance, the adversary lacks interest in attack in- based measurement) and perform more experiments for RQ1
terference. For a terrorist adversary interested in mass de- and RQ2. To our best knowledge, we are the first to advance
struction, it is true. However, for a rational adversary in the notion of strike precision and attack intention, and study
consideration of attack stealthiness and persistence, it is not attack intention for LFAs. Moreover, we design a series of
true. The reason is that attack interference tends to incentivize models to systematically study the questions under investiga-
different victim networks to collaborate in defending against tion. Our contributions are summarized below.
LFAs. Such collaboration is an effective countermeasure • We quantify strike precision, as well as strike efficiency.
against LFAs, since it increases individual networks’ visi- Our quantification sheds light on a new angle of un-
bility of coordinated attack traffic flows. The severer attack derstanding LFAs, potentially fostering more research
interference is, the stronger the incentive is. Therefore, for concerning the practical aspects of LFAs.
a rational adversary, attack interference and strike precision • Combining the greedy algorithm and the genetic algo-
would be big concerns, especially in the long run. rithm, we propose the Strike-Efficiency-Oriented (SEO)
From the perspective of attacks, we attempt to answer the flooding strategy for LFAs, for interrupting more routes
following research questions: by flooding fewer selected links. Following the SEO
• RQ1: To what extent does attack interference exist, and flooding strategy, we perform LFAs to gain insight
how do they affect strike precision, in traditional LFAs into their strike precision. The experiments suggest that
that only seeks strike efficiency, i.e., interrupting more attack interference is pervasive and significantly lowers
routes (destined to N ) by flooding fewer selected links? strike precision of LFAs.
• RQ2: What are the main factors affecting attack in- • Taking into account attack interference induced by at-
terference and strike precision? Can adversaries reduce tacking each link, we propose the SPAH flooding strat-
attack interference and increase strike precision? egy, for impeding the attack toward links with more
From the perspective of defenses, we are interested in the attack interference while achieving larger strike effi-
following research questions: ciency. The experiments show that our strategy can
• RQ3: Given the identified target links that the adversary substantially increase strike precision.
attacks, how to infer the target network that the adver- • From the perspective of defenses, we make the first step
sary would like to disconnect (i.e., attack intention)? to study attack intention, i.e., inversely inferring the
2 VOLUME 4, 2016
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
parallel links
legitimate bot target link target area
deployed by TE
senders target link
public servers target area
bot target link
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
We have three remarks on strike efficiency and strike pre- repeats until |R0N |/|RN | approaches a pre-specified goal ∇,
cision. First, to evaluate LFAs comprehensively, both strike or |L0N | reaches the budget of the number of selected links Φ.
efficiency and strike precision should be measured, whereas
existing studies neglect the latter. Second, for attack stealthi- 2) Advanced Strike-Efficiency-Oriented (A-SEO) Strategy
ness and persistence, a rational adversary tends to seek larger To further improve strike efficiency achievable by the N-
strike efficiency while ensuring higher strike precision. Third, SEO strategy, we devise the A-SEO strategy in Algorithm 2
strategically deriving L0N is the core to achieve larger strike to drive L0N using the genetic algorithm. Specifically, the A-
efficiency and higher strike precision. SEO strategy initializes n different genes of the first genera-
Next, we propose different link flooding strategies in con- tion. A gene is a binary vector indicating and corresponding
sideration of strike efficiency and strike precision. Determin- to a set of selected target links. We denote the function that
ing link flooding strategies are essentially to strategically transforms the former to the latter by gene2set(), while the
derive L0N by setting different priorities for strike efficiency latter to the former by set2gene(). All genes are constructed
and strike precision. based on LN , differing from each other in the subset of
selected target links (i.e., L0N ). Particularly, among all the
B. LINK FLOODING ATTACK STRATEGIES initialized genes, one gene is obtained according to the L0N
When strategically deriving L0N , traditional adversaries in derived by the N-SEO strategy, while each of the remaining
LFAs seek high strike efficiency. We, accordingly, present genes is generated according to randomly generated L0N .
two strike-efficiency-oriented (SEO) strategies, namely, the Constituting the first generation, the set of initialized n
naive SEO strategy and the advanced SEO strategy that different genes, denoted by G1 , evolve from generation to
further improves strike efficiency of the naive one. Also, generation, forming a sequence of generations G1 , G2 , G3 , . . ..
for rational adversaries concerning strike precision, we pro- The evolution consists of selection, crossover, and muta-
pose the strike-precision-aware hybrid strategy. The proposed tion. Selection is for retaining better genes in each generation
strategy impedes the attack toward links with more severe via roulette-wheel selection [22]. That is, probabilistically
attack interferences while achieving larger strike efficiency. selecting a gene, say g, among n different genes in each
generation, and a gene with a larger value of strike efficiency,
1) Naive Strike-Efficiency-Oriented (N-SEO) Strategy say SE(g), should be assigned a larger selection probability.
Traditional adversaries heuristically derive L0N (i.e., the set In the early generations, SE(g) varies to a wide extent.
of selected target links to clog) greedily [10]. They calculate Hence, assigning g with a larger value of SE(g) a larger
|R0N |/|RN | to quantify the degradation severity of the attack selection probability is easy. However, as generations evolve,
against N . The N-SEO strategy is detailed in Algorithm 1. the value of SE(g) tends to become closer to each other,
resulting in similar selection probabilities between genes.
Algorithm 1: Naive strike-efficiency-oriented strategy. To signify the discrepancy of selection probabilities between
Input: RN , LN , ∇, Φ genes, we assign g in Gj a selection probability of Stoffa-
Output: L0N SE j (g) (SSE j (g)) using the Stoffa method [23]. SSE j (g)
L0N = ∅, R0N = ∅;
for l ∈ LN do is calculated as follows:
calculate R0N (l);
eSE(g)/Tj
end for SSE j (g) = Pn SE(g)/T , (3)
i=1 e
j
while |R0N |/|RN | < ∇ do
l = arg maxl∈LN \L0 δl (L0N );
N Tj = 0.99j−1 T1 , (4)
if |L0N | = Φ then
break; where j = 1, 2, 3, . . . represents the sequence number of
end if generations, and Tj is the temperature of the jth generation.
