Mitigating LFA through segment rerouting in IoT environment with traceroute flow abnormality detection

The Internet of Things (IoT) provides tremendous smart devices that are always connected to and interacting with the Internet. However, the development of IoT also promotes the threat of network attacks due to the billions of IoT devices vulnerable to hackers. Link-flooding attack (LFA) is a new type of DDoS attack used to flood the crucial network links. In IoT environment, LFA can be more easily launched by large-scale low-rate legitimate data flows with quite a low cost and is difficult to detect. Target areas in an enterprise network can be easily isolated since the crucial links are unavailable. Software defined network (SDN) architecture provides new opportunities to address this network security problem with the separation of data plane and control plane. Recently, segment routing (SR), which is an evolution of source routing, has been viewed as a promising technique for flow rerouting and failure recovery. SR is a lightweight easy-deployed scheme known for its flexibility, scalability, and applicability. Therefore, in this paper, we try to mitigate LFA with segment rerouting within the SDN architecture. With the comprehensive network-wide view of the data flows and links, we first design a monitoring mechanism to detect LFA based on the availability of the crucial links and traceroute flows. We consider the traceroute packet flows as time series with white Gaussian noise. A machine-learning-based auto-regression scheme is proposed to detect the abnormal increase in traceroute packets which indicates the launch of LFA. Then we use segment routing to detour the congested flows and alleviate the burden on the crucial links. Finally. the LFA bots will be identified and the malicious traffic will be blocked. Sufficient evaluations demonstrate that our LFA defense can efficiently detect LFA and preserve the network services, while only introduce a little signaling overhead between the control and data plane.