Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event

Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event. Moura, G. C. M., de O. Schmidt, R., Heidemann, J., