| Abstract: |
Link-flooding attacks have the potential to disconnect even entire countries from the Internet. Moreover, newly pro- posed indirect link-flooding attacks, such as “Crossfire”, are
extremely hard to expose and, subsequently, mitigate effec- tively. Traffic Engineering (TE) is the network’s natural way of mitigating link overload events, balancing the load and
restoring connectivity. This work poses the question: Do we need a new kind of TE to expose an attack as well? The key idea is that a carefully crafted, attack-aware TE could force the attacker
to follow improbable traffic patterns, revealing his target and his identity over time. We show that both existing and novel TE modules can efficiently expose the attack, and study the benefits
of each approach. We implement defense prototypes using simulation mechanisms and evaluate them extensively on multiple real topologies. |
