Down the Black Hole: Dismantling Operational Practices of BGP Blackholing at IXPs

Large Distributed Denial-of-Service (DDoS) attacks pose a major threat not only to end systems but also to the Internet infrastructure as a whole. Remote Triggered Black Hole filtering (RTBH) has been established as a tool to mitigate inter-domain DDoS attacks by discarding unwanted traffic early in the network, e.g., at Internet eXchange Points (IXPs). As of today, little is known about the kind and effectiveness of its use, and about the need for more fine-grained filtering. In this paper, we present the first in-depth statistical analysis of all RTBH events at a large European IXP by correlating measurements of the data plane and the control plane over a period of 104 days. We identify a surprising practice that significantly deviates from the expected mitigation use patterns. First, we show that only one third of all 34k visible RTBH events correlate with indicators of DDoS attacks. Second, we witness over 2000 blackhole events announced for prefixes not of servers but of clients situated in DSL networks. Third, we find that blackholing on average causes only 50% of the unwanted traffic to be dropped and is hence a much less reliable tool for mitigating DDoS attacks than expected. Our analysis also gives rise to first estimates of the collateral damage caused by RTBH-based DDoS mitigation.
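The abstract describes a methodology of correlating control-plane RTBH announcements with data-plane traffic to judge whether a blackhole coincides with a DDoS indicator and how much of the traffic it actually removes. The following is an added example illustrating that kind of correlation; it is not code from the paper or its authors. All BGP updates and flow samples are constructed, the IXP's own blackhole communities are not known here so only the RFC 7999 well-known BLACKHOLE community (65535:666) is matched, and the "DDoS indicator" (share of pre-blackhole bytes from typical UDP amplification source ports) is an assumed heuristic, not the paper's indicator set.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# RFC 7999 well-known BLACKHOLE community. Assumption: the IXP-specific
# blackhole communities used in the paper are not reproduced here.
BLACKHOLE_COMMUNITY = "65535:666"

# Assumed heuristic "DDoS indicator": source ports of common UDP
# amplification services (DNS, NTP, SSDP, memcached).
AMPLIFICATION_PORTS = {53, 123, 1900, 11211}

Update = namedtuple("Update", "ts action prefix communities")
Flow = namedtuple("Flow", "ts dst_ip src_port bytes")

# Constructed control-plane records (timestamps in seconds; A=announce, W=withdraw).
BGP_UPDATES = [
    Update(100, "A", "192.0.2.0/24", ["64496:100"]),                      # no blackhole
    Update(200, "A", "198.51.100.7/32", ["64496:100", BLACKHOLE_COMMUNITY]),
    Update(260, "A", "203.0.113.0/24", [BLACKHOLE_COMMUNITY]),
    Update(500, "W", "198.51.100.7/32", []),                              # blackhole ends
]

# Constructed data-plane samples. Before ts=200, 198.51.100.7 receives mostly
# NTP-sourced bytes; after the blackhole only part of that volume disappears.
FLOW_SAMPLES = [
    Flow(150, "198.51.100.7", 123, 9000),
    Flow(160, "198.51.100.7", 123, 8000),
    Flow(170, "198.51.100.7", 443, 1000),
    Flow(180, "198.51.100.7", 123, 2000),
    Flow(210, "198.51.100.7", 123, 6000),   # still arriving despite the blackhole
    Flow(240, "198.51.100.7", 123, 4000),
    Flow(250, "203.0.113.9", 443, 500),     # ordinary client traffic, no attack sign
    Flow(300, "203.0.113.9", 443, 500),
    Flow(600, "198.51.100.7", 443, 1000),   # after the withdrawal
]

WINDOW = 60  # seconds compared before and after each announcement


def extract_rtbh_events(updates):
    """Pair each blackhole announcement with its later withdrawal, if any."""
    open_events, events = {}, []
    for u in sorted(updates, key=lambda u: u.ts):
        if u.action == "A" and BLACKHOLE_COMMUNITY in u.communities:
            open_events[u.prefix] = {"prefix": u.prefix, "start": u.ts, "end": None}
            events.append(open_events[u.prefix])
        elif u.action == "W" and u.prefix in open_events:
            open_events.pop(u.prefix)["end"] = u.ts
    return events


def bytes_towards(flows, prefix, t0, t1, ports=None):
    """Sum bytes of samples destined to `prefix` with t0 <= ts < t1,
    optionally restricted to a set of source ports."""
    net = ip_network(prefix)
    return sum(
        f.bytes for f in flows
        if t0 <= f.ts < t1 and ip_address(f.dst_ip) in net
        and (ports is None or f.src_port in ports)
    )


def analyse_event(flows, event, window=WINDOW):
    """Attach an attack indicator and an estimated drop fraction to one RTBH event."""
    start, prefix = event["start"], event["prefix"]
    before = bytes_towards(flows, prefix, start - window, start)
    during = bytes_towards(flows, prefix, start, start + window)
    ampl = bytes_towards(flows, prefix, start - window, start, AMPLIFICATION_PORTS)
    return {
        **event,
        "bytes_before": before,
        "bytes_during": during,
        # share of pre-blackhole bytes that came from amplification ports
        "amplification_share": ampl / before if before else 0.0,
        # fraction of the pre-blackhole volume that no longer arrives
        "drop_fraction": 1 - during / before if before else None,
    }


def analyse_all(updates=BGP_UPDATES, flows=FLOW_SAMPLES):
    """Run the correlation over every RTBH event found in the update stream."""
    return [analyse_event(flows, e) for e in extract_rtbh_events(updates)]


if __name__ == "__main__":
    for result in analyse_all():
        print(result)
```

On the constructed input the first event shows a strong amplification signature (95% of pre-blackhole bytes from NTP) yet only half of the volume disappears, which is the effect the abstract reports as the average; the second event has no attack indicator and no traffic change at all, the pattern the abstract counts among the two thirds of events without DDoS correlation. A real analysis would replace the fixed window with the event's full duration and the port heuristic with the measurement infrastructure's own indicators.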
