SCIENCE CHINA Information Sciences, Volume 63, Issue 6: 169301 (2020) https://doi.org/10.1007/s11432-019-9921-7

Multi-variant network address hopping to defend stealthy crossfire attack$^\dagger$

  • Received Jan 3, 2019
  • Accepted Jun 18, 2019
  • Published Mar 12, 2020


There is no abstract available for this article.


This work was supported by National Key Research and Development Program of China (Grant Nos. 2016YFB0800102, 2017YFB0803205), Key Research and Development Program of Zhejiang Province (Grant Nos. 2017C01064, 2017C01055, 2018C01088), and Fundamental Research Funds for the Central Universities (Grant No. 2016XZZX001-04).



  • Figure 1

    (Color online) Defense effectiveness evaluation of MVNAH. (a), (b) and (c) are the TCP packet receiving rate and congestion window (CWnd) size changes at the target side, tested in NS-3 with $|Y|=2000$, where the variants and suppressing policies are enforced at 15 s in (a) and between 10–20 s in (c), respectively; (d), (e) and (f) are tested in Mininet with $|Y|=50$. (a) Rate changes for variants; (b) decreased rate changes for reroute; (c) rate changes for suppressing; bandwidth and CWnd changes for (d) variants, (e) reroute, and (f) suppressing.


    Algorithm 1 genVariants


    $Q~=~\mathrm{PriorityQueue}()$, $N~=~Y~\cup~H$, ${\rm~torch}~=~\mathrm{int}[|N|]$;


    for $w^{c,d}_i~\in~W^{c,d}$



    ${\rm~torch}[1\cdots]=-1$, ${\rm~visited}[1\cdots]=\mathrm{false}$;

    while $|Q|>0$ do


    for $l_j~\in~\mathrm{edges}(u)$


    if $l_j~\notin~\tilde{L}~\vee~{\rm~visited}[v]$ then continue;

    if $l_j~\in~\Theta$ then




    end if


    $Q.\mathrm{add}(v)$, ${\rm~visited}[v]~=~\mathrm{true}$;

    end for

    end while


    end for

    return $\Upsilon.V~=~\cup_{w^{c,d}_i~\in~\widetilde{W^{c,d}}}V_{w^{c,d}_j}$.


    Algorithm 2 genTrafficSteerings


    if $\Lambda~=~\emptyset$ then return $\emptyset$

    $\Upsilon.R~=~\emptyset,~\Upsilon.S~=~\emptyset$, $N~=~Y~\cup~H$;

    for $w_i~\in~W^{c,d}$


    for $w_j~\in~W$

    if $P'(w_i,~w_j)~=~\emptyset$ then $\Upsilon.S~=~\Upsilon.S~\cup~\{(w_i,~w_j)\}$;

    end for



    end for

    return $(\Upsilon.R,~\Upsilon.S)$.