Detecting Target-Area Link-Flooding DDoS Attacks Using Traffic Analysis and Supervised Learning

  • Mostafa RezazadEmail author
  • Matthias R. Brust
  • Mohammad Akbari
  • Pascal Bouvry
  • Ngai-Man Cheung
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 887)


A novel class of extreme link-flooding DDoS (Distributed Denial of Service) attacks is designed to cut off entire geographical areas such as cities and even countries from the Internet by simultaneously targeting a selected set of network links. The Crossfire attack is a target-area link-flooding attack, which is orchestrated in three complex phases. The attack uses a massively distributed large-scale botnet to generate low-rate benign traffic aiming to congest selected network links, so-called target links. The adoption of benign traffic, while simultaneously targeting multiple network links, makes detecting the Crossfire attack a serious challenge. In this paper, we present analytical and emulated results showing hitherto unidentified vulnerabilities in the execution of the attack, such as a correlation between coordination of the botnet traffic and the quality of the attack, and a correlation between the attack distribution and detectability of the attack. Additionally, we identified a warm-up period due to the bot synchronization. For attack detection, we report results of using two supervised machine learning approaches: Support Vector Machine (SVM) and Random Forest (RF) for classification of network traffic to normal and abnormal traffic, i.e, attack traffic. These machine learning models have been trained in various scenarios using the link volume as the main feature set.


Distributed Denial of Service (DDoS) Link-flooding attacks Traffic analysis Supervised learning Detection mechanisms 



This work is partially funded by the joint research programme UL/SnT-ILNAS on Digital Trust for Smart-ICT.


  1. 1.
    Xue, L., Luo, X., Chan, E.W., Zhan, X.: Towards detecting target link flooding attack. In: LISA, pp. 81–96 (2014)Google Scholar
  2. 2.
    Gkounis, D., Kotronis, V., Liaskos, C., Dimitropoulos, X.A.: On the interplay of link-flooding attacks and traffic engineering. Comput. Commun. Rev. 46, 5–11 (2016)CrossRefGoogle Scholar
  3. 3.
    Gkounis, D., Kotronis, V., Dimitropoulos, X.: Towards defeating the crossfire attack using SDN. arXiv preprint arXiv:1412.2013 (2014)
  4. 4.
    Kang, M.S., Lee, S.B., Gligor, V.D.: The crossfire attack. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 127–141, May 2013Google Scholar
  5. 5.
    Zargar, S.T., Joshi, J., Tipper, D.: A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun. Surv. Tutor. 15(4), 2046–2069 (2013)CrossRefGoogle Scholar
  6. 6.
    Ramazani, S., Kanno, J., Selmic, R.R., Brust, M.R.: Topological and combinatorial coverage hole detection in coordinate-free wireless sensor networks. Int. J. Sens. Netw. 21(1) (2016)Google Scholar
  7. 7.
    Brust, M.R., Turgut, D., Ribeiro, C.H., Kaiser, M.: Is the clustering coefficient a measure for fault tolerance in wireless sensor networks? In: IEEE International Conference on Communications (ICC) (2012)Google Scholar
  8. 8.
    Xue, L., Luo, X., Chan, E.W.W., Zhan, X.: Towards detecting target link flooding attack. In: 28th Large Installation System Administration Conference (LISA14), Seattle, WA, pp. 90–105 (2014)Google Scholar
  9. 9.
    Botta, A., Dainotti, A., Pescapè, A.: A tool for the generation of realistic network workload for emerging networking scenarios. Comput. Netw. 56(15), 3531–3547 (2012)CrossRefGoogle Scholar
  10. 10.
    Yu, W.: Pox flow statistics (2012).
  11. 11.
    Wu, C.-C., Chen, K.-T., Chang, Y.-C., Lei, C.-L.: Peer-to-peer application recognition based on signaling activity. In: Proceedings of the 2009 IEEE International Conference on Communications, ICC 2009, pp. 2174–2178. IEEE Press, Piscataway (2009).
  12. 12.
    Wu, C.-c., Chen, K.-t., Chang, Y.-c., Lei, C.-l.: Detecting peer-to-peer activity by signaling packet counting (2008)Google Scholar
  13. 13.
    Ke, Y.-M., Chen, C.-W., Hsiao, H.-C., Perrig, A., Sekar, V.: CICADAS: congesting the internet with coordinated and decentralized pulsating attacks. In: Proceedings of the ACM Asia Conference on Computer and Communications Security, pp. 699–710. ACM, New York (2016)Google Scholar
  14. 14.
    Liaskos, C., Kotronis, V., Dimitropoulos, X.: A novel framework for modeling and mitigating distributed link flooding attacks. In: IEEE INFOCOM 2016-The 35th Annual IEEE International Conference on Computer Communications, pp. 1–9. IEEE (2016)Google Scholar
  15. 15.
    Powers, D.M.: Evaluation: from precision, recall and f-measure to ROC, informedness, markedness and correlation (2011)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Mostafa Rezazad
    • 1
    Email author
  • Matthias R. Brust
    • 2
  • Mohammad Akbari
    • 3
  • Pascal Bouvry
    • 2
  • Ngai-Man Cheung
    • 4
  1. 1.Institute for Research in Fundamental Sciences (IPM)TehranIran
  2. 2.SnT, University of LuxembourgLuxembourg CityLuxembourg
  3. 3.SAP Innovation Center SingaporeSingaporeSingapore
  4. 4.Singapore University of Technology and DesignSingaporeSingapore

Personalised recommendations