Abstract

A new class of target link flooding attacks (LFAs) can cut off the Internet connections of a target area without being detected, because they employ legitimate flows to congest selected links. Although new mechanisms for defending against LFA have been proposed, the deployment issues limit their usage, since they require either additional modules to enhance routers or using the software-defined network to replace the traditional routers. In this paper, we propose a novel framework that employs both the end-to-end and hop-by-hop network measurement techniques to capture the abnormal path performance degradation for detecting LFA and then locate the target links or areas whenever possible, and develop a prototype of the framework named LinkScope. Although using network measurement to capture network anomaly is not new, we tackle a number of challenging issues, such as conducting large-scale Internet path monitoring via non-cooperative measurement so that users do not need to install LinkScope on every host, profiling the performance of asymmetric Internet paths and detecting LFA. The extensive evaluation in a testbed and the Internet shows that with limited bandwidth and computational overhead, LinkScope can achieve timely detection and diagnosis of LFA with high detection rate and low false positive rate.