The Crossfire Attack Flashcards
A powerful link-flooding attack that degrades and often cuts off network connections to a set of selected server targets (e.g., the servers of an enterprise, a city, a state, or a small country) by flooding only a few network links.
The Crossfire attack
Undetectable by the targeted servers, since they no longer receive any messages, and by network routers, since they see only low-intensity individual flows that are indistinguishable from legitimate flows.
The Crossfire attack
It can isolate a target area by flooding carefully chosen links.
The Crossfire attack
Requires relatively small botnets (e.g., ten thousand bots) and is largely independent of the bot distribution.
The Crossfire attack
Has no effective countermeasure at either the target routers or the end-point servers; as a result, it can degrade and even cut off connections to selected Internet areas ranging from a single organization to several US states, for a long time.
The Crossfire attack
True or false: international agreements regarding the prosecution of telecommunication-infrastructure attacks may also become necessary.
True
The Crossfire attack can be launched against any target area (regardless of its size), since an adversary can usually find a large number of public servers inside that target area and decoy servers near it.
For example, the adversary can use any of the many publicly accessible servers near the target area as a decoy without needing permission from that server. This gives the adversary great flexibility in the choice of a target area, which is one of the most important characteristics distinguishing the Crossfire attack from other link-flooding attacks.
The Crossfire attack is able to disconnect a target area persistently by controlling the bot traffic so as not to trigger any control-plane changes (e.g., rerouting around the flooded links). This is achieved by using stable routes in rolling attacks, which change the active set of target links dynamically.
In the Crossfire attack, a large number of low-rate attack flows pass through a target link.
Hence, a router connected to the target link cannot distinguish the attack flows from legitimate ones.
In other words, since all the attack flows carry different
source IP addresses and destination IP addresses, the high bandwidth aggregation mechanisms
The Crossfire attack uses only legitimate flows to flood target links. Each bot creates ordinary connections (e.g., HTTP) with a set of decoy servers following the adversary's (i.e., the botmaster's) assignments, and hence individual connections do not trigger an attack alarm at the servers.
Since the target area is not directly attacked and the decoy servers near it see no suspicious traffic, the servers in the target area are unable to detect the attack. Even the decoy servers are unable to detect it, since the well-coordinated flows to the decoys cause only a few Mbps of bandwidth increase at each server.

Furthermore, the adversary can easily select target links that are several hops away from the target area (at least 3 hops in the authors' experiments), since links with high flow density are usually located in the core backbone networks. This makes it difficult even for the routers at the target links to identify an attack.
The Crossfire attack has four distinct characteristics which distinguish it from ordinary DDoS attacks
1) undetectability,
2) attack-flow indistinguishability,
3) flexibility in the choice of targets,
4) persistence in terms of attack duration.
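The cards above describe the mechanics of flexibility (L17-19), persistence via rolling attacks, flow indistinguishability and undetectability, but not how the pieces fit together. The following toy model is an added example written for these flashcards; it is not code from the Crossfire paper or its authors. It builds a link map from constructed hop-by-hop routes (hypothetical router names C1..C4, E1..E3, T1, bots b0..b5, decoys decoy1/decoy2), ranks links by how many bot-to-decoy flows cross them, keeps only links that lie on the routes into the target area and are at least a chosen number of hops away from it, then assigns one low-rate flow per bot per decoy and shows that the chosen link exceeds its (assumed) capacity while each decoy sees only a few Mbps and the target-area server receives no attack flow at all. The `rolling_schedule` helper rotates between disjoint cut sets, which is the scheduling idea behind the "rolling attack" card; all capacities and rates are assumed numbers.

```python
"""Toy model of Crossfire target-link selection and low-rate flow assignment.

Added example with a constructed topology and assumed numbers; not the
paper's data or code. Runs offline and sends no traffic.
"""
from collections import Counter

# --- Constructed topology (hypothetical router names) ----------------------
TARGET_AREA = {"T1"}                       # routers inside the target area
BOTS = ["b0", "b1", "b2", "b3", "b4", "b5"]  # hypothetical bot ids
ENTRY = {b: ("C1" if b in BOTS[:3] else "C2") for b in BOTS}  # core entry router
DECOYS = {"decoy1": "E2", "decoy2": "E3"}  # public servers near the target area
TARGET_SERVER = ("s_target", "T1")         # a server inside the target area


def route(entry, last):
    """Constructed traceroute-style path: every route converges on the
    C3-C4 backbone link before reaching the edge router E1."""
    return [entry, "C3", "C4", "E1", last]


def links_of(path):
    return list(zip(path, path[1:]))


def bot_routes():
    """bot -> {server: [links]} for the target server and every decoy."""
    out = {}
    for b in BOTS:
        out[b] = {TARGET_SERVER[0]: links_of(route(ENTRY[b], TARGET_SERVER[1]))}
        for d, last in DECOYS.items():
            out[b][d] = links_of(route(ENTRY[b], last))
    return out


def hops_from_target(link, target_links):
    """Links between `link` and the target area along one target route."""
    return len(target_links) - 1 - target_links.index(link)


def flow_density(routes):
    """How many distinct bot->decoy flows would cross each link."""
    density = Counter()
    for servers in routes.values():
        for s, links in servers.items():
            if s in DECOYS:
                density.update(set(links))
    return density


def candidate_target_links(routes, min_hops):
    """Links on routes into the target area, at least `min_hops` away from
    it, ranked by flow density (highest first)."""
    density = flow_density(routes)
    cands = {}
    for servers in routes.values():
        tl = servers[TARGET_SERVER[0]]
        for link in tl:
            if hops_from_target(link, tl) >= min_hops:
                cands[link] = density[link]
    return sorted(cands.items(), key=lambda kv: -kv[1])


def is_cut_set(routes, links):
    """True if every bot->target route crosses at least one of `links`."""
    links = set(links)
    return all(set(s[TARGET_SERVER[0]]) & links for s in routes.values())


def assign_flows(routes, target_links, per_flow_mbps):
    """Each bot opens one low-rate flow to every decoy whose route crosses a
    target link. Only decoys are contacted; the target server gets nothing.
    Returns (link_load, decoy_load) in Mbps."""
    link_load, decoy_load = Counter(), Counter()
    tl = set(target_links)
    for servers in routes.values():
        for d in DECOYS:
            if tl & set(servers[d]):
                decoy_load[d] += per_flow_mbps
                for link in servers[d]:
                    link_load[link] += per_flow_mbps
    return link_load, decoy_load


def rolling_schedule(cut_sets, rounds):
    """Round-robin over cut sets so no single link is flooded continuously."""
    return [cut_sets[i % len(cut_sets)] for i in range(rounds)]


def plan(min_hops=2, per_flow_mbps=0.4, link_capacity_mbps=4.0,
         decoy_alarm_mbps=5.0):
    """Pick the densest eligible link and check the per-link / per-decoy
    loads against assumed capacity and alarm thresholds."""
    routes = bot_routes()
    best_link, density = candidate_target_links(routes, min_hops)[0]
    link_load, decoy_load = assign_flows(routes, [best_link], per_flow_mbps)
    return {
        "target_link": best_link,
        "flows": density,
        "target_link_mbps": round(link_load[best_link], 2),
        "flooded": link_load[best_link] > link_capacity_mbps,
        "max_decoy_mbps": round(max(decoy_load.values()), 2),
        "decoy_alarm": max(decoy_load.values()) >= decoy_alarm_mbps,
    }


if __name__ == "__main__":
    print(plan())
    print(rolling_schedule([[("C3", "C4")], [("C1", "C3"), ("C2", "C3")]], 4))
```

With the assumed numbers, twelve 0.4 Mbps flows converge on the C3-C4 link (4.8 Mbps on a 4 Mbps link) while each decoy receives only 2.4 Mbps, well under the assumed alarm threshold; raising `min_hops` to 3 pushes the choice out to the C1-C3 and C2-C3 links, which must then be flooded together since neither alone is a cut set.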