L0N = L0N ∪ {l}; Crossover and mutation are leveraged to achieve cross-
R0N = R0N ∪ R0N (l); generation gene improvement. The self-adaptive genetic
for l ∈ LN do
calculate R0N (l); (SAG) algorithm is employed to adaptively adjust Pc (gk , gq )
(i.e., the probability of crossover between gk and gq acquired
end for via roulette-wheel selection), Pm (g) (i.e., the probability of
end while mutation of g). Specifically, when the value of SSE(g)1
becomes homogeneous, Pc (gk , gq ) and Pm (g) defined below
In the N-SEO strategy, adversaries iteratively select a new should be increased and otherwise decreased [24] [25].
link l ∈ LN \ L0N maximizing the reward gain, δl (L0N ) = ( 0 avg
|R0N (L0N ∪ {l})|/|RN | − |R0N (L0N )|/|RN |, and insert l P −(Pc1 −P c2 )(SSE −SSE )
, SSE 0≥SSE avg ,
Pc (gk , gq )= c1 SSE max −SSE avg
into L0N . Here, R0N (·) is a function calculating the set of Pc1 , SSE 0 < SSE avg ,
interrupted routes to N due to clogging a set of links. Note (5)
that we recalculate R0N (l) for each l after removing the link 1 Unless otherwise stated, we remove the subscript j representing the
with maximum reward gain at each iteration. This process number of generations for the simplicity of representation.
VOLUME 4, 2016 5
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
TABLE 1: The values of O(N1 , N2 ) for each combination of reward rp . Then, the attacker will flood a subset of parallel
N1 and N2 . links L00P ⊆ L0P with a reward r(L00P ) and a cost c(L00P ).
N1
Therefore, the overall gain of the attacker becomes
CH SG TW JP HK
N2
CH 1 0 0 42.86% 0
G1 =r(L0N ) + c(L0N ) + r(L0N ) + r(L0X )
(11)
SG 0 1 4.76% 14.29% 14.29% +c(L0X ) + i(L0X ) + cp + r(L00P ) + c(L00P ).
TW 0 7.69% 1 7.69% 7.69%
JP 15.00% 15.00% 5.00% 1 10.00%
HK 0 16.00% 4.00% 8.00% 1 Apparently, attempting to flood all the parallel links is the
optimal strategy for the adversary. If the adversary tries to
flood a new set of links, defenders will be able to detect
In TABLE 1, we measure O(N1 , N2 ) for each combi- the adversary’s attack intention and use traffic engineering
nation of target networks when attackers use the N-SEO to protect the new set of flooded links. In such a case, the
strategy. The overlap for any combination of different target adversary will never degrade the Internet connection.
networks is small. Only a small number of anchor target links Given L0P , the adversary chooses L00P ⊆ L0P that maximize
for the innocent networks will be flooded when adversaries Equation (11). Formally, L00P will be
are attacking the intended network. Therefore, we can easily
infer the target network accordingly by monitoring the anchor L00P = arg max{r(L0N ) + c(L0N ) + r(L0N )+
L00 (12)
target links. According to the mapping, the set of target links P
are unique for a specific target network. Assume the attacker r(L0X ) + c(L0X ) + i(L0X ) + cp + r(L00P ) + c(L00P )}.
only attacks a target network at a time. If most of the links in a
set of the target links are flooded, we can figure out the target The defender should choose a set of links L0P ⊇ L00P to
network. We also measure O(N1 , N2 ) for the SPAH strategy, deploy traffic engineering. Therefore, L0P should be
and find that for each combination of N1 and N2 , O(N1 , N2 )
equals 0. Therefore, there is no overlap of the target links for L0P = arg max{rd (L0N ∪L0X )+cd (L0N ∪L0X )+rt (L0P )
L0P (13)
the SPAH strategy. As a consequence, one can easily figure
out the target network for the SPAH strategy. + ct (L0P ) + it (L0P )}.
B. A GAME-THEORETIC FORMULATION OF LINK Initially, the adversary should choose a set of target links
FLOODING ATTACKS AND DEFENSES L0N and a set of links beyond the intended ones L0X to
We formally design the link flooding attack and defense congest. Considering the traffic engineering that a defender
game. As for attackers, they will select a set of target links will use, the adversary would choose links with fewer parallel
L0N to congest. By congesting these links, attackers will links to attack. To seek such links along with strike efficiency,
obtain a reward r(L0N ) at the cost of c(L0N ) due to renting we propose the LPSE strategy in Algorithm 4. Specifically,
bots. Attackers will also endure a loss i(L0N ) brought by we maximize SE and minimize L0P . Adversaries iteratively
attack interference. Attackers will attack a set of links L0X select a link l ∈ LN \ L0N maximizing the reward gain,
besides the intended ones, which brings their corresponding θl0 (L0N ) = (|R0N (L0N ∪ {l})| − |ε ∗ LP (L0N ∪ {l})|) −
r(L0X ), c(L0X ), i(L0X ). The overall gain of the attacker will (|R0N (L0N )| − |ε ∗ LP (L0N )|), where LP (·) calculates the
be formulated as number of parallel links and ε denotes a parameter defenders
choose to maximize his gain. This process repeats until
G1 =r(L0N ) + c(L0N ) + r(L0N )+ |R0N |/|RN | approaches a pre-specified goal ∇, or |L0N |
(9) reaches the budget of the number of selected links Φ.
r(L0X ) + c(L0X ) + i(L0X ).
For attackers who are concerned about both attack in-
Defenders, on the other hand, will use a cost cd (L0N ∪ L0X ) terference and traffic engineering deployed by defenders.
to detect the flooded links. Successfully detecting the flooded They will design an attack strategy to maximize SE, and
links will assign the defender a reward rd (L0N ∪ L0X ). To minimize L0P and AI. To seek such goals, we propose the
tackle the LFAs, the defender will perform traffic engineering LP-SPAH strategy in Algorithm 5. Adversaries iteratively
to reroute attack traffic to a set of links L0P . The defender select a link l ∈ LN \ L0N maximizing the reward gain,
can obtain a reward rt (L0P ) and a cost ct (L0P ). Traffic engi- θl00 (L0N ) = (|R0N (L0N ∪ {l})| − |ε ∗ LP (L0N ∪ {l})| −
neering may also introduce attack interference it (L0P ) to the |R0N̄ (L0N ∪ {l} ∪ LP (L0N ∪ {l}))|) − (|R0N (L0N )| − |ε ∗
innocent areas. The overall gain of the defender equals LP (L0N )| − |R0N̄ (L0N ∪ LP (L0N ))|). Replacing θl0 (L0N ) with
G2 =rd (L0N ∪ L0X ) + cd (L0N ∪ L0X ) + rt (L0P ) θl00 (L0N ) will generate the LP-SPAH strategy.
(10)
+ ct (L0P ) + it (L0P ).
Note that the defender will use traffic engineering to miti-
The attacker needs to pay a cost cp on probing the network gate the congestion. For the defender, the best response is to
to figure out the traffic engineering method that the defender choose a set of links L0P that satisfy Equation (13) to perform
deployed. The probing results will provide the attack with a traffic engineering. For the adversary, the best action is to
VOLUME 4, 2016 7
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
Algorithm 4: Least Parallel Links and Maximize Strike A feasible defense strategy against LFAs is to carry out
Efficiency. long-term monitoring of the status of target links. However,
Input: RN , LN , ∇, Φ it is difficult to observe the status of a target link separately.
