Network Topology Effects on the Detectability of Crossfire Attacks

Network Topology Effects on the Detectability of Crossfire Attacks


New strains of Distributed Denial-of-Service (DDoS) attacks have exhibited potential to disconnect communication networks, even cutting off entire countries from the Internet. The “Crossfire” is a new, indirect DDoS link flooding attack, which masks itself as natural congestion, making it very hard to counter. Several studies have proposed online attack detection schemes, whose efficiency has been shown to vary in different network topologies. However, the topology/detection relation has been studied qualitatively, without formal proof or quantification metric. The present study is motivated by the fact that network topology changes are generally expensive and slow. Therefore, network designers should be provided with means of evaluating the effects of topology modifications to the attack detection efficiency. The study fills this gap by contributing a formal proof for the topology-detection efficiency relation, as well as a novel offline metric that quantifies it. Full attack prototypes are implemented and evaluated in real Internet topologies, validating the analytical findings. It is shown that the novel metric expresses the topology detection relation efficiently, while existing and widely-used metrics do not constitute good choices for this task.



  • System :         Pentium Dual Core.
  • Hard Disk : 120 GB.
  • Monitor : 15’’ LED
  • Input Devices : Keyboard, Mouse
  • Ram : 1 GB


  • Operating system : Windows XP/UBUNTU.
  • Implementation : NS2
  • NS2 Version : 2.28
  • Front End : OTCL (Object Oriented Tool Command  Language)
  • Tool : Cygwin (To simulate in Windows OS)


Christos Liaskos, Sotiris Ioannidis, “Network Topology Effects on the Detectability of Crossfire Attacks”, IEEE Transactions on Information Forensics and Security, 2018.

About the Author