On the Feasibility of Rerouting-Based DDoS Defenses

Abstract: Large botnet-based flooding attacks have recently demonstrated unprecedented damage. However, the best-known end-to-end availability guarantees against flooding attacks require costly global-scale coordination among autonomous systems (ASes). A recent proposal called routing around congestion (or RAC) attempts to offer strong end-to-end availability to a selected critical flow by dynamically rerouting it to an uncongested detour path without requiring any inter-AS coordination.This paper presents an in-depth a… Show more

“…Our findings on the feasibility of steering return paths impact all security systems mentioned in Section II-C, including Nyx, LIFEGUARD, RAD, Waterfall of Liberty, and Feasible Nyx [52], [23], [50], [36], [60]. Notably, the claims made by systems that leverage BGP poisoning are more in line, but not an exact match, with the behavior of the live Internet.…”

“…Despite their success in simulation and limited sample sizes in practice, these systems assumptions need expansion and further validation at a wider scale to be used effectively for network defense. Tran et al's [60] feasibility study of Nyx raises issues with poisoning needed to steer traffic, but fails to evaluate their assumptions via realworld active measurements. Instead, they rely on passive measurement and simulation.…”

“…Unfortunately, such data is highly sensitive and considered an industry trade secret for an ISP. Our approximation via the link round trip times is our best estimate to link viability, with more realworld applicability than the PeeringDB estimated bandwidth model approach used in simulation by work from Smith and Schuchard, as well as Tran and Kang [52], [60], [51].…”

“…We explore how many ASes propagate poisoned routes, how long of poisoned paths can be propagated, and additionally conduct a rigorous graph-theoretical analysis of the specific ASes by size inferred to be filtering long poisoned paths. We also attempt to reproduce recent work by Tran & Kang et al [60] who used a dataset gathered through passive measurement (as opposed to active BGP measurements). In this analysis, we yet again demonstrate that simulation or passive measurement is not enough to empirically determine the behavior of the Internet.…”

“…added additional security guarantees to Waterfall [7]. In the world of DDoS, Tran & Kang et al presented an adaptive Crossfire/Link-Flooding Attack (LFA) [60] that challenged Nyx, which we term Feasible Nyx, yet their approach is only measured in simulation, supported by passive observations gathered by a single major network. Additionally, Tran's claims about how ASes filter poisoned paths are supported by passive, not active, measurements.…”

Withdrawing the BGP Re-Routing Curtain: Understanding the Security Impact of BGP Poisoning through Real-World Measurements

“…Our findings on the feasibility of steering return paths impact all security systems mentioned in Section II-C, including Nyx, LIFEGUARD, RAD, Waterfall of Liberty, and Feasible Nyx [52], [23], [50], [36], [60]. Notably, the claims made by systems that leverage BGP poisoning are more in line, but not an exact match, with the behavior of the live Internet.…”

“…Despite their success in simulation and limited sample sizes in practice, these systems assumptions need expansion and further validation at a wider scale to be used effectively for network defense. Tran et al's [60] feasibility study of Nyx raises issues with poisoning needed to steer traffic, but fails to evaluate their assumptions via realworld active measurements. Instead, they rely on passive measurement and simulation.…”

“…Unfortunately, such data is highly sensitive and considered an industry trade secret for an ISP. Our approximation via the link round trip times is our best estimate to link viability, with more realworld applicability than the PeeringDB estimated bandwidth model approach used in simulation by work from Smith and Schuchard, as well as Tran and Kang [52], [60], [51].…”

“…We explore how many ASes propagate poisoned routes, how long of poisoned paths can be propagated, and additionally conduct a rigorous graph-theoretical analysis of the specific ASes by size inferred to be filtering long poisoned paths. We also attempt to reproduce recent work by Tran & Kang et al [60] who used a dataset gathered through passive measurement (as opposed to active BGP measurements). In this analysis, we yet again demonstrate that simulation or passive measurement is not enough to empirically determine the behavior of the Internet.…”

“…added additional security guarantees to Waterfall [7]. In the world of DDoS, Tran & Kang et al presented an adaptive Crossfire/Link-Flooding Attack (LFA) [60] that challenged Nyx, which we term Feasible Nyx, yet their approach is only measured in simulation, supported by passive observations gathered by a single major network. Additionally, Tran's claims about how ASes filter poisoned paths are supported by passive, not active, measurements.…”

Withdrawing the BGP Re-Routing Curtain: Understanding the Security Impact of BGP Poisoning through Real-World Measurements

The Maestro Attack: Orchestrating Malicious Flows with BGP

Netter: Probabilistic, Stateful Network Models