BALANCE: Link Flooding Attack Detection and Mitigation via Hybrid-SDN

Link Flooding Attack (LFA) is a genre of Distributed Denial of Service (DDoS) attack. LFA can cut off a target area from the network, without directly attacking the target. The attacker chooses links which when cut off will disconnect the target area and instruct the bots to flood those links with small packets. Some of the existing solutions are suitable for specific routing methods like shortest path routing or need cooperation between Autonomous Systems (AS). To overcome certain hitches of existing solutions, we have proposed a novel mechanism named BALANCE. It detects and mitigates LFA via hybrid-Software-Defined Network (SDN). SDN splits the control and data plane using OpenFlow protocol. Hybrid SDN has both legacy and SDN nodes, with a controller in the control plane. We have used Service Based Hybrid SDN (SBHS), which is a type of hybrid-SDN. BALANCE begins with an algorithm that chooses nodes in an AS to be SBHS enabled in such a way that the controller can get statistics of all the links in the AS. Next, congestion detection and location algorithms are implemented in the controller to find the congested links. Finally, LFA bot detection and mitigation algorithms are implemented in the controller to mitigate LFA. BALANCE was evaluated in testbed and emulator. We compared the results with state-of-the-art solutions. BALANCE was able to detect LFA bots at a precision of 97.64% and had HTTP response time of 2 seconds during the LFA attack.