| DDoS attacks have caused very serious damage to the enterprise network,although the industry has put forward a lot of defense methods,but the attackers continue to change the attack strategy to bypass the defense system.Recently,a new kind of DDoS attacks,linkflooding attacks(LFA),has been proved and already used by attackers to flood and congest network critical links.Unlike DDoS attacks,link-flooding attacks use a large amount of traffic to block critical links.However,LFA attacks are very difficult to be detected since they often utilize large-scale legitimate low-speed flows and rolling target links to launch attacks.To address such a critical security problem of link-flooding attacks,we design and implement a novel LFA defense system called LFADefender that leverages some key features,such as network-wide view,flow traceability,and elastic deployment,of two emerging network technologies,Software-Defined Networking(SDN)and Network Function Virtualization(NFV),to effectively detect and migrate LFA attacks.In LFADefender,we propose a LFA target link detection approach and a virtual LFA monitor function for link congestion detection.Moreover,we introduce a LFA mitigation mechanism in LFADefender based on flow rerouting and flow traceability for LFA attack mitigation.Our evaluations show that LFADefender can accurately detect LFA attacks and rapidly respond to them.Meanwhile,LFADefender introduces minimal overhead for the communication of network control and data planes. |
PDF Full Text Request