Reading - Crossfire Attack Flashcards
Why are current defense methods against Botnet DDoS attacks ineffective against crossfire attacks?
Botnets conducting a crossfire attack do not need to spoof their IP addresses, and as a result defenses based on detecting spoofed IP addresses fail. Additionally, the traffic sent by these botnets to overload links is not unsolicited; the traffic flows from one participating host to another. Furthermore, the attack overloads links in aggregate, meaning many low-intensity flows combine to DoS the target links. These links are harder to differentiate from legitimate traffic, which prevents flow monitoring efforts from detecting these attacks.
Why would an attacker mounting a crossfire attack choose to dynamically change the set of target links during an attack (known as a rolling attack)?
Rolling attacks are implemented by an attacker to indefinitely continue an attack on a target area. Continuing to flood the same set of target links will ultimately have negative effects on the attack when router failure detection mechanisms are tripped. Additionally, rolling attacks will make the crossfire attack even harder to detect by changing the attack vector without changing the overall target area.