A Persistent Route Diversification Mechanism for Defending against Stealthy Crossfire Attack

Abstract

Computer networks are facing the challenge of stealthy crossfire attacks that flood through persistent routes (PRs) towards their decoys at a low rate for disrupting end-to-end connectivity of the target. At first, the PRs can be stealthily probed at the initial stage of the attack. Later, some undefended and vulnerable PRs can be speculated at the renaissance stage of the attack, which yet remains unconcerned. To achieve an effective defense against the two-stage attacks, this paper investigates a new persistent route diversification defense (PRDD) mechanism to mitigate each identified PR under the attacks. The PRDD effectively stops the flooding on the PRs to mitigate their congestion. Meanwhile, it makes the adversary unable to probe or speculate the PRs under their corresponding attack stages. Thus, it disables every flooding choice for the adversary, avoiding the attacks. The PRDD is designed with scalable algorithmic complexity in computation and overhead. The PRDD is extensively assessed using NS-3 and Mininet, and the results show the following. (a) It is more effective in mitigating more attacked PRs compared with the existing solutions. (b) The defense performance of the PRDD remains highly scalable in computation, while maintaining an acceptable overhead.