Optimal filter assignment policy against link flooding attack

Rajorshi Biswas, Jie Wu, Wei Chang, Pouya Ostovari

High-Confidence Computing ›› 2025, Vol. 5 ›› Issue (1) : 100231

Research Articles

Abstract

A Link Flooding Attack (LFA) is a special type of Denial-of-Service (DoS) attack in which the attacker sends out a huge number of requests to exhaust the capacity of a link on the path that traffic takes to a server. As a result, user traffic cannot reach the server, and DoS and degradation of Quality-of-Service (QoS) occur. Because the attack traffic does not go to the victim, it is hard for the victim to protect its legitimate traffic on its own. The victim can protect its legitimate traffic by using a special type of router called a filter router (FR). An FR can receive server filters and apply them to block a link incident to it. An FR probabilistically appends its own IP address to packets it forwards, and the victim uses that information to discover the traffic topology. By analyzing traffic rates and paths, the victim identifies some links that may be congested. The victim needs to select some of these possible congested links (PCLs) and send a filter to the corresponding FR so that legitimate traffic avoids congested paths. In this paper, we formulate two optimization problems for blocking the least number of PCLs so that the legitimate traffic goes through a non-congested path. In the first problem, we consider the scenario where every user has at least one non-congested shortest path. We then extend the first problem to a scenario where there are some users whose shortest paths are all congested. We transform the original problem into the vertex separation problem to find the links to block. We use a custom-built Java multi-threaded simulator and conduct extensive simulations to support our solutions.

Keywords

Botnet / DDoS defense / Quality-of-service / Filter router / Link flooding attack / Network security

Cite this article

Rajorshi Biswas, Jie Wu, Wei Chang, Pouya Ostovari. Optimal filter assignment policy against link flooding attack. High-Confidence Computing, 2025, 5(1): 100231 DOI:10.1016/j.hcc.2024.100231

CRediT authorship contribution statement

Rajorshi Biswas: Conceptualization, Methodology, Software, Validation, Formal analysis, Investigation, Data curation, Writing - original draft, Writing - review & editing, Visualization. Jie Wu: Conceptualization, Methodology, Formal analysis, Investigation, Resources, Writing - review & editing, Supervision, Project administration, Funding acquisition. Wei Chang: Writing - review & editing. Pouya Ostovari: Writing - review & editing.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgment

This research was supported in part by the NSF grants (CNS 1757533, CNS 1629746, CNS 1564128, CNS 1449860, CNS 1461932, CNS 1460971, and IIP 1439672).
