Routing Around Congestion: Defeating DDoS Attacks and Adverse Network Conditions via Reactive BGP Routing

In this paper, we present Nyx, the first system to both effectively mitigate modern Distributed Denial of Service (DDoS) attacks regardless of the amount of traffic under adversarial control and function without outside cooperation or an Internet redesign. Nyx approaches the problem of DDoS mitigation as a routing problem rather than a filtering problem. This conceptual shift allows Nyx to avoid many of the common shortcomings of existing academic and commercial DDoS mitigation systems. By leveraging how Autonomous Systems (ASes) handle route advertisement in the existing Border Gateway Protocol (BGP), Nyx allows the deploying AS to move traffic from a critical upstream AS off attacked links and onto alternative, uncongested paths. This isolation removes the need for filtering or de-prioritizing attack traffic. Nyx controls outbound paths through normal BGP path selection, while return paths from critical ASes are controlled through techniques we developed from existing traffic engineering principles; these techniques require no outside coordination. Using our own realistic Internet-scale simulator, we find that in more than 98% of cases our system can successfully route critical traffic around network segments under transit-link DDoS attacks, a new form of DDoS attack in which the attack traffic never reaches the victim AS, thus invalidating defensive filtering, throttling, or prioritization strategies. More significantly, in over 95% of those cases, the alternate path provides complete congestion relief from transit-link DDoS. Nyx additionally provides complete congestion relief in over 75% of cases when the deployer is being directly attacked.
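To make the routing-not-filtering idea concrete, here is a small AS-level BGP model written for this page; it is an added example, not code from the Nyx paper or its simulator. It assumes a constructed seven-AS topology using documentation-range AS numbers (RFC 5398), a simplified BGP decision process (local preference by neighbor relationship, then shortest AS path, then lowest next-hop ASN) and valley-free export. The abstract does not describe the traffic-engineering mechanism Nyx uses to steer return paths, so the example simply excludes the congested transit link from the model and recomputes: the point it shows is how ordinary path selection then delivers the critical AS's traffic over an alternative, uncongested path.

```python
"""Toy AS-level BGP model: best-path selection and valley-free export,
then routing a critical AS's traffic around a congested transit link.
Constructed illustration; topology, ASNs and decision rules are assumptions."""

# Relationship of a neighbor as seen from the AS holding the table entry.
CUSTOMER, PEER, PROVIDER = "customer", "peer", "provider"
LOCAL_PREF = {CUSTOMER: 300, PEER: 200, PROVIDER: 100}

# Constructed topology (RFC 5398 documentation ASNs):
# D = deployer/victim, C = critical upstream AS, P1/P2 = D's providers,
# T1/T2 = transit ASes that peer with each other, X = C's provider.
D, P1, P2, T1, T2, X, C = 64496, 64497, 64498, 64499, 64500, 64501, 64502
PROVIDER_OF = [(P1, D), (P2, D), (T1, P1), (T2, P2), (T1, X), (T2, X), (X, C)]
PEERS = [(T1, T2)]


def build_neighbors(provider_of, peers, down_links=()):
    """Return {asn: {neighbor: relationship}} with congested links left out."""
    down = {frozenset(link) for link in down_links}
    nbrs = {}

    def add(a, b, rel_ab, rel_ba):
        if frozenset((a, b)) in down:
            return
        nbrs.setdefault(a, {})[b] = rel_ab
        nbrs.setdefault(b, {})[a] = rel_ba

    for prov, cust in provider_of:
        add(prov, cust, CUSTOMER, PROVIDER)
    for a, b in peers:
        add(a, b, PEER, PEER)
    return nbrs


def better(new, old):
    """Simplified BGP decision: higher local-pref, then shorter AS path,
    then lowest next-hop ASN as a deterministic tie-break."""
    if old is None:
        return True

    def key(route):
        rel, path = route
        return (LOCAL_PREF[rel], -len(path), -path[1])

    return key(new) > key(old)


def compute_routes(nbrs, origin):
    """Propagate origin's prefix to a fixed point; return best AS path per AS.
    Export rule (valley-free): a route learned from a customer is announced to
    everyone, a route learned from a peer or provider only to customers."""
    best = {origin: (CUSTOMER, (origin,))}   # origin's own route, exported to all
    while True:
        new = {origin: best[origin]}
        for asn in nbrs:
            if asn == origin:
                continue
            choice = None
            for nbr, rel in nbrs[asn].items():   # rel: nbr's role from asn's view
                if nbr not in best:
                    continue
                learned_from, path = best[nbr]
                if learned_from != CUSTOMER and nbrs[nbr][asn] != CUSTOMER:
                    continue                      # nbr would not export to asn
                if asn in path:
                    continue                      # AS-path loop prevention
                cand = (rel, (asn,) + path)
                if better(cand, choice):
                    choice = cand
            if choice is not None:
                new[asn] = choice
        if new == best:
            return {asn: path for asn, (_, path) in best.items()}
        best = new


def path_uses_link(path, link):
    """True if two consecutive ASes on the path are the endpoints of link."""
    a, b = link
    return any({x, y} == {a, b} for x, y in zip(path, path[1:]))


def route_around(attacked_links, critical=C, deployer=D):
    """Return (path before, path after) from the critical AS to the deployer,
    where 'after' excludes the congested links from the model."""
    before = compute_routes(build_neighbors(PROVIDER_OF, PEERS), deployer)[critical]
    after = compute_routes(
        build_neighbors(PROVIDER_OF, PEERS, attacked_links), deployer)[critical]
    return before, after


if __name__ == "__main__":
    congested = (T1, P1)                          # transit link under attack
    before, after = route_around([congested])
    print("return path before:", before, "uses attacked link:", path_uses_link(before, congested))
    print("return path after: ", after, "uses attacked link:", path_uses_link(after, congested))
```

In the constructed topology the critical AS's return path initially crosses T1-P1; once that link is treated as unavailable, the same decision process settles on the path through T2 and P2, which shares no link with the attacked segment. A real deployment would have to induce that change from the deployer's side alone, which is exactly the capability the abstract claims for Nyx and the part this toy does not model.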