Output: L0N As a consequence, we need to indirectly infer whether a link
L0N =∅,R0N = ∅ ;
for l ∈ LN do is under attack by measure the network path consisting of
calculate R0N (l) ; that link. Since a path normally contains many routers that
cannot be directly controlled, we monitor a path through non-
end for
while |R0N |/|RN | < ∇ do cooperative measurement methods. Moreover, because there
l = arg maxl∈LN \L0 θl0 (L0N ); are many paths around the target network and the links of
N
if |L0N | = Φ then different paths are redundant, the efficiency of monitoring all
break; paths is extremely low and will cause a large measurement
end if overhead. Therefore, we design a lightweight and effective
L0N = L0N ∪ {l}; scheme that enables defenders to quickly select the most
R0N = R0N ∪ R0N (l); valuable paths for monitoring.
for l ∈ LN do
calculate R0N (l);
A. LIGHTWEIGHT PROBE DEPLOYMENT
end for A conventional approach for performing non-cooperative
end while network measurement is to deploy many distributed probes
that may be highly dispersed in various locations. These
Algorithm 5: Least Parallel Links and Maximize Strike distributed probes have IP addresses of different networks,
Efficiency.
thereby offering plenty of measurement vantage points. How-
ever, deploying distributed probes is rather cost-intensive
Input: RN , LN , ∇, Φ
Output: L0N due to the high cost of renting and maintaining servers. To
L0N =∅,R0N = ∅ ; address such a limitation, we propose a lightweight probe
for l ∈ LN do deployment approach based on the dynamic virtual private
calculate R0N (l) ;
server (VPS). The dynamic VPS can continuously switch
end for IP addresses in different regions through keeping dialing-up
while |R0N |/|RN | < ∇ do repeatedly using just a single physical machine flexibly and
l = arg maxl∈LN \L0 θl00 (L0N );
if |L0N | = Φ then
N randomly.
break; Our experimental results show that a dynamic VPS in
China can randomly switch IP addresses in 26 provinces,
end if
L0N = L0N ∪ {l};
including 181 cities. We deploy shell scripts on the dynamic
R0N = R0N ∪ R0N (l); VPS to periodically obtain new IP addresses and save the
for l ∈ LN do results to the database. The experiment lasted 335 days and
calculate R0N (l);
obtained a total of 715,612 unique IP addresses. Based on the
end for above finding, we propose s a method of topology discovery
end while based on dynamic VPS. Using dynamic VPS, we can obtain
a large number of highly dispersed IP addresses easily and
quickly. These IP addresses will be used as the probe host
for topology discovery, and their distribution will affect the
maximize his reward considering the traffic engineering that
coverage and redundancy of network topology discovery
will be used on the links. That is,
performance.
(L0N , L0X ) = arg max{r(L0N ) + c(L0N ) + r(L0N )+ In practice, since the IP address pool of a dynamic VPS
(L0N ,L0X ) (14) is generally composed of IP addresses in different cities, it
r(L0X ) + c(L0X ) + i(L0X )}. is necessary to sample the approximate distribution of IP
addresses for a period of time in advance. Then, we need
VI. PRACTICAL ISSUES OF NON-COOPERATIVE to assign corresponding measurement targets to the dynamic
DEFENSES VPS based on the distribution of the IP addresses. When
The attack target of LFAs is the key links around the target performing topology discovery using the dynamic VPS, we
network area. Attackers control a large number of zombies to adaptively adjust the corresponding target IP address (where
access public servers around the target network area, congest the measurement packets are destined) according to the IP
the critical links along the access paths, and ultimately cut address of the dynamic VPS (where the measurement packets
off the connection between legitimate users and the target originate) and the historical measurement results. In this way,
network area. In order to achieve such a goal, attackers first the efficiency of topology discovery could be improved and
need to get the topology around the target network and figure link redundancy could be reduced.
out the critical links. To be more specific, every time when the IP address of the
8 VOLUME 4, 2016
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
represents the larger fitness value of the two genes to cross, ment method based on Linkscope [5] so to enhance the
0
and f represents the fitness value of the gene to mutate. k1 , measurement robustness.
k2 , k3 , and k4 are constants satisfying k1 < k2 , k3 < k4 . The The measurement method we use is based on the packet
adaptive cross-mutation probability setting allows genes with train, i.e., a sequence of back-to-back packets. By sending a
low fitness to have a higher probability of evolution. The path packet train, we can estimate the status of the links along
selection based on the improved genetic algorithm is detailed a path based on the characteristics of response times. In
in Algorithm 7. addition, since the size of the packet train in our experiment
is less than 50Kb, the amount of the measurement traffic is
small. As a consequence, the measurement introduces limited
Algorithm 7: The Improved Genetic Algorithm for Path overhead, hence suitable for long-term deployment.
Selection As shown in FIGURE 6, our packet train is composed
Input: Dict
Output: Path num
of measurement packets and load packets, which are rep-
function GetMinPathNum(Dict) resented by colored and shaded boxes, respectively. The
for srcDst in Dict do measurement packet supports multiple protocol types, in-
for link in Dict[srcDst] do
if link not in linkDictNum then
cluding TCP, UDP, and ICMP. The Time-to-Live (TTL) of
linkDictNum[link] = 0 the measurement packet increases symmetrically from both
linkDictNum[link] += 1 sides to the center of the train. Every time the packet train
end if
passes through a router, a pair of response packets will be
end for
triggered. Using these response packets, we can estimate
end for
linkSet = set(linkDictNum.keys())
the available bandwidth of each link along the path. In
initPopulation = calFixedInitPopulation(cnt = 40) addition, because different networks may differ in packet
curPopulation = list(initPopulation) filtering rules, packet train designed based on multiple pro-
while gIndex <= 100 do
selectPopulation, persistList = genSelect(curPopulation, tocols can adapt to sophisticated network environments. By
allNum, persistNum, gIndex) default, we use the SYN connection request packet as TCP-
cMaxFitness = 0 based measurement packet, DNS request packet as UDP-
cSumFitness = 0
for i in xrange(len(selectPopulation)) do based measurement packet, and ICMP echo request packet
cl, cp, cProfit = calProfit(selectPopulation[i]) as ICMP-based measurement packet.
if cProfit > cMaxFitnes then
cMaxFitness = cProfit Using the multi-protocol-based link measurement method,
we measure the selected path so to be aware of critical links
end if of target network. Once an attacker launches an attack against
cSumFitness += cProfit
end for a critical link, the defender could perceive the location of
cAvgFitness = cSumFitness/len(selectPopulation) attacked link and in turn take defensive strategies based on
crossover(selectPopulation, cMaxFitness, cAvgFitness) the defense model in Sec. V.
