Routing Around Congestion: Defeating DDoS Attacks and Adverse Network Conditions via Reactive BGP Routing

Abstract: In this paper, we present Nyx, the first system to both effectively mitigate modern Distributed Denial of Service (DDoS) attacks regardless of the amount of traffic under adversarial control and function without outside cooperation or an Internet redesign. Nyx approaches the problem of DDoS mitigation as a routing problem rather than a filtering problem. This conceptual shift allows Nyx to avoid many of the common shortcomings of existing academic and commercial DDoS mitigation systems. By leveraging how Auton… Show more

“…In detail, AS-level operators may use BGP poisoning to prevent one or more ASes from installing, utilizing, and propagating a particular path [52], [23], [1]. The AS utilizing the technique (poisoning AS) determines a set of ASes they want inbound traffic to route around (poisoned ASes).…”

“…In particular, Smith et al uses BGP poisoning to provide DDoS resistance with Nyx [52] and Katz-Bassett et al uses poisoning for link failure avoidance with LIFEGUARD [23]. Nyx uses poisoning to alter the return paths of remote ASes to a poisoning AS, in an attempt to route the remote ASes' traffic around Link Flooding DDoS Attacks.…”

“…In partial deployments of BGPSec, routers will simply prefer routes that conform to BGPSec validation over routes which do not, rather than strictly dropping non-conforming routes. As a result, systems which use poisoning as a primitive, such as Nyx [52], may continue to operate so long as a strict full global deployment of BGPSec is not realized.…”

“…al. presented Nyx, a DDoS defense system that leveraged the ability to manipulate inbound traffic paths with BGP for a security purpose: to route around attacked links on the Internet [52]. Nyx relies on altering paths on the Internet to circumvent links affected by DDoS, and is evaluated on the entire Internet via simulation.…”

Withdrawing the BGP Re-Routing Curtain: Understanding the Security Impact of BGP Poisoning through Real-World Measurements

“…In detail, AS-level operators may use BGP poisoning to prevent one or more ASes from installing, utilizing, and propagating a particular path [52], [23], [1]. The AS utilizing the technique (poisoning AS) determines a set of ASes they want inbound traffic to route around (poisoned ASes).…”

“…In particular, Smith et al uses BGP poisoning to provide DDoS resistance with Nyx [52] and Katz-Bassett et al uses poisoning for link failure avoidance with LIFEGUARD [23]. Nyx uses poisoning to alter the return paths of remote ASes to a poisoning AS, in an attempt to route the remote ASes' traffic around Link Flooding DDoS Attacks.…”

“…In partial deployments of BGPSec, routers will simply prefer routes that conform to BGPSec validation over routes which do not, rather than strictly dropping non-conforming routes. As a result, systems which use poisoning as a primitive, such as Nyx [52], may continue to operate so long as a strict full global deployment of BGPSec is not realized.…”

“…al. presented Nyx, a DDoS defense system that leveraged the ability to manipulate inbound traffic paths with BGP for a security purpose: to route around attacked links on the Internet [52]. Nyx relies on altering paths on the Internet to circumvent links affected by DDoS, and is evaluated on the entire Internet via simulation.…”

Withdrawing the BGP Re-Routing Curtain: Understanding the Security Impact of BGP Poisoning through Real-World Measurements

“…Although heavyweight (and proven to be effective compared with Braga et al [41]), their comparison against SPIFFY lacks the quantitative evidence required to understand how the system compares. Smith and Schuchard [42] use AS-level routing to tackle both transit-link and flooding-based attacks. This view is taken due to the perceived cost of per-stream classification and inherent sensitivity to adversarial examples.…”

Per-Host DDoS Mitigation by Direct-Control Reinforcement Learning

AI Methods for Neutralizing Cyber Threats at Unmanned Vehicular Ecosystem of Smart City