Mitigating link-flooding attack with segment rerouting in SDN

Abstract

Link-flooding attack (LFA) is a new type of DDoS attack used to flood and congest the crucial network links, which has severely damaged enterprise networks. LFA can be launched by large-scale low-rate legitimate data flows with quite a low cost and is difficult to detect. While target areas in a network can be easily isolated since the crucial links are unavailable. SDN architecture provides new opportunities to address this critical network security problem with its global view of traffic monitoring enabled by the separation of data plane and control plane. Recently, segment routing (SR), which is an evolution of source routing, has been viewed as a promising technique for flow rerouting and failure recovery. Segment routing is a lightweight easy-deployed scheme known for its flexibility, scalability, and applicability. Therefore, in this paper, we try to mitigate LFA with segment rerouting within the SDN architecture. With the comprehensive network-wide view of the data flows and links, we first design a monitoring mechanism to detect LFA based on the availability of the crucial links. Then we use segment routing to detour the congested flows and alleviate the burden on the crucial links. Finally. the LFA bots will be identified and the malicious traffic will be blocked. Sufficient evaluations demonstrate that our LFA defense can efficiently detect LFA and preserve the network services, while only introduce a little signaling overhead between the controllers and data plane.