mutation(selectPopulation, cMaxFitness, cAvgFitness)
for top in persistList do
selectPopulation.append(top) VII. EXPERIMENTS
end for A. DATASET PREPARATION
curPopulation = copy.deepcopy(selectPopulation) We perform traceroute from source (Planetlab) servers
gIndex += 1
distributed all over the world to target (public) servers in five
end while
for gene in curPopulation do regional networks. FIGURE 7 shows the locations of these
finalProfitList.append((calProfit(gene))); servers. There are totally 81 source servers (40 in US, 7 in
China, 5 in Canada, 4 in Australia, 4 in Brazil, 3 in Germany,
end for
finalProfitList.sort(key = lambdax : x[-1], reverse = True) and 18 in others), and 4,843 target servers (1048 in E, 962 in
return len(finalProfitList) C, 957 in B, 942 in A, 934 in D). The entire dataset consists
of more than 1.2 × 106 routes and 1.2 × 106 links.
We consider part of the networks in five different regions
C. MULTI-PROTOCOL-BASED LINK MEASUREMENT as intended victim networks, namely, SubA in A, SubB in B,
Through path selection, we obtain a set of paths to monitor. SubC in C, SubD in D, subE in E, and the remaining part
Then, the real-time status of each path and link could be ob- as innocent victim networks (e.g., the network in A except
served via non-cooperative measurement. Non-cooperative SubA). In each attack, the adversary aims to disconnect
measurement means that the deployment of measurement one intended victim network by selecting target links to
tools are required to be only single-ended, hence drastically clog through the N-SEO strategy, the A-SEO strategy and
reducing the deployment overhead. However, when perform- the SPAH strategy. In the N-SEO strategy and the SPAH
ing non-cooperative measurement, protocols like ICMP may strategy, we assume Φ = |LN |. In the A-SEO strategy, we
be dropped by some intermediate routers or end servers. set Pc1 = 0.9, Pc2 = 0.6, Pm1 = 0.1, Pm2 = 0.001.
Therefore, we propose a multi-protocol-based link measure-
VOLUME 4, 2016 11
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
T1 U1 I1 … … I1 U1 T1 T2 U2 I2 … … I2 U2 T2 Th Uh Ih … … Ih Uh Th
Initial packet train After passing 1st router Reach the target host
……
TR UR IR IR UR TR TR UR IR IR UR TR
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
SubE
AI
AI
AI
0.4 0.4 0.4
SP
SP
0.70 0.70 0.80
0.65 0.65
0.75
0.60 0.60
0.55 0.55 0.70 SubA SubB SubC
0.50 0.50
0.65 SubD SubE
0.45 0.45
0.40 0.40 0.60
50 60 70 80 90 100 50 60 70 80 90 100 50 60 70 80 90 100
0.7 0.6
0.6 0.5
0.5 0.4
AI
AI
0.4 0.3
0.3 0.2
0.2 0.1
0.1 0.0
50 60 70 80 90 100 50 60 70 80 90 100
(a) N-SEO strategy (42 links) (b) SPAH strategy (59 links) (a) attack A&C (b) attack A&B
0.6 0.6
A&B A&C
FIGURE 10: The locations of selected target links via dif- 0.5
0.4
0.5
0.4
A&D A&E
AI
0.3 0.3
0.1 0.1
0.0 0.0
50 60 70 80 90 100 50 60 70 80 90 100
1600 1000
Percent of Interrupted Routes Percent of Interrupted Routes
1400
# of target links
800
# of target links
# of target links
1400
1200 1200
attacks than the AI in FIGURE 13. This is because at-
1000 attack sim 1000 tacking multiple targets simultaneously requires more target
800 attack seq 800
600 600 links than attacking only one target. The extra target links
400 400 result in more severe attack interference for the innocent
200 200
0
50 60 70 80 90 100
0
50 60 70 80 90 100
networks. When adversaries launch LFAs to multiple targets,
Percent of Interrupted Routes Percent of Interrupted Routes the attack also leads to more severe attack interference for
(c) attack A&D (d) attack A&E the innocent networks. More severe attack interference tends
to incentivize the victim networks to collaborate with the
FIGURE 11: The number of target links when attacking two innocent networks in defending against LFAs. As shown in
regions simultaneously and sequentially as the percentage of FIGURE 14, the SPAH strategy can effectively reduce the
interrupted routes varies under the N-SEO strategy. (attack attack interference if attackers target one area.
sim: attack simultaneously, attack seq: attack sequentially) We also measure the attack interference when attacking
VOLUME 4, 2016 13
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
AI
AI
AI
AI
0.03 0.20
0.20
0.06 0.06
0.02 0.15 0.15
0.04 0.04 0.10
0.10
0.01
0.05 0.02 0.02 0.05
0.00 0.00 0.00 0.00 0.00
Percent of Interrupted Routes Percent of Interrupted Routes Percent of Interrupted Routes Percent of Interrupted Routes Percent of Interrupted Routes
(a) attack C (b) attack B (c) attack E (d) attack D (e) attack A
FIGURE 13: Attack interference (attacking one region) as the percentage of interrupted routes varies under the N-SEO strategy.
AI
AI
AI
AI
0.03 0.06 0.20
0.2 0.06
0.15
0.02 0.04
0.04 0.10
0.1
0.01 0.02 0.02
0.05
0.0 0.00 0.00
0.00 0.00
Percent of Interrupted Routes Percent of Interrupted Routes Percent of Interrupted Routes Percent of Interrupted Routes Percent of Interrupted Routes
(a) attack C (b) attack B (c) attack E (d) attack D (e) attack A
FIGURE 14: Attack interference for other (innocent) regions when attacking one region under the SPAH strategy.
