by Gkounis D., Kotronis V., Liaskos C., Dimitropoulos X.
(Access related resources below: )

This work belongs to the NetVolution research track.

On the Interplay of Link-Flooding Attacks and Traffic Engineering [[[gkounis2016interplay]]]

Abstract:  Link-flooding attacks have the potential to disconnect even entire countries from the Internet. Moreover, newly proposed indirect link-flooding attacks, such as “Crossfire”, are extremely hard to expose and, subsequently, mitigate effectively. Traffic Engineering (TE) is the network’s natural way of mitigating link overload events, balancing the load and restoring connectivity. This work poses the question: Do we need a new kind of TE to expose an attack as well? The key idea is that a carefully crafted, attack-aware TE could force the attacker to follow improbable traffic patterns, revealing his target and his identity over time. We show that both existing and novel TE modules can efficiently expose the attack, and study the benefits of each approach. We implement defense prototypes using simulation mechanisms and evaluate them extensively on multiple real topologies. 

In a nutshell

The Crossfire is a new link-flooding attack variant that separates two node areas without directing traffic to any of them, as shown below:

Question: Can we detect the bots and their target, without major changes to the network management? 

Regardless of the cause of link-flooding, the Traffic Engineering (TE) process naturally kicks-in to alleviate the congestion and restore connectivity.

Thus, a cyclic interaction between the network (admin) and the attacker is formed:


The attacker floods a link l1. The defender then re-routes traffic (TE2). The attacker updates the selected decoy servers, flooding link l2. The defender replies with TE3 and the attacker floods link l3, and so on.

Notice that the affected area always contains the target, Thus, the intersection of affected areas will eventually yield the persistent target (and the existence of the attack), regardless of the TE approach.

It is then shown via analysis, simulations and emulations that branch-and-bound TE approaches can also contain the attack within progressively shrinking affected areas. 


  • Crossfire attacks can be exposed in a manner agnostic to the underlying, attack-unaware TE scheme.  
  • Certain attack-aware TE schemes can contain the effects of the attack within a small part of the network, whereas attack-unaware TE may cause network-wide routing changes.


This work was funded by the European Research Council via Grant Agreement no. 338402, project ''NetVolution: Evolving Internet Routing''.

Reference & Resources

Powered by CMSimple| Template:| Login