C. Liaskos - Personal web page @ UoI


Topic 1 - Execute/Mitigate Link Flooding Attacks in SDN

Abstract:  Link-flooding attacks have the potential to disconnect even entire countries from the Internet. Moreover, newly proposed indirect link-flooding attacks, such as “Crossfire”, are extremely hard to expose and, subsequently, mitigate effectively. Traffic Engineering (TE) is the network’s natural way of mitigating link overload events, balancing the load and restoring connectivity. Thus, an interplay between the attacker and the network TE is formed. This raises the question:

"Can there be a definitive winner, i.e., undetectable attackers or invincible TE schemes?"

Should you accept this mission (:D), you will be given state-of-the-art control over the network flow routing, i.e., you will be working in a Software-Defined Network.

In a nutshell

Crossfire is a new link-flooding attack variant that separates two node areas without directing traffic to either of them, as shown below:

Regardless of the cause of link-flooding, the Traffic Engineering (TE) process naturally kicks in to alleviate the congestion and restore connectivity.

Thus, a cyclic interaction between the network (admin) and the attacker is formed:


The attacker floods a link l1. The defender then re-routes traffic (TE2). The attacker updates the selected decoy servers, flooding link l2. The defender replies with TE3 and the attacker floods link l3, and so on.

Notice that the affected area should contain the target, unless you want to confuse the detector ;) ! Thus, the intersection of affected areas may eventually yield the persistent target (and the existence of the attack).
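The attack-defend cycle above, as an added example that is not part of the assignment or of [1]: on a small constructed topology the attacker floods the middle link of its current route to the target, TE routes around the flooded link as long as the network stays connected, and the detector intersects the affected areas (here defined as the destinations whose routes leave over the congested link in its congested direction). The topology, the "middle link" attacker strategy and the affected-area definition are assumptions for illustration.

```python
from collections import deque

# Constructed toy topology (undirected links); not taken from the assignment.
# b = bot, t = attack target, x/y = ordinary hosts that could serve as decoys.
TOPOLOGY = {
    "b": ["a"], "a": ["b", "c", "d"],
    "c": ["a", "e", "f", "x"], "d": ["a", "e", "f", "y"],
    "e": ["c", "d", "t"], "f": ["c", "d", "t"],
    "t": ["e", "f"], "x": ["c"], "y": ["d"],
}

def routes_from(graph, src, disabled):
    """BFS routing from src over links not in `disabled`; maps node -> (parent, first hop)."""
    tree, queue = {src: (None, None)}, deque([src])
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v in tree or frozenset((u, v)) in disabled:
                continue
            tree[v] = (u, v if u == src else tree[u][1])
            queue.append(v)
    return tree

def route(graph, src, dst, disabled):
    """Current hop-by-hop route src -> dst (dst must be reachable)."""
    tree, hops = routes_from(graph, src, disabled), [dst]
    while tree[hops[-1]][0] is not None:
        hops.append(tree[hops[-1]][0])
    return hops[::-1]

def affected_area(graph, u, v, disabled):
    """Defender's view: destinations whose route from u currently leaves over u->v (assumption)."""
    return {n for n, (_, first) in routes_from(graph, u, disabled).items() if first == v}

def is_connected(graph, disabled):
    return len(routes_from(graph, next(iter(graph)), disabled)) == len(graph)

def attack_defend_cycle(graph, bot, target, max_rounds=10):
    """Attacker floods l_i, TE_{i+1} reroutes, detector intersects affected areas."""
    disabled, suspects, flooded = set(), set(graph), []
    for _ in range(max_rounds):
        hops = route(graph, bot, target, disabled)
        i = (len(hops) - 1) // 2                 # attacker's choice: the middle link (assumption)
        u, v = hops[i], hops[i + 1]
        flooded.append((u, v))
        suspects &= affected_area(graph, u, v, disabled)   # intersection of affected areas
        if not is_connected(graph, disabled | {frozenset((u, v))}):
            return suspects, flooded, True        # TE may not break connectivity: it is stuck
        disabled.add(frozenset((u, v)))          # TE routes around the flooded link
    return suspects, flooded, False
```

On this topology the intersection shrinks to the target after the second round, and in the fourth round TE can no longer route around the flooded link without isolating the target's area.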

Key assumptions
  • If you are on the TE-side, you are free to use source-based flow routing at any time and place in the network. This is allowed by SDN! At any router, you can set "next-hop" routing rules that activate, e.g., when the <source IP>, <source port>, <destination IP>, <destination port> fields of an incoming packet (or any combination thereof) take any value that you see fit. Your only rule: the network must remain connected at all times!
  • If you are on the attacker-side, you have an arbitrary set of bots deployed in the network. You can instruct them to do anything, but you cannot directly alter any routing tables! (But of course you are the master of your bot-puppets! - you can use them as decoys, make false attacks, make the TE react in a way that favors you, etc.). Moreover, when the network starts you know nothing about the network topology (you just know the IP of your attack target)!
Your task
  • Are you practice-inclined and already know a lot about managing real networks?
    • TASK "P": Showcase a rudimentary attack-defend cycle in GNS3: An attacker shall attack, and the network shall defend, locked in a loop. (Keep it simple! Practical networking is tough!)
  • Are you theory-oriented and know how to handle graphs programmatically?
    • TASK "T": Come up with a way to either:
      • i) attack and remain undetected under the detector described in [1].
      • ii) detect attacks faster or with less network changes than [1].
      • validate your solution via simplified simulations (e.g., MATLAB, JAVA, Python).

Pick one task! (If you work as a team, pick both). Complexity and further details to be discussed @ Teams.

Bibliography
  1. D. Gkounis, V. Kotronis, C. Liaskos, X. Dimitropoulos, "On the Interplay of Link-Flooding Attacks and Traffic Engineering", ACM SIGCOMM Computer Communication Review.
  2. C. Liaskos, V. Kotronis, X. Dimitropoulos, "A Novel Framework for Modeling and Mitigating Distributed Link Flooding Attacks", in IEEE INFOCOM'16.
