Recent research has uncovered a new class of DDoS (Distributed Denial of Service) attack, the target link flooding attack (LFA), which can cut off the Internet connections of a target area (or guard area) without being detected. More precisely, the attacker first selects persistent links that connect the target area to the Internet and have high flow density, i.e. links traversed by many of the paths between the bots and public servers, and then instructs the bots to generate legitimate traffic between themselves and those public servers in order to congest the selected links. If the paths among the bots themselves cover the target area, the attacker can also have the bots send traffic to one another to clog the network.
LFA is difficult to detect for three reasons. (1) The target links are chosen by the attacker. Because they may lie in an AS different from the one containing the target area, and because the attack traffic never reaches the target area, the victim may not even know that it is under attack. (2) Each bot sends low-rate, protocol-conforming traffic to public servers, which renders signature-based detection systems useless. (3) Bots can change their traffic patterns to evade detection based on abnormal traffic patterns. Although a few router-based approaches have been proposed to defend against such attacks, their effectiveness may be limited because they cannot be widely deployed across the Internet in the short term.
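The following worked example illustrates both the link-selection step described above and why per-flow detection fails. It is an added example, not code from the paper or from any published attack tool. The topology, the bot-to-server traceroute paths, the 1000 Mbps link capacity and the 50 Mbps per-flow alarm threshold are all constructed for the example; "flow density" is taken here to mean the number of bot-to-server paths that traverse a link. The guard area (AS 64500) sits behind router rT, whose only upstream is r4; the public decoy servers d1 and d2 are in neighbouring networks that share the r3-r4 link with the guard area, so traffic to them congests that link without ever entering the guard area.

```python
from collections import defaultdict
from math import ceil

# Constructed data: the routers, bots and servers below are a toy topology
# standing in for the traceroute measurements an attacker would collect.
# AS 64500 (the guard area) sits behind router rT; its only upstream is r4.
# d1/d2 are public "decoy" servers in neighbouring networks that share the
# r3-r4 link with the guard area; d3 is a public server elsewhere.

def build_decoy_paths(n_bots=120):
    """Bot -> public-server paths (router hop lists), constructed for the example."""
    paths = {}
    for i in range(1, n_bots + 1):
        bot, edge = f"b{i}", ("r1" if i % 2 else "r2")
        if i % 5 == 0:                      # some bot/server pairs avoid the target link entirely
            paths[(bot, "d3")] = [bot, edge, "r5", "d3"]
        else:
            decoy = "d1" if i % 3 else "d2"
            paths[(bot, decoy)] = [bot, edge, "r3", "r4", decoy]
    return paths

# Low-rate reconnaissance traceroutes from two bots to hosts inside the guard area.
RECON_PATHS = {
    ("b1", "tgt1"): ["b1", "r1", "r3", "r4", "rT", "tgt1"],
    ("b2", "tgt2"): ["b2", "r2", "r3", "r4", "rT", "tgt2"],
}
DECOY_PATHS = build_decoy_paths()

def links_of(path):
    """Undirected links on a path, normalised so (a, b) == (b, a)."""
    return [tuple(sorted(hop)) for hop in zip(path, path[1:])]

def flow_density(paths):
    """Flow density of each link: how many bot->server paths traverse it."""
    density = defaultdict(int)
    for path in paths.values():
        for link in set(links_of(path)):
            density[link] += 1
    return dict(density)

def select_target_links(recon_paths, decoy_paths, k=1):
    """Links that both lead into the guard area and carry many decoy flows,
    ranked by flow density. Bot access links are excluded: congesting one
    would only cut off that bot."""
    recon_links = {l for p in recon_paths.values() for l in links_of(p)}
    bots = {bot for bot, _ in recon_paths} | {bot for bot, _ in decoy_paths}
    candidates = {
        link: d for link, d in flow_density(decoy_paths).items()
        if link in recon_links and not (set(link) & bots)
    }
    return sorted(candidates.items(), key=lambda kv: (-kv[1], kv[0]))[:k]

def plan_attack(decoy_paths, target_link, link_capacity_mbps, per_flow_limit_mbps):
    """Spread the load needed to fill the target link evenly over every
    bot->decoy flow that crosses it. The plan is stealthy only if each flow
    stays below the per-flow rate a conventional detector would alarm on;
    otherwise the attacker needs more bots (bots_needed)."""
    flows = [pair for pair, path in decoy_paths.items() if target_link in links_of(path)]
    per_flow = link_capacity_mbps / len(flows)
    return {
        "flows": flows,
        "per_flow_mbps": per_flow,
        "stealthy": per_flow <= per_flow_limit_mbps,
        "bots_needed": ceil(link_capacity_mbps / per_flow_limit_mbps),
    }

def link_loads(decoy_paths, plan):
    """Aggregate attack load per link once the plan is executed."""
    loads = defaultdict(float)
    for pair in plan["flows"]:
        for link in set(links_of(decoy_paths[pair])):
            loads[link] += plan["per_flow_mbps"]
    return dict(loads)

def per_flow_alarms(plan, per_flow_limit_mbps):
    """What a per-flow rate or signature detector at any single vantage point flags."""
    return [pair for pair in plan["flows"] if plan["per_flow_mbps"] > per_flow_limit_mbps]

if __name__ == "__main__":
    (target, density), = select_target_links(RECON_PATHS, DECOY_PATHS)
    plan = plan_attack(DECOY_PATHS, target, link_capacity_mbps=1000.0, per_flow_limit_mbps=50.0)
    loads = link_loads(DECOY_PATHS, plan)
    print(f"target link {target}: flow density {density}")
    print(f"{len(plan['flows'])} flows at {plan['per_flow_mbps']:.1f} Mbps each, stealthy={plan['stealthy']}")
    print(f"load on target link: {loads[target]:.0f} Mbps; flows flagged per-flow: {len(per_flow_alarms(plan, 50.0))}")
    print(f"load on the guard area's own link (r4, rT): {loads.get(('r4', 'rT'), 0.0)} Mbps")
```

With 120 bots the r3-r4 link is selected (96 decoy flows cross it), each flow runs at about 10 Mbps, no flow trips a 50 Mbps per-flow alarm, the target link is driven to its full 1000 Mbps, and the guard area's own r4-rT link carries none of the attack traffic, which is exactly why the victim may not notice. With only 10 bots the same link can be filled only by flows well above the per-flow threshold, so the plan is reported as not stealthy.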