Abstract
Crossfire is an indirect, target-area link-flooding Distributed Denial of Service (DDoS) attack: instead of hitting the real target directly, it floods the links shared by the target's neighbors so that the target loses connectivity. Crossfire attacks are gaining traction because their flows look like legitimate traffic, which makes them hard to distinguish and detect. Software Defined Networking (SDN) is a maturing technique valued for its adaptability and programmability. Moving Target Defense (MTD) is an emerging security strategy that counters attacks by continuously changing the attacked surface. Intent-based Networking (IBN) is another promising approach to dynamic network management. IBN-based MTD can provide efficient MTD solutions because of the centralized control and monitoring that intents offer once they are translated into rules inside the SDN control plane. In this paper, a framework for mitigating Crossfire DDoS attacks is proposed that uses intent-based traffic modifications through the Open Networking Operating System (ONOS) REST API together with Domain Name System (DNS) port redirection. We use intent-based MTD to divert traffic from the principal host to virtual shadow hosts. Redirection misleads the attacker into mapping paths towards the shadow host, so the attacker obtains an erroneous view of the network and the Crossfire attack cannot be executed as planned. The proposed technique is simulated using Mininet and the ONOS SDN controller. The results show that traffic is successfully redirected at low computational cost, and Crossfire DDoS is therefore efficiently mitigated.
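The redirection mechanism described above, as an added example that is not the paper's own artifact: it builds ONOS point-to-point intents that rewrite the destination of traffic addressed to the principal host towards a shadow host, adds a DNS (UDP/53) variant that also rewrites the UDP port, and schedules a rotation through several shadow hosts. The JSON shapes follow the ONOS v1 REST intent codecs (PointToPointIntent, selector criteria, L3MODIFICATION/L4MODIFICATION treatment instructions); the device IDs, ports, addresses, the `org.example.mtd` app id, the shadow DNS port and the interpretation of "DNS port redirection" as a UDP_DST rewrite are constructed assumptions. Only `submit_intent` talks to a controller; everything else runs offline.

```python
"""Intent-based traffic redirection to shadow hosts via the ONOS REST API.

Added example, not the paper's artifact. The JSON shapes follow the ONOS
v1 intent/flow codecs (PointToPointIntent, selector criteria, treatment
instructions); the device IDs, ports, addresses, app id and the DNS port
rewrite are constructed assumptions for illustration.
"""
import base64
import json
import urllib.request

# Constructed topology (assumed values): attacker-side traffic enters at
# switch of:...01 port 1, the principal host sits behind of:...02 port 3.
INGRESS = {"device": "of:0000000000000001", "port": "1"}
EGRESS = {"device": "of:0000000000000002", "port": "3"}
PRINCIPAL_IP = "10.0.0.1"
SHADOW_IPS = ["10.0.0.101", "10.0.0.102", "10.0.0.103"]  # virtual shadow hosts
APP_ID = "org.example.mtd"  # assumed application id registered with ONOS


def _selector(dst_ip, ip_proto=None, udp_dst=None):
    """Traffic selector: IPv4 packets to dst_ip, optionally one UDP port."""
    criteria = [
        {"type": "ETH_TYPE", "ethType": "0x800"},
        {"type": "IPV4_DST", "ip": f"{dst_ip}/32"},
    ]
    if ip_proto is not None:
        criteria.append({"type": "IP_PROTO", "protocol": ip_proto})
    if udp_dst is not None:
        criteria.append({"type": "UDP_DST", "udpPort": udp_dst})
    return {"criteria": criteria}


def build_redirect_intent(principal_ip, shadow_ip, ingress, egress,
                          app_id=APP_ID, priority=200):
    """PointToPointIntent: packets addressed to the principal host that enter
    at `ingress` get their IPv4 destination rewritten to the shadow host and
    are delivered at `egress`. ONOS compiles the intent into flow rules."""
    return {
        "type": "PointToPointIntent",
        "appId": app_id,
        "priority": priority,
        "ingressPoint": ingress,
        "egressPoint": egress,
        "selector": _selector(principal_ip),
        "treatment": {"instructions": [
            {"type": "L3MODIFICATION", "subtype": "IPV4_DST", "ip": shadow_ip},
        ]},
    }


def build_dns_redirect_intent(principal_ip, shadow_ip, ingress, egress,
                              shadow_dns_port=5353, app_id=APP_ID):
    """DNS port redirection (assumed reading of the paper's mechanism):
    UDP/53 queries for the principal are steered to the shadow host on
    another UDP port, so a probing bot resolves names against the shadow."""
    intent = build_redirect_intent(principal_ip, shadow_ip, ingress, egress,
                                   app_id=app_id, priority=300)
    intent["selector"] = _selector(principal_ip, ip_proto=17, udp_dst=53)
    intent["treatment"]["instructions"].append(
        {"type": "L4MODIFICATION", "subtype": "UDP_DST",
         "udpPort": shadow_dns_port})
    return intent


def plan_rotation(principal_ip, shadows, ingress, egress, rounds):
    """MTD schedule: one redirect intent per round, cycling through the shadow
    hosts so the mapped path changes before Crossfire's link map is usable."""
    return [build_redirect_intent(principal_ip, shadows[r % len(shadows)],
                                  ingress, egress)
            for r in range(rounds)]


def to_json(intent):
    return json.dumps(intent, sort_keys=True)


def submit_intent(base_url, intent, user="onos", password="rocks"):
    """POST the intent to /onos/v1/intents. ONOS default credentials are
    shown for the lab; change them in any real deployment. Network call."""
    req = urllib.request.Request(f"{base_url}/onos/v1/intents",
                                 data=to_json(intent).encode(), method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    for intent in plan_rotation(PRINCIPAL_IP, SHADOW_IPS, INGRESS, EGRESS, 3):
        print(to_json(intent))
    print(to_json(build_dns_redirect_intent(PRINCIPAL_IP, SHADOW_IPS[0],
                                            INGRESS, EGRESS)))
```

Two caveats a practitioner will hit in Mininet: the shadow host must actually answer for the rewritten address (or a reverse-direction intent must rewrite the source back to the principal's address), and each rotation round should withdraw the previous intent (DELETE /onos/v1/intents/{appId}/{key}) before installing the next one, otherwise both rules coexist and the higher-priority one silently wins.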
Highlights
Indirect Distributed Denial of Service (DDoS) attacks carried out by bot-net driven computers have been known for some time
The obtained results show that CPU usage ranges between 20% and 30%; it could rise to 80% if a single Software Defined Networking (SDN) controller received all of the incoming traffic, which also poses the threat of a single point of failure
Redirection is chosen over dropping suspicious packets because, if packets are simply dropped, the illegitimate traffic may be masqueraded as legitimate in another form to enter the network
Summary
Indirect Distributed Denial of Service (DDoS) attacks carried out by bot-net driven computers have been known for some time. This novel class of DDoS attack is known as the Crossfire attack or Link-Flooding attack [1]. This type of attack can remain undetected if any of the following conditions is fulfilled [2]: 1) valid IP addresses may be used by the bots, so all detection or prevention mechanisms based on spoofed IPs turn out to be inapplicable. When incorporated with MTD, the proposed framework enhances the capability to secure the network infrastructure