2 research outputs found

    Active Link Obfuscation to Thwart Link-flooding Attacks for Internet of Things

    The DDoS attack is a serious threat to the Internet of Things (IoT). As a new class of DDoS attack, the link-flooding attack (LFA) disrupts connectivity between legitimate IoT devices and target servers by flooding only a small number of links. Several mechanisms have been proposed to mitigate this sophisticated attack. However, they can only reactively mitigate LFA after target links have been flooded by the adversaries. In this paper, we propose an active LFA mitigation mechanism, called Linkbait, that is a proactive and preventive defense to throttle LFA for IoT. The observation behind Linkbait is that adversaries rely on the set of key links impacting the network connectivity (i.e., the linkmap) to identify target links. Linkbait mitigates the attacks by interfering with linkmap discovery and providing a fake linkmap to adversaries. Inspired by moving target defense (MTD), we propose a link obfuscation algorithm in Linkbait that selectively reroutes probing flows to hide target links from adversaries and mislead them into identifying bait links as target links. By providing the faked linkmap to adversaries, Linkbait can actively mitigate LFA for IoT even without identifying compromised IoT devices, while not affecting flows from legitimate IoT devices. To block attack traffic and further reduce the impact in IoT, we propose a compromised IoT device detection algorithm that extracts unique traffic patterns of LFA for IoT and leverages a support vector machine (SVM) to identify attack traffic. We evaluate the performance of Linkbait using both real-world experiments and large-scale simulations. The experimental results demonstrate the effectiveness of Linkbait.

    Strategic Defense against Stealthy Link Flooding Attacks: A Signaling Game Approach

    With the increasing diversity of Distributed Denial-of-Service (DDoS) attacks, it is becoming extremely challenging to design a fully protected network. For instance, the Stealthy Link Flooding Attack (SLFA) is a variant of DDoS attack that strives to block access to a target area by flooding a small set of links, and it has been shown that it can bypass traditional DDoS defense mechanisms. One potential solution to tackle such SLFAs is to apply Moving Target Defense (MTD) techniques, in which network settings are dynamically changed to confuse or deceive attackers, thus making it highly expensive to launch a successful attack. However, since MTD comes with some overhead to the network, finding the best strategy (i.e., when and/or to what extent) for applying it has been a major challenge. The strategy is significantly influenced by the attacker's behavior, which is often difficult to guess. In this work, we address the challenge of obtaining the optimal MTD strategy that effectively mitigates SLFAs while incurring minimal overhead. We model the problem as a signaling game, considering the network defender and the attacker as players. A belief function is established throughout the engagement of the attacker and the defender during the SLFA campaign, and it is used to pick the best response/action for each player. We analyze the game model and derive a defense mechanism based on the equilibria of the game. We evaluate the technique in a Mininet-based network environment where an attacker performs SLFAs and a defender applies MTD based on the equilibria of the game. The results show that our signaling game-based dynamic defense mechanism can provide a level of protection against SLFAs similar to that of the extensive MTD solution, while causing significantly reduced overhead.