Detecting Target-Area Link-Flooding DDoS Attacks using Traffic Analysis and Supervised Learning

by Mostafa Rezazad, et al.

A novel class of extreme link-flooding DDoS (Distributed Denial of Service) attacks is designed to cut off entire geographical areas, such as cities and even countries, from the Internet by simultaneously targeting a selected set of network links. The Crossfire attack is a target-area link-flooding attack that is orchestrated in three complex phases. The attack uses a massively distributed, large-scale botnet to generate low-rate benign traffic aimed at congesting selected network links, the so-called target links. The use of benign traffic, combined with the simultaneous targeting of multiple network links, makes detecting the Crossfire attack a serious challenge. In this paper, we present analytical and emulated results showing hitherto unidentified weaknesses in the execution of the attack, such as a correlation between the coordination of the botnet traffic and the quality of the attack, and a correlation between the distribution of the attack and its detectability. Additionally, we identified a warm-up period caused by bot synchronization. For attack detection, we report results from two supervised machine learning approaches, Support Vector Machine (SVM) and Random Forest (RF), used to classify network traffic into normal and abnormal (i.e., attack) traffic. These machine learning models have been trained in various scenarios using link volume as the main feature set.
