Summary

Asia-Pacific Network Operations and Management Symposium

2022

Session Number:PS2

Number:PS2-04

Detecting Crossfire-Attack Hosts in Search Phase

Manami Nakahara, Noriaki Kamiyama

Publication Date:2022/09/28

Online ISSN:2188-5079

DOI:10.34385/proc.70.PS2-04

Summary:
A new type of distributed denial-of-service (DDoS) attack, called a crossfire attack (CFA), has appeared, in which attackers prevent packets from arriving at servers in the target area by sending many packets over some of the links connecting the target area to other areas and overloading those links. In the CFA, bot hosts repeatedly send traceroute packets to multiple servers in the target area within a short time frame to select the target links prior to the attack. Therefore, to prevent the CFA, it might be effective to filter all the traceroute packets sent within a time interval less than a threshold. However, legitimate hosts that send traceroute packets within a short time interval will also be detected as bot hosts. In this paper, we propose a method using two thresholds to detect the bot hosts of a CFA: one threshold is used for detecting the target servers of traceroutes; the other threshold is used for detecting the bot hosts. By using two thresholds, we can expect to detect bot hosts while avoiding false identification of legitimate hosts. We also propose a method for optimally designing detection thresholds that maximize the detection accuracy against bot hosts under a given upper limit on the false identification probability of legitimate hosts.