Analyzing the Benefits of Optical Topology Programming for Mitigating Link-Flood DDoS Attacks

Bibliographic Details
Published in: IEEE transactions on dependable and secure computing, Vol. 22, No. 1, pp. 146-163
Main Authors: Nance-Hall, Matthew, Liu, Zaoxing, Sekar, Vyas, Durairajan, Ramakrishnan
Format: Journal Article
Language: English
Published: Washington IEEE 01.01.2025
IEEE Computer Society
ISSN:1545-5971, 1941-0018
Description
Summary: Link-flood attacks (LFAs) overwhelm bandwidth on links in a network using traffic from many sources, which is indistinguishable from benign traffic. Unfortunately, traditional DDoS defenses are incapable of stopping such attacks and recently proposed software-defined solutions are ineffective. In this work, we observe a new opportunity for mitigating LFAs using optical networking advances. In essence, we envision new capabilities for topology programming, to scale capacity on-demand to avoid congestion and add new links to the network to create new paths for traffic during LFA incidents. Realizing these benefits of optical topology programming raises unique challenges; the search space for candidate topology configurations is very large and joint optimization of topology and routing is NP-hard. We present ONSET, a framework that tackles these challenges to lay a practical foundation for topology programming-based defenses against LFAs. We show that ONSET complements existing programmable network defenses and amplifies their benefits. We perform a what-if style analysis of ONSET by simulating a wide-ranging set of attacks, including terabit-scale attacks against every single link, on five networks with two different routing capabilities and observe that ONSET provides the means to mitigate congestion loss in more than 90% of the hundreds of diverse attack scenarios considered.
DOI:10.1109/TDSC.2024.3391188