0.8 0.24
0.7 0.35
0.21
0.7
0.18
0.6 0.30
0.6 0.15
AI
AI
0.5 0.12
AI
AI
0.25
0.5 0.09
0.4 0.20 0.06
0.4
0.03
0.3
0.15
0.3 0.00
0.2
50 60 70 80 90 100 50 60 70 80 90 100
50 60 70 80 90 100 50 60 70 80 90 100
Percent of Interrupted Routes Percent of Interrupted Routes Percent of Interrupted Routes Percent of Interrupted Routes
(a) attack A&C (b) attack A&B (a) attack A&C (b) attack A&B
0.20
0.8 0.7 0.24
SubA SubB
0.18
0.7 0.6 SubC SubD 0.20 0.16
SubD
0.14
0.5 0.16
0.6 0.12
AI
AI
AI
AI
Percent of Interrupted Routes Percent of Interrupted Routes Percent of Interrupted Routes Percent of Interrupted Routes
(c) attack A&E (d) attack A&D (c) attack A&E (d) attack A&D
FIGURE 15: Attack interference for surrounding regions FIGURE 16: Attack interference for surrounding regions
when attacking two regions simultaneously as the percentage when attacking two regions simultaneously as the percentage
of interrupted routes varies under the NSEO strategy. of interrupted routes varies under the SPAH strategy.
two regions simultaneously under the SPAH strategy. In FIG- increases, SE drastically decreases. Compared with the N-
URE 16, the innocent networks are the networks surrounding SEO strategy, the A-SEO strategy has a higher value of SE.
the target network. For example, if attackers intend to attack However, the strike efficiency of the SPAH strategy is just
SubA and SubC, the complement part in A and C are the slightly lower than that of the SEO strategy. Since the SPAH
victim networks. According to our results in FIGURE 15, the strategy takes both strike precision and strike efficiency into
SPAH strategy has less attack interference than the N-SEO account, it achieves high strike precision without signifi-
strategy. In FIGURE 17, the innocent networks are all the cantly lowering strike efficiency.
available networks except the target networks. For example, We also measure strike efficiency (SE) over |R0N |/|RN |
if attackers intend to attack A and C, the networks in SubE, under different strategies for flooding multiple targets. As
B and D are the victim networks. shown in FIGURE 19, the N-SEO strategy performs better
than the SPAH strategies when attacking multiple targets.
C. MEASURING STRIKE EFFICIENCY UNDER However, when the attacker intends to interrupt over 80% of
DIFFERENT STRATEGIES routes to the target areas. The SPAH strategy performs as well
We measure strike efficiency (SE) over |R0N |/|RN | under as the N-SEO strategy.
different strategies. The result is shown in Figure 18. Combining the results above, we have the following con-
For all strategies, as the percentage of interrupted routes clusions. First, according to FIGURE 8 and FIGURE 9, on
14 VOLUME 4, 2016
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
0.05 0.04
LFAs may also congest the succeeding links of the target
0.04
0.03
0.03
link. To figure out the scale of the congested links in the next
0.02
AI
AI
0.02 hop and their corresponding attack effect, we calculate the
0.01
0.01
0.00
percentage of interrupted routes if the succeeding links are
0.00
50 60 70 80 90 100 50 60 70 80 90 100
congested. In FIGURE 22, we assume if 60%, 70%, 80%,
Percent of Interrupted Routes Percent of Interrupted Routes 90% of routes of the target link traverses the succeeding
(a) attack A&C (b) attack A&B link, the succeeding link is congested. In such a scenario, the
0.08
0.07
0.07
A&B A&C corresponding attack effect is shown in FIGURE 22.
0.06 A&D A&E
0.06
0.05
0.05 We measure the percentage of interrupted routes when
0.04
flooding parallel links, and the corresponding attack interfer-
AI
AI
0.04
0.03
0.03
0.02
0.02
0.01 0.01
ence is shown in FIGURE 23. We find that re-routing flows to
0.00
50 60 70 80 90 100
0.00
50 60 70 80 90 100
parallel links can effectively relieve the congestion and lead
Percent of Interrupted Routes Percent of Interrupted Routes to no significant attack interference to the target networks.
(c) attack A&E (d) attack A&D
For terrorist adversaries, they may be interested in flood-
ing all parallel links. However, as the attack effect, attack
FIGURE 17: Attack interference for all the other areas when interference and strike efficiency illustrated in FIGURE 24,
attacking two regions simultaneously as the percentage of attackers cannot interrupt more routes but have to endure
interrupted routes varies under the SPAH strategy. more severe attack interference and less strike efficiency
compared with the results in Sec. VII-B and Sec. VII-C.
Therefore, re-routing flows to parallel links can effectively
average, when adversaries interrupt 80% of routes to the in- relieve the congestion.
tended victim network by strategies that only consider strike Considering the traffic engineering that defenders use,
efficiency, attack interference is severe and strike precision is adversaries will choose target links following the LPSE
low. More precisely, by the N-SEO strategy, we have AI = strategy. In FIGURE 25, we measure the attack effect, attack
46.82%, SP = 69.16%, and AI = 40.36%, SP = 72.18% interference and strike efficiency of the LPSE strategy when ε
for the A-SEO strategy. equals 5. Using the LPSE strategy, adversaries can select the
Second, the main factors affecting attack interference and links that have fewer parallel links. Therefore, there are fewer
strike precision include the percentage of routes adversaries parallel links for the defender to choose so to deploy traffic
would like to interrupt (i.e., a larger percentage results in engineering. Meanwhile, adversaries can effectively improve
more attack interference and lower strike precision), the ratio their strike efficiency using the LPSE strategy.
of the size of the intended victim network to that of the For adversaries who are concerned about both attack inter-
innocent victim network (i.e., a larger ratio generally leads ference, the traffic engineering defense and strike efficiency,
to less attack interference and higher strike precision). To they may use the LP-SPAH strategy to launch LFAs. In
lower attack interference and improve strike precision, the FIGURE 26, we measure the attack effect, attack interference
SPAH strategy can be used. On average, when adversaries and strike efficiency of the LP-SPAH strategy. Adversaries
interrupt 80% of routes to the intended victim network by the can lower their attack interference while keeping good attack
SPAH strategy, AI = 13.34%, SP = 91.79%, at the cost of effect and high strike efficiency. We therefore conclude that
slightly more selected links to clog but without significantly the LP-SPAH strategy can effectively help the attacker to
decreasing strike efficiency. launch LFAs in a sophisticated way.
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
800 SubD
800 800
SE
SE
SE
SubE
600 600 600
400
400 400
200
200 200
0
0 0
50 60 70 80 90 100 50 60 70 80 90 100 50 60 70 80 90 100
350
target link
500
300
target area
Interrupted Routes
Interrupted Routes
bot 400
target link 0.24 0.24
Percent of Actual
Percent of Actual
250
SubA SubB
SE
SE
0.21 0.21
300 200
SubC SubD
0.18 0.18
150 SubE
200 0.15 0.15
100
0.12 0.12
100
50
0.09 0.09
0 0 0.06 0.06
50 60 70 80 90 100 50 60 70 80 90 100
0.03 0.03
0.00 0.00
bots
Percent of Interrupted Routes Percent of Interrupted Routes
50 60 70 80 90 100 50 60 70 80 90 100
(a) SPAH strategy (victims: (b) SPAH strategy (victims: Percent of Intended Interrupted Routes Percent of Intended Interrupted Routes
Interrupted Routes
Interrupted Routes
Percent of Actual
Percent of Actual
A&D
500 500 0.28 0.32
by nature
SE
SE
A&E
400 400 0.24 0.28
0.24
public servers
300 300 0.20
0.20
200 200 0.16
100
target link
100
target area 0.12
0.16
0.12
0.08
0.08
50 60 70 80 90 100 50 60 70 80 90 100
0.04 0.04
0.00
bots 0.00
Percent of Interrupted Routes Percent of Interrupted Routes
50 60 70 80 90 100 50 60 70 80 90 100
(c) N-SEO strategy (vic- (d) N-SEO strategy (vic- Percent of Intended Interrupted Routes Percent of Intended Interrupted Routes
tims: all the other areas) tims: surrounding areas) target link
(c) 70% routes congested at the (d) 60% routes congested at the
FIGURE 19: Strike efficiency (SE) as the percentage of succeeding link succeeding link
interrupted routes varies under different strategies. FIGURE 22: Attack effect when congesting a succeeding
link as the percentage of interrupted routes varies.
