Stellar: network attack mitigation using advanced blackholing

Network attacks, including Distributed Denial-of-Service (DDoS) attacks, continue to grow in bandwidth and in the damage they cause (recent attacks exceed 1.7 Tbps) and have a devastating impact on the targeted companies and governments. Over the years, mitigation techniques ranging from blackholing to policy-based filtering at routers and on to traffic scrubbing have been added to the network operator's toolbox. Even though these mitigation techniques provide some protection, they either yield severe collateral damage, e.g., dropping legitimate traffic (blackholing), are cost-intensive or do not scale well for Tbps-level attacks (ACL filtering, traffic scrubbing), or require cooperation and sharing of resources (Flowspec). In this paper, we propose Advanced Blackholing and its system realization, Stellar. Advanced Blackholing builds upon the scalability of blackholing while limiting collateral damage by increasing its granularity. Moreover, Stellar reduces the required level of cooperation to enhance mitigation effectiveness. We show that fine-grained blackholing can be realized, e.g., at a major IXP, by combining available hardware filters with novel signaling mechanisms. We evaluate the scalability and performance of Stellar at a large IXP that interconnects more than 800 networks, exchanges more than 6 Tbps of traffic, and witnesses many network attacks every day. Our results show that network attacks, e.g., DDoS amplification attacks, can be successfully mitigated while the networks and services under attack continue to operate untroubled.
