by Liaskos C., Kotronis V., Dimitropoulos X.
(Access related resources below: )

This work belongs to the NetVolution research track.

A Novel Framework for Modeling and Mitigating Distributed Link Flooding Attacks [[[Liaskos2016novel]]]

Abstract:  Distributed link-flooding attacks constitute a new class of attacks with the potential to segment large areas of the Internet. Their distributed nature makes detection and mitigation very hard. This work proposes a novel framework for the analytical modeling and optimal mitigation of such attacks. The detection is modeled as a problem of relational algebra, representing the association of potential attackers (bots) to potential targets. The analysis seeks to optimally dissolve all but the malevolent associations. The framework is implemented at the level of online Traffic Engineering (TE), which is naturally triggered on link-flooding events. The key idea is to continuously re-route traffic in a manner that makes persistent participation to link-flooding events highly improbable for any benign source. Thus, bots are forced to adopt a suspicious behavior to remain effective, revealing their presence. The load-balancing objective of TE is not affected at all. Extensive simulations on various topologies validate our analytical findings. 

In a nutshell

The Crossfire is a new link-flooding attack variant that separates two node areas without directing traffic to any of them, as shown below:

Question: Can we detect the bots and their target, without major changes to the network management? 

Our starting point for answering this question is Traffic Engineering (TE) process, which naturally kicks-in after the attack, to alleviate the congestion and restore connectivity, according to the following stages:


In this work, TE is optimized for attack detection, without altering its load-balancing objective.

The methodology consists in optimizing the flow mapping phase of TE:

The new optimal mapping ensures that a benign flow will have the lowest probability of contributing to a future attack by chance. Therefore, bots are forced to behave improbably over time in order to remain effective.

Internally, a novel analytical framework based on relational algebra is employed to relate bots to susceptible targets. In this aspect, the outlined TE flow mapping maximizes the support of bot-to-target relations, accentuating their presence over time.


  • Introduced a novel framework for studying stealthy DDoS link-flooding attacks. 
  • Goal: Facilitate detection of susceptible bots and targets.
  • Use relational algebra to formulate bot-to-target area relations.
    • Benefit: Ease & scalability of implementation (via standard SQL).
  • Our entry point: the Traffic Engineering (TE) process.
    • Use same inputs, leave TE load-balancing objectives untouched.
    • Detection-optimal mapping of flows-to-paths.
    • Key-idea: keep probable bots targets @ separate paths, then punish persistence.


This work was funded by the European Research Council via Grant Agreement no. 338402, project ''NetVolution: Evolving Internet Routing''.

Reference & Resources

Powered by CMSimple| Template:| Login