parallel links
Interrupted Routes
SubA SubB
deployed by TE 0.24
Percent of Actual
50 60 70 80 90 100 50 60 70 80 90 100
the congestion of the target link, but may flood the next link. Percent of Intended Interrupted Routes Percent of Intended Interrupted Routes
str
(a) Attack effect (b) Attack interferencegreedy method im
selected 1,847 paths, including 1,200 unique links. Then, FIGURE 23: Attack effect & interference using existing
we compare the number of paths required to cover different parallel links as the percentage of interrupted routes varies.
numbers of links when the two algorithms are employed or no
algorithms are used (i.e., unprocessed). The specific results
are shown in FIGURE 27. As the figure shows, as the link also increases.It can be found that both the greedy-based and
coverage increases, the number of paths required to measure improved genetic-based path selection algorithms can cover
the specified links with fewer paths, and the improved genetic
algorithm slightly outperforms the greedy algorithm.
0.08
Interrupted Routes
Percent of Actual
SubE
SubD
2) Multi-protocol Measurement Evaluation
0.12
0.04
Linkscope is capable of performing packet pair-based non-
AI
0.09
0.06 0.02
0.03 cooperative measurement to perceive abnormal link perfor-
0.00 0.00
50 60 70 80 90 100 50 60 70 80 90 100
mance changes [5], and the multi-protocol measurement
Percent of Intended Interrupted Routes Percent of Intended Interrupted Routes method proposed in this paper mainly focuses on further
(a) Attack effect (b) Attack interference enhancing its robustness. In our experiment, we use one
host to probe 300 DNS servers, and compare measurement
FIGURE 21: Attack effect & interference using deployed success rates of different protocols by changing the protocol
parallel links as the percentage of interrupted routes varies. type used by the packet train. TABLE 2 shows the results.
16 VOLUME 4, 2016
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
0.95 0.7
500
0.90 0.6 SubA SubB
Percent of
0.85 400
0.5 SubC SubD
0.80
SE
SubE
AI
0.4
0.75 300
0.70 0.3
0.65 200
0.2
0.60
0.1 100
0.55
0.50 0.0
0
50 60 70 80 90 100 50 60 70 80 90 100 50 60 70 80 90 100
Percent of Intended Interrupted Routes Percent of Intended Interrupted Routes Percent of Interrupted Routes
0.8 600
1.00
0.95 0.7
500
SubA SubB
0.90 0.6
SubC SubD
Percent of
0.85 400
0.5
0.80 SubE
SE
AI
0.4
0.75 300
0.70 0.3
0.65 200
0.2
0.60
0.1 100
0.55
0.50 0.0
0
50 60 70 80 90 100 50 60 70 80 90 100 50 60 70 80 90 100
Percent of Intended Interrupted Routes Percent of Intended Interrupted Routes Percent of Interrupted Routes
450
1.00
0.6
0.95 400
SubA SubB
0.90 0.5 350
SubC SubD
Percent of
0.85 300
0.4 SubE
0.80
250
SE
AI
0.75 0.3
200
0.70
0.2
0.65 150
0.55 50
0.0
0.50
0
50 60 70 80 90 100 50 60 70 80 90 100 50 60 70 80 90 100
Percent of Intended Interrupted Routes Percent of Intended Interrupted Routes Percent of Interrupted Routes
FIGURE 27: Comparison of the number of paths required to cess rate of multiple-protocol measurement is significantly
cover different links. higher than that of single-protocol measurement.
VIII. DISCUSSION
Adversaries can effectively increase the precision when
The success-num in the table refers to the number of performing LFAs via the SPAH strategy. However, such
IPs that can successfully receive the packet train and return precision comes at the cost of lowered strike efficiency. That
response packets. When using Multi-protocol, as long as any is, compared with the SEO strategy, the SPAH strategy has
one of the three protocols can get response packets, it will be to clog more target links in order to interrupt the same
considered as a successful measurement. We see that the suc- number of routes. Fortunately, the number of target links
VOLUME 4, 2016 17
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
is not increased substantially, whereas the precision is im- challenging for rational adversaries in consideration of strike
proved significantly. Furthermore, according to our data, the precision to determine which network to disconnect, since
number of average (traceroute) hops from the target links clogging one link may interfere many other networks.
selected by the SPAH strategy to the intended victim network
equals 6.76, indicating that the attacked links are beyond IX. RELATED WORK
the administrative domain of the intended victim network The layered architecture of the Internet enables various
and thus defending these links against the attack remains types of connectivity structures [27]. CAIDA’s Archipelago
difficult. We, therefore, envision that there is a tendency that project [28] and DIMES [29] measured the router-level
adversaries take into account strike precision when perform- Internet topology via traceroute. Kang et al. analyzed the
ing LFAs for attack stealthiness and persistence. Terrorist pervasiveness of routing bottlenecks in 15 countries and 15
attackers may deploy LFAs by Mirai or other IoT botnets to cities around the world. Albert et al. [30] showed that if
launch LFAs in a more powerful and sly way. By combining an adversary disables 4% of the highly connected routers,
the pervasiveness of IoT devices and the slyness of LFAs the entire Internet will be broken up into small isolated
concerning attack interference, defenders can design LFAs pieces. However, later work by Magoni [31] and Wang et
that is more challenging to defend against. By analyzing the al. [32] concluded that breaking the entire Internet may not be
behaviors of the TCP traffic, the attackers may use to launch infeasible because of the vast number of routers or links that
congestion, we model the attack stages of the attacker and need to be disconnected. The IoT-originated DDoS attacks
give suggestions for the defenders. have attracted much academic attention. The large volume,
Besides the cost of lowered strike efficiency, seeking strike pervasiveness, and high vulnerability of IoT devices make
precision may lead to the increase of the ratio of the routes IoT devices great threats to Internet security. [33], [34]
crossing the set of selected target links and destined to the Recently, LFAs have gained attention in the literature.
