Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event

Distributed Denial-of-Service (DDoS) attacks continue to be a major threat on the Internet today. DDoS attacks overwhelm target services with requests or other traffic, causing requests from legitimate users to be shut out. A common defense against DDoS is to replicate a service at multiple physical locations (sites). If all sites announce a common prefix, BGP will associate users around the Internet with a nearby site, defining the catchment of that site. Anycast defends against DDoS both by increasing aggregate capacity across many sites and by allowing each site's catchment to contain attack traffic, leaving other sites unaffected. IP anycast is widely used by commercial CDNs and for essential infrastructure such as DNS, but there is little evaluation of anycast under stress. This paper provides the first evaluation of several IP anycast services under stress with public data. Our subject is the Internet's Root Domain Name Service, made up of 13 independently designed services ("letters", 11 with IP anycast) running at more than 500 sites. Many of these services were stressed by sustained traffic at 100× normal load on Nov. 30 and Dec. 1, 2015. We use public data for most of our analysis to examine how different services respond to stress, and identify two policies: sites may absorb attack traffic, containing the damage but reducing service to some users, or they may withdraw routes to shift both good and bad traffic to other sites. We study how these deployment policies resulted in different levels of service to different users during the events. We also show evidence of collateral damage on other services located near the attacks.
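
The absorb-versus-withdraw trade-off described in the abstract can be made concrete with a small catchment model. The following is an added toy example, not code or data from the paper: sites, capacities, loads and the fallback mapping are constructed assumptions, and BGP's re-routing after a withdrawal is simplified to a fixed fallback site per catchment.

```python
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    capacity: float   # queries/s the site can answer
    good: float       # legitimate queries/s originating in its catchment
    attack: float     # attack queries/s originating in its catchment
    fallback: str     # assumed site BGP would pick for this catchment if the route is withdrawn


def service_levels(sites, policy):
    """Fraction of legitimate queries answered, keyed by each site's original catchment."""
    by_name = {s.name: s for s in sites}
    # Decide which site serves each catchment. Under "withdraw", a site whose total
    # load exceeds its capacity pulls its route and its whole catchment (good and
    # attack traffic alike) moves to the fallback site.
    serving = {}
    for s in sites:
        overloaded = s.good + s.attack > s.capacity
        serving[s.name] = s.fallback if (policy == "withdraw" and overloaded) else s.name
    # Total load now landing on each site.
    load = {n: 0.0 for n in by_name}
    for catchment, site in serving.items():
        load[site] += by_name[catchment].good + by_name[catchment].attack
    # A site that is still overloaded absorbs: it answers a proportional share of
    # everything it receives, so every catchment it serves shares the loss.
    answered = {n: min(1.0, by_name[n].capacity / load[n]) if load[n] else 1.0
                for n in by_name}
    return {catchment: answered[site] for catchment, site in serving.items()}


# Constructed scenario (illustrative numbers, not measurements from the paper):
# three equal sites, and only "ams" receives the attack, at 100x its normal load.
SCENARIO = [
    Site("ams", capacity=50.0, good=1.0, attack=100.0, fallback="lhr"),
    Site("lhr", capacity=50.0, good=1.0, attack=0.0, fallback="fra"),
    Site("fra", capacity=50.0, good=1.0, attack=0.0, fallback="lhr"),
]

if __name__ == "__main__":
    for policy in ("absorb", "withdraw"):
        print(policy, service_levels(SCENARIO, policy))
```

Under "absorb" only the attacked catchment degrades (about 50% of its legitimate queries answered) while the other sites are untouched; under "withdraw" the attacked catchment's users are no better off, and the fallback site's own users are dragged down with them, which is the collateral damage the abstract refers to.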
