SDN-enabled Traffic Engineering and Advanced Blackholing at IXPs

Dietzel, Christoph; Antichi, Gianni; Castro, Ignacio; Fernandes, Eder Leão; Chiesa, Marco; Kopp, Daniel

doi:10.1145/3050220.3060601

Cited by 10 publications

(14 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Thus, potential customers may shy away from providers with IP address space that is too frequently blackholed. Indeed, ongoing work investigates ne-grained blackholing, where additional restrictions, such as a given port number, are imposed [14,24]. Thus, our tools and analysis of blackholing activity can be used to enhance existing reputation systems, e.g., IP reputation based on previous malicious activity.…”

Section: Discussionmentioning

confidence: 99%

Inferring BGP blackholing activity in the internet

Giotsas

Smaragdakis

Dietzel³

et al. 2017

Proceedings of the 2017 Internet Measurement Conference

Self Cite

View full text Add to dashboard Cite

The Border Gateway Protocol (BGP) has been used for decades as the de facto protocol to exchange reachability information among networks in the Internet. However, little is known about how this protocol is used to restrict reachability to selected destinations, e.g., that are under attack. While such a feature, BGP blackholing, has been available for some time, we lack a systematic study of its Internet-wide adoption, practices, and network ecacy, as well as the prole of blackholed destinations. In this paper, we develop and evaluate a methodology to automatically detect BGP blackholing activity in the wild. We apply our method to both public and private BGP datasets. We nd that hundreds of networks, including large transit providers, as well as about 50 Internet exchange points (IXPs) oer blackholing service to their customers, peers, and members. Between 2014-2017, the number of blackholed prexes increased by a factor of 6, peaking at 5K concurrently blackholed prexes by up to 400 Autonomous Systems. We assess the eect of blackholing on the data plane using both targeted active measurements as well as passive datasets, nding that blackholing is indeed highly eective in dropping trac before it reaches its destination, though it also discards legitimate trac. We augment our ndings with an analysis of the target IP addresses of blackholing. Our tools and insights are relevant for operators considering oering or using BGP blackholing services as well as for researchers studying DDoS mitigation in the Internet.

show abstract

Section: Discussionmentioning

confidence: 99%

Inferring BGP blackholing activity in the internet

Giotsas

Smaragdakis

Dietzel³

et al. 2017

Proceedings of the 2017 Internet Measurement Conference

Self Cite

View full text Add to dashboard Cite

show abstract

“…Cooperative‐based defense techniques deployed in the control plane can also work jointly with other internal systems and export to or import information from them ( controller‐system ) 90,112,125,135 . Aleroud et al 71 .…”

Section: Solutions Focused On the Control Planementioning

confidence: 99%

A systematic review on distributed denial of service attack defense mechanisms in programmable networks

Dalmazo¹,

Marques

Costa

et al. 2021

Int J Network Mgmt

View full text Add to dashboard Cite

Summary Design flaws and vulnerabilities inherent to network protocols, devices, and services make Distributed Denial of Service (DDoS) a persisting threat in the cyberspace, despite decades of research efforts in the area. The historical vertical integration of traditional IP networks limited the solution space, forcing researchers to tweak network protocols while maintaining global compatibility and proper service to legitimate flows. The advent of Software‐Defined Networking (SDN) and advances in Programmable Data Planes (PDP) changed the state of affairs and brought novel possibilities to deal with such attacks. In summary, the ability of bringing together network intelligence to a control plane, and offloading flow processing tasks to the forwarding plane, opened up interesting opportunities for network security researchers unlike ever. In this article, we dive into recent research that relies on SDN and PDP to detect, mitigate, and prevent DDoS attacks. Our literature review takes into account the SDN layered view as defined in RFC7426 and focuses on the data, control, and application planes. We follow a systematic methodology to capture related articles and organize them into a taxonomy of DDoS defense mechanisms focusing on three facets: activity level, deployment location, and cooperation degree. From the analysis of existing work, we also highlight key research gaps that may foster future research in the field.

show abstract

“…The introduction of SDN at IXPs (SDXs) [43] and a number of refinements and extensions [9,21,42] aim to offer operators more fine-grained control over their routing policies. They also simplify more complex usage scenarios, e.g., improved traffic engineering or advanced DDoS mitigation [27] and allow the use of economic aspects in the policy configuration at IXPs [41]. These proposals can work together with Dynam-IX and enable network operators to optimize route configuration after the establishment of the interconnection agreement.…”

Section: Related Workmentioning

confidence: 99%

Dynam-IX

Marcos

Chiesa

Müller

et al. 2018

Proceedings of the 14th International Conference on Emerging Networking EXperiments and Technologies

Self Cite

View full text Add to dashboard Cite

Autonomous Systems (ASes) can reach hundreds of networks via Internet eXchange Points (IXPs), allowing improvements in traffic delivery performance and competitiveness. Despite the benefits, any pair of ASes needs first to agree on exchanging traffic. By surveying 100+ network operators, we discovered that most interconnection agreements are established through ad-hoc and lengthy processes heavily influenced by personal relationships and brand image. As such, ASes prefer long-term agreements at the expense of a potential mismatch between actual delivery performance and current traffic dynamics. ASes also miss interconnection opportunities due to trust reasons. To improve wide-area traffic delivery performance, we propose Dynam-IX, a framework that allows operators to build trust cooperatively and implement traffic engineering policies to exploit the rich interconnection opportunities at IXPs quickly. Dynam-IX offers a protocol to automate the interconnection process, an intent abstraction to express interconnection policies, a legal framework to digitally handle contracts, and a distributed tamper-proof ledger to create trust among ASes. We build and evaluate a Dynam-IX prototype and show that an AS can establish tens of agreements per minute with negligible overhead for ASes and IXPs.

show abstract

SDN-enabled Traffic Engineering and Advanced Blackholing at IXPs

Cited by 10 publications

References 5 publications

Inferring BGP blackholing activity in the internet

Inferring BGP blackholing activity in the internet

A systematic review on distributed denial of service attack defense mechanisms in programmable networks

Dynam-IX

Contact Info

Product

Resources

About