intended victim network to all the routes crossing the set Kang et al. proposed LFAs that can effectively cut off the
of selected target links. Consequently, when coordinating Internet connections of a target area without being detected
attack traffic flows, adversaries have more choices to send [10], [13]. The Coremelt attack could be considered a spe-
attack traffic flows to decoy servers inside the intended victim cial case of LFAs [9]. Since LFAs result in abnormal link
network. In this case, for attack stealthiness and persistence, performance, traditional active link (and path) measurement
rational adversaries would construct attack traffic flows meet- techniques, such as packet pair and packet train, could
ing two requirements. First, each attack traffic flow, when be- naturally facilitate the detection of LFAs. To apply these
ing inspected separately, is indistinguishable from legitimate techniques in detecting LFAs, LinkScope employs both end-
flows. Second, these attack flows should exhibit diversity to-end and hop-by-hop measurement to detect the links under
without similar behavioral patterns (e.g., visit different web- such attacks [5], [6].
sites at different times) to evade correlation-based detection. To defend against LFAs, Gkounis et al. showed that both
To defend against rational adversaries in consideration of existing and novel traffic engineering modules can efficiently
strike precision, one solution is to monitor the performance expose the attack. They implemented a defense prototype
(e.g., available bandwidth) of the set of links selected by using simulation mechanisms and evaluated it extensively
the SPAH strategy in real time and trigger warnings upon on multiple real typologies [16]. Attacks by cost-sensitive
anomaly occurs [6]. Defenders can also employ traffic en- attackers try to fully utilize the bots’ upstream bandwidth.
gineering methods to defend against LFAs. According to our Kang et al. tackled this root cause that it is sufficient to
results, traffic engineering can effectively help to relieve the perform a rate change test, where they temporarily increased
congestion of target links and help to figure out the intended the effective bandwidth of the bottleneck core link and ob-
attacking target network by only observing the congestion of served the response. Attackers will be detected since they
target links. Due to the strong power of LFAs, we argue that are unable to demonstrably increase throughput after band-
it is still challenging to tackle LFAs using traffic engineer- width expansion. Kang et al. designed a software-defined
ing. Therefore, we model and formulate the game-theoretic network (SDN) based system called SPIFFY that addresses
interactions between the attacker and defenders. key practical challenges in turning this high-level idea into
The experimental results demonstrate traffic engineering a concrete defense mechanism, and provided a practical
can effectively relieve the congestion brought by LFAs and solution to force a trade-off between cost and detectability
help to figure out the intended attacking targets by observing for LFAs [14]. Traffic Engineering methods have also been
the target links. According to our results, defenders should proposed to tackle LFAs, Gkounis et al. propose that Traffic
follow the strategies we propose to deploy their defense. In Engineering can efficiently expose the attack [16]. Liaskos et
addition, from the perspective of routing topology design, al. proposed that by using Traffic Engineering, attackers have
one can also increase the overlapping of the (intermediate) to adopt a suspicious behavior to keep their attack, which
links of different networks, as well as the entropy of the makes themselves reveal their presence [20].
distribution of link importance to different networks. Con- Game theory has also provided a lot of inspiration for
sider the extreme case where all links are equally important defending against LFAs. Ma et al. proposed a randomized
to different networks in terms of connectivity. It would be approach based on Stackelberg security game to optimize
18 VOLUME 4, 2016
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
the LFAs detection methods [35]. Aydeger et al. proposed [13] M. S. Kang and V. D. Gligor, “Routing bottlenecks in the internet: Causes,
a signaling game-based dynamic defense mechanism and exploits, and countermeasures,” in Proc. ACM SIGSAC, 2014.
[14] M. S. Kang, V. D. Gligor, and V. Sekar, “Spiffy: Inducing cost-detectability
prove that it can provide a good level of protection [36]. tradeoffs for persistent link-flooding attacks.” in Proc. NDSS, 2016.
[15] S. B. Lee, M. S. Kang, and V. D. Gligor, “Codef: collaborative defense
X. CONCLUSION against large-scale link-flooding attacks,” in Proc. ACM CoNEXT, 2013.
[16] D. Gkounis, V. Kotronis, C. Liaskos, and X. Dimitropoulos, “On the in-
Despite making considerable research progresses regard- terplay of link-flooding attacks and traffic engineering,” ACM SIGCOMM
ing LFAs, existing studies do not consider attack interference Computer Communication Review, vol. 46, no. 2, pp. 5–11, 2016.
and strike precision which might restrict the applicability [17] J. Peng, X. Ma, J. Li, L. Xue, and W. Hu, “Shoot at a pigeon and kill a
crow: On strike precision of link flooding attacks,” in Proc. NSS, 2018.
of LFAs from the adversary’s standpoint. We take the first [18] M. Pióro and D. Medhi, Routing, flow, and capacity design in communica-
step to take into account these issues, and model LFAs from tion and computer networks. Elsevier, 2004.
both the attack and defense perspectives. For rational adver- [19] S. Balon, F. Skivée, and G. Leduc, “How well do traffic engineering
objective functions meet te requirements?” in International Conference on
saries concerning attack stealthiness and persistence, attack Research in Networking, 2006.
interference and strike precision would be big concerns, [20] C. Liaskos, V. Kotronis, and X. Dimitropoulos, “A novel framework for
especially in the long run. Using real-world traceroute data, modeling and mitigating distributed link flooding attacks,” in Proc. IEEE
INFOCOM, 2016.
we demonstrate that current link flooding strategies that only [21] B. Fortz and M. Thorup, “Internet traffic engineering by optimizing ospf
seek strike efficiency (i.e., interrupting more routes by flood- weights,” in Proc. IEEE INFOCOM, 2000.
ing fewer links) may result in poor strike precision, severely [22] A. Lipowski and D. Lipowska, “Roulette-wheel selection via stochastic
acceptance,” CoRR, vol. abs/1109.3627, pp. 2193–2196, 2012.
interfering the connectivity of the networks surrounding the [23] P. L. Stoffa and M. K. Sen, “Nonlinear multiparameter optimization using
intended victim network. The proposed hybrid strategy im- genetic algorithms: Inversion of plane-wave seismograms,” Geophysics,
proves strike precision significantly at the cost of limited vol. 56, no. 11, pp. 1794–1810, 1991.
[24] J. Jing, M. Li-dong, L. Shu-ling, and J. Lin, “Simulation research based on
degradation of strike efficiency. From the perspective of de- a self-adaptive genetic algorithm,” in Proc. IEEE ICIS, 2010.
fenses, we study attack intention, i.e., inversely inferring the [25] A. K. Qin and P. N. Suganthan, “Self-adaptive differential evolution algo-
attack intention (i.e., the target network to disconnect) based rithm for numerical optimization,” in 2005 IEEE congress on evolutionary
computation, vol. 2. IEEE, 2005, pp. 1785–1791.
on the identified attacked links. Furthermore, we consider a [26] K. Deb and H.-G. Beyer, “Self-adaptive genetic algorithms with simulated
strong defender who employs traffic engineering to mitigate binary crossover,” Evolutionary computation, vol. 9, no. 2, pp. 197–221,
LFAs, and formulate the game-theoretic interactions between 2001.
[27] W. Willinger and M. Roughan, “Internet topology research redux,” ACM
attackers and defenders. Our formulation demonstrates that SIGCOMM eBook: Recent Advances in Networking, 2013.
LFAs can be effectively mitigated based on traffic engineer- [28] Y. Hyun, “Caida monitors: The archipelago measurement infrastructure,
ing from a game-theoretic perspective. Our study also reveals 2009.”
[29] Y. Shavitt and E. Shir, “Dimes: Let the internet measure itself,” ACM
that practical issues such as light-weight probe deployment SIGCOMM Computer Communication Review, vol. 35, no. 5, pp. 71–74,
and multi-protocol-based measurement are important in non- 2005.
cooperative defenses. [30] R. Albert, H. Jeong, and A.-L. Barabasi, “Error and attack tolerance of
complex networks,” Nature, vol. 406, no. 6794, 2000.
[31] D. Magoni, “Tearing down the internet,” IEEE Journal on Selected Areas
REFERENCES in Communications, vol. 21, no. 6, pp. 949–960, 2003.
[1] X. Luo and R. K. Chang, “Optimizing the pulsing denial-of-service [32] Y. Wang, S. Xiao, G. Xiao, X. Fu, and T. H. Cheng, “Robustness of
attacks,” in Proc. IEEE DSN, 2005, pp. 582–591. complex communication networks under link attacks,” in Proc. ACM
[2] ——, “On a new class of pulsing denial-of-service attacks and the de- ICAIT, 2008.
fense.” in Proc. NDSS, 2005. [33] M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein,
[3] Y. Tang, X. Luo, Q. Hui, and R. K. Chang, “Modeling the vulnerability J. Cochran, Z. Durumeric, J. A. Halderman, L. Invernizzi, M. Kallitsis
of feedback-control based internet services to low-rate dos attacks,” IEEE et al., “Understanding the mirai botnet,” in Proc. USENIX Security, 2017.
transactions on information forensics and security, vol. 9, no. 3, pp. 339– [34] C. Kolias, G. Kambourakis, A. Stavrou, and J. Voas, “Ddos in the iot: Mirai
353, 2014. and other botnets,” Computer, vol. 50, no. 7, pp. 80–84, 2017.
[4] C. Wang, T. T. Miu, X. Luo, and J. Wang, “Skyshield: A sketch-based [35] X. Ma, B. An, M. Zhao, X. Luo, L. Xue, Z. Li, T. Miu, and X. Guan,
defense system against application layer ddos attacks,” IEEE Transactions “Randomized security patrolling for link flooding attack detection,” IEEE
on Information Forensics and Security, vol. 13, no. 3, pp. 559–573, 2018. Transactions on Dependable and Secure Computing, 2019.
[5] L. Xue, X. Ma, X. Luo, E. W. Chan, T. T. Miu, and G. Gu, “Linkscope: [36] A. Aydeger, M. H. Manshaei, M. A. Rahman, and K. Akkaya, “Strategic
Towards detecting target link flooding attacks,” IEEE Transactions on defense against stealthy link flooding attacks: A signaling game approach,”
Information Forensics and Security, pp. 2423–2438, 2018. arXiv preprint arXiv:1912.10073, 2019.
[6] L. Xue, X. Luo, E. W. Chan, and X. Zhan, “Towards detecting target link
flooding attack.” in Proc. USENIX LISA, 2014.
[7] X. Ma, J. Li, Y. Tang, B. An, and X. Guan, “Protecting internet infras-
tructure against link flooding attacks: A techno-economic perspective,”
Information Sciences, 2018.
XIN WANG is a master student with MOE Key
[8] P. Bright, “Can a ddos break the internet?” http://goo.gl/oM6XJt, 2013.
[9] A. Studer and A. Perrig, “The coremelt attack,” in Proc. Springer ES-
Lab for Intelligent Networks and Network Secu-
ORICS, 2009, pp. 37–52. rity, Faculty of Electronic and Information Engi-
[10] M. S. Kang, S. B. Lee, and V. D. Gligor, “The crossfire attack,” in Proc. neering, Xi’an Jiaotong University, Xi’an, China.
IEEE S&P, 2013. He received his bachelor’s degree in Computer
[11] T. Hirayama, K. Toyoda, and I. Sasase, “Fast target link flooding attack Science and Technology at China Agricultural
detection scheme by analyzing traceroute packets flow,” in Proc. IEEE University in 2020. His current research focuses
WIFS, 2015. on Internet routing measurement and analysis.
[12] L. Wang, Q. Li, Y. Jiang, and J. Wu, “Towards mitigating link flooding
attack via incremental sdn deployment,” in Proc. IEEE ISCC, 2016.
VOLUME 4, 2016 19
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3131503, IEEE Access
XIAOBO MA is an associate professor with MOE LI FENG received his B.S. and M.S. degrees in
Key Lab for Intelligent Networks and Network electrical engineering from Xi’an University of
Security, Faculty of Electronic and Information Science and Technology, Xi’an, China, in 1997
Engineering, Xi’an Jiaotong University, where he and 2001, respectively and his Ph.D degree in
received a Ph.D. in Control Science and Engineer- Electrical Engineering from the Xi’an Jiaotong
ing in 2014. He was a Post-Doctoral Research University in 2005. He was a visitor at Mi-
Fellow with The Hong Kong Polytechnic Univer- crosoft Research Asia (MSRA) joining the Mi-
sity. He is an XJTU Tang Scholar and a member crosoft Communication Protocols Project (MCPP)
of IEEE. His research interests include Internet from June to August 2004. He is now a senior
measurement and cyber security. research scientist at Center for Dependable and
Secure Computing (CDSC) of Wuhan Digital Engineering Institute (WDEI),
Wuhan, China. He is also a postdoctoral research fellow from September
2007 in Department of Computer Science, Xi’an Jiaotong University, Xi’an,
China. His research interests currently focus on mobile Ad hoc network
and information security. Li Feng is also a member of the IEEE Computer
Society.
JIAHAO PENG was a master student (when fin-
ishing this work) with MOE Key Lab for Intel-
ligent Networks and Network Security, Faculty
of Electronic and Information Engineering, Xi’an
Jiaotong University, Xi’an, China. He received his
master’s degree in Cyber Science and Engineering
in 2021 at Xi’an Jiaotong University. His research
focuses on Internet measurement and security.
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/