
Detection And Analysis Of Link Flooding Attack Based On General Traffic Measurement

Posted on: 2023-10-30
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Cai
GTID: 2568307061950679
Subject: Cyberspace security

Abstract/Summary:
The link flooding attack is the most advanced distributed denial-of-service attack. It uses a large-scale botnet to attack a target network link, making the network inaccessible to legitimate users. Because its saturating attack traffic does not converge on a single target server but is scattered among multiple decoy servers, it is difficult for existing defense mechanisms to detect a highly aggregated attack target. LinkScope [1] and other detection methods measure the link state actively by sending probe messages, and then use machine learning to detect the abnormal temporal and spatial collapse of the link state. However, the link-state features used in current research are relatively few, which makes it difficult to perceive the network traffic distribution. It is therefore difficult to distinguish a flash crowd, caused by sudden access by a large number of legitimate users in a short time, from link congestion caused by a flooding attack.

To address the shortcomings of current link flooding attack detection and defense technology, this paper proposes a passive link-state measurement scheme that can perceive the traffic distribution. We design a general traffic measurement algorithm that can run on the data plane of network equipment. It extracts moment estimates of the traffic distribution and the top-k flows at the same time, providing richer traffic statistics for link flooding attack detection. The main contributions and innovations of this paper are as follows:

(1) For the flow length estimation problem, this paper proposes a more space-efficient counting sketch, Gen-CM, as the basic building block used by the layers of a general flow measurement algorithm. Inspired by the representation of floating-point numbers, Gen-CM uses a 16-bit general-purpose counter based on counter compression instead of a 32-bit counter, which can efficiently count the number of bytes or packets of each flow. In addition, Gen-CM uses probabilistic update, conservative update and other techniques; compared with the Count Sketch used in UnivMon [2], the number of hashes and the number of memory accesses during an update are reduced by 1/2 and 3/4 respectively. The experimental results show that the Gen-CM sketch uses only 32 KB of memory to achieve the same estimation accuracy as Count-Min Sketch (CM), Count Sketch (CS) and Conservative Update (CU) with allocations of 1024 KB, 512 KB and 64 KB, respectively.

(2) For the general flow measurement problem, this paper proposes a lightweight general flow measurement algorithm, LMS. UnivMon is the first truly general flow measurement algorithm. It can not only count the traffic of large flows, but also provide a moment estimator of the overall flow distribution through stratified sampling and other designs. However, its design has serious performance flaws. This paper therefore designs a new progressive sampling algorithm and a high-frequency filter technique, which significantly reduce the per-packet processing overhead and make the algorithm better suited to a pipelined implementation on the data plane of high-speed switches. The new design also significantly improves measurement accuracy. The experimental results show that, with the same memory size as UnivMon, the error of the LMS algorithm in measuring the second moment is reduced by a factor of about 40, and the measurement error of the entropy is reduced by a factor of 3.

(3) To address the problem that the detection features used by current link flooding attack detection algorithms are scarce and make it difficult to perceive the traffic distribution, this paper proposes a link flooding attack detection algorithm based on multi-dimensional traffic characteristics. First, we perform feature selection on the data obtained by the above measurement algorithm, and combine the features that are sensitive to link flooding attacks into a feature vector. To use the multi-dimensional features effectively for joint anomaly detection, this paper proposes anomaly detection algorithms based on Mahalanobis distance and LOF, which detect global and local outliers in multi-dimensional data, respectively. Finally, we propose a bot-host filtering mechanism based on soft timeout rules to mitigate the impact of link flooding attacks. The experimental results show that the F1-score of the proposed detection algorithm based on multi-dimensional traffic features is improved by 6% and 10.6% respectively compared with LinkScope [1] and the method that uses only a single feature.

(4) We build a link flooding attack detection system based on VPP. The system consists of a traffic generator based on tcpreplay and hping3, a VPP software switch, and a control plane based on VAPI and Python. The traffic generator is responsible for generating background traffic and attack traffic. The LMS algorithm is deployed on the data plane of the VPP software switch to measure the traffic distribution characteristics and the top-k large flows. The link flooding attack detection and mitigation modules are implemented in Python and deployed on the control plane. Finally, we display the detection results with the lightweight web framework Flask.
Keywords/Search Tags: Link Flood Attack, Passive Network Measurement, Moment Estimation Sketch, Multidimensional Anomaly Detection, Mahalanobis Distance, LOF
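
An added illustration of the Mahalanobis-distance step named in contribution (3), not code from the thesis: it scores a measurement window against a baseline of (second moment, entropy) pairs and shows a window that passes every single-feature z-score check yet is a clear joint outlier. The feature pair, the normalisation, the sample values and the 1% threshold are assumptions made for this example.

```python
import math

# Constructed baseline: one (second_moment, entropy) pair per measurement
# window, both normalised to [0, 1]. Not data from the thesis.
BASELINE = [(0.10, 0.90), (0.20, 0.82), (0.30, 0.69), (0.40, 0.61), (0.50, 0.50),
            (0.60, 0.38), (0.70, 0.31), (0.80, 0.19), (0.90, 0.10)]

def mean_cov(rows):
    """Sample mean vector and covariance matrix of the baseline windows."""
    n, d = len(rows), len(rows[0])
    mu = [sum(r[j] for r in rows) / n for j in range(d)]
    cov = [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in rows) / (n - 1)
            for j in range(d)] for i in range(d)]
    return mu, cov

def invert(m):
    """Gauss-Jordan inverse with partial pivoting; rejects collinear features."""
    d = len(m)
    a = [list(row) + [float(i == j) for j in range(d)] for i, row in enumerate(m)]
    for c in range(d):
        p = max(range(c, d), key=lambda r: abs(a[r][c]))
        if abs(a[p][c]) < 1e-12:
            raise ValueError("singular covariance matrix")
        a[c], a[p] = a[p], a[c]
        piv = a[c][c]
        a[c] = [v / piv for v in a[c]]
        for r in range(d):
            if r != c:
                f = a[r][c]
                a[r] = [v - f * w for v, w in zip(a[r], a[c])]
    return [row[d:] for row in a]

def score(x, rows=BASELINE):
    """Return (largest per-feature |z|, Mahalanobis distance) for window x."""
    mu, cov = mean_cov(rows)
    inv = invert(cov)
    diff = [xi - mi for xi, mi in zip(x, mu)]
    d2 = sum(diff[i] * inv[i][j] * diff[j]
             for i in range(len(x)) for j in range(len(x)))
    max_z = max(abs(diff[i]) / math.sqrt(cov[i][i]) for i in range(len(x)))
    return max_z, math.sqrt(max(d2, 0.0))

# With 2 features and a Gaussian baseline (assumption), d^2 is chi-square with
# 2 degrees of freedom, whose upper quantile has the closed form -2*ln(alpha).
THRESHOLD = math.sqrt(-2 * math.log(0.01))  # alpha = 1%

def is_outlier(x):
    return score(x)[1] > THRESHOLD

if __name__ == "__main__":
    for w in [(0.70, 0.31), (0.70, 0.70)]:
        z, d = score(w)
        print(w, f"max|z|={z:.2f}", f"mahalanobis={d:.2f}", is_outlier(w))
```

The closed-form threshold holds only for two features; with more dimensions the chi-square quantile for that many degrees of freedom is needed instead.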