TRAFFIC REDIRECTION WITH DISTRIBUTED DENIAL OF SERVICE SEGMENT IDENTIFIERS

Barton et al., Technical Disclosure Commons, 2018

Distributed Denial of Service (DDoS) attack information is made available to a network Path Computation Element (PCE). The PCE directs the edge routers to impose a network-function Segment Identifier (SID), referred to herein as a DDoS SID, on traffic that potentially belongs to the attack. Segment Routing (SR) routers act on the DDoS SID by directing the suspicious traffic to nearby or specially optimized DDoS scrubbing engines so that it can be cleaned. All other traffic flows proceed unchanged through the network.

DETAILED DESCRIPTION

Distributed Denial of Service (DDoS) attacks are difficult to mitigate with traditional methods (e.g., Border Gateway Protocol (BGP) black holing, Access Control Lists (ACLs), rate limiters). These methods tend to discard legitimate traffic together with the offending DDoS traffic; a BGP black hole, for example, drops every packet destined for the victim prefix. New high-performance in-line traffic scrubbers attempt to filter more precisely, removing the offending traffic while forwarding the legitimate traffic. However, they still require that all traffic destined for the potential DDoS victim be redirected to the scrubber. With the emergence of new routing architectures, in particular Segment Routing, network automation and Network Functions Virtualization (NFV) capabilities can greatly improve the efficiency of redirection by making it possible to quickly identify and remove only the offending DDoS flows.

In one example, a DDoS detection system (on-premise or otherwise, e.g., a firewall or a NetFlow analyzer) detects that a DDoS attack is occurring. The attack is reported to a cloud-based central DDoS prevention controller, which then communicates the details of the attack to the SR Path Computation Element (PCE).
This may be accomplished through the normal SR PCE communication models, such as the Path Computation Element Communication Protocol (PCEP). From the reported flow information the PCE gains insight into the attack vector (e.g., destination IP address, destination port), along with flow and application-layer details. The PCE then forwards an identifier for the suspicious traffic to the SR edge routers and instructs them to impose a DDoS SID on matching packets. The DDoS SID is carried in the packet header as part of the overall SID label stack, so that as the packet crosses the network, transit routers observe it as "DDoS suspicious". The DDoS SID is not a simple packet-forwarding label. Instead, it represents a network function, in this case DDoS scrubbing. When an SR router receives a packet with the DDoS SID in the label stack, it performs a lookup in its binding SID table for the instructions associated with that SID. The binding SID table is the set of instructions for network-function SIDs that is part of the SR process in every router. Here the table instructs the router to forward "DDoS suspicious" traffic for further investigation and cleaning, normally to the closest scrubber. Every router that may receive the packet with the DDoS SID at the top of the stack needs such an entry, since a router with no entry would treat the SID as an unknown label.

The intention is to identify the offending traffic streams at the entry points of the network and then use SR Traffic Engineering to steer only those flows to a nearby or optimized traffic scrubber for deeper analysis, where the offending traffic is removed and the good traffic is kept. There may be multiple scrubbers in different locations. Because DDoS traffic typically originates from many source addresses and therefore enters the network at many points, flagging it with the DDoS SID at the entry points and redirecting it to the closest scrubber spreads the attack load across the scrubbers.
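As an added illustration that is not part of the disclosure, the following Python simulation models the pieces described above: the PCE records the attack vector reported by the controller, the edge router imposes the DDoS SID on matching flows, the router holding the packet resolves the DDoS SID through its binding table to the nearest scrubber, and the scrubber drops attack packets while clean packets continue along the original SR-TE path. The DDoS SID label value (16999), the node SIDs, the topology and hop counts, the victim address and the sample flows are all assumed. The DDoS SID is placed at the top of the stack, so the edge router itself performs the binding lookup; a router deeper in the path would do the same if the SID sat deeper in the stack.

```python
"""Added example (not from the disclosure): a simulation of DDoS SID steering in an SR domain.

Assumed for illustration: the DDoS SID label value, the node SIDs, the topology and
hop counts, the attack vector and the sample flows.
"""
from dataclasses import dataclass, field

DDOS_SID = 16999  # assumed label value for the network-function SID "DDoS suspicious"

# Assumed node (prefix) SIDs for edge routers, a transit router and two scrubbers.
NODE_SID = {"PE1": 16001, "PE2": 16002, "PE3": 16003, "P1": 16010,
            "SCRUB_A": 16011, "SCRUB_B": 16012}
SID_NODE = {sid: node for node, sid in NODE_SID.items()}
SCRUBBERS = {"SCRUB_A", "SCRUB_B"}

# Assumed IGP hop counts from each entry point to each scrubber, as known to the PCE.
HOPS = {("PE1", "SCRUB_A"): 1, ("PE1", "SCRUB_B"): 4,
        ("PE3", "SCRUB_A"): 4, ("PE3", "SCRUB_B"): 1}


@dataclass(frozen=True)
class AttackVector:
    """Attack descriptor the PCE receives from the DDoS prevention controller."""
    dst_ip: str
    dst_port: int


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    labels: list = field(default_factory=list)  # SR label stack; index 0 is the top
    path: list = field(default_factory=list)    # nodes visited, recorded for the demo


class PCE:
    """Tracks reported attack vectors and derives each router's binding-table entry."""

    def __init__(self):
        self.attacks = set()

    def report_attack(self, vector):
        self.attacks.add(vector)

    def is_suspicious(self, pkt):
        # Match on the attack vector (destination IP and port) only: the edge cannot
        # tell attack packets from clean ones, so both get flagged for scrubbing.
        return AttackVector(pkt.dst_ip, pkt.dst_port) in self.attacks

    def binding_entry(self, router):
        """Instruction for DDOS_SID on `router`: the node SID of its nearest scrubber."""
        nearest = min(SCRUBBERS, key=lambda s: HOPS[(router, s)])
        return NODE_SID[nearest]


def ingress_impose(pce, edge, pkt, te_stack):
    """Edge router: push the normal SR-TE stack, then the DDoS SID on top if the flow matches."""
    pkt.path.append(edge)
    pkt.labels = list(te_stack)
    if pce.is_suspicious(pkt):
        pkt.labels.insert(0, DDOS_SID)
    return pkt


def forward(pce, pkt, known_bad_sources):
    """Walk the packet through the domain until the stack is exhausted or a scrubber drops it.

    known_bad_sources stands in for the scrubber's own detection logic (constructed).
    Returns "delivered" or "dropped".
    """
    while pkt.labels:
        sid = pkt.labels.pop(0)
        if sid == DDOS_SID:
            # Function SID, not a forwarding label: the router currently holding the
            # packet consults its binding table and pushes its nearest scrubber's SID.
            here = pkt.path[-1]
            pkt.labels.insert(0, pce.binding_entry(here))
            continue
        node = SID_NODE[sid]
        pkt.path.append(node)
        if node in SCRUBBERS and pkt.src_ip in known_bad_sources:
            return "dropped"
        # Clean traffic leaves the scrubber with the rest of the stack untouched,
        # so it continues along the original SR-TE path.
    return "delivered"


def demo():
    """Constructed flows: attack traffic from two entry points, a clean flow to the
    victim, and an unrelated flow. Returns {flow name: "verdict via path"}."""
    pce = PCE()
    pce.report_attack(AttackVector("203.0.113.10", 443))  # victim reported by the controller
    known_bad = {"198.51.100.7", "198.51.100.9"}          # sources the scrubber would flag
    te_stack = [NODE_SID["P1"], NODE_SID["PE2"]]          # normal path toward the victim
    flows = {
        "attack_via_PE1": ("PE1", Packet("198.51.100.7", "203.0.113.10", 443)),
        "attack_via_PE3": ("PE3", Packet("198.51.100.9", "203.0.113.10", 443)),
        "clean_to_victim": ("PE1", Packet("192.0.2.5", "203.0.113.10", 443)),
        "unrelated_flow": ("PE1", Packet("192.0.2.6", "203.0.113.20", 80)),
    }
    results = {}
    for name, (edge, pkt) in flows.items():
        ingress_impose(pce, edge, pkt, te_stack)
        verdict = forward(pce, pkt, known_bad)
        results[name] = f"{verdict} via {'>'.join(pkt.path)}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} {outcome}")
```

Running `demo()` shows the two attack flows entering at PE1 and PE3 being steered to SCRUB_A and SCRUB_B respectively (the nearest scrubber to each entry point) and dropped there, the clean flow to the victim passing through SCRUB_A and continuing to PE2 with its original stack, and the unrelated flow never touching a scrubber.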
Redirection may also occur before the suspicious traffic reaches the attacked segment, limiting how far the attack traffic propagates into the network. The combination of PCE traffic engineering and SR binding SIDs on the routers provides the DDoS SID function. At the entry point of the network it is not possible to determine with certainty whether a particular flow is part of the DDoS attack, because the attack traffic is mixed with clean traffic. Using SR, however, a packet can initially be labeled as DDoS suspicious, meaning that it requires further investigation by an in-line traffic scrubber, and the associated instructions can be distributed to the SR routers throughout the network. Figure 1 below illustrates an example overview diagram.

Defensive Publications Series, Art. 1200 [2018], https://www.tdcommons.org/dpubs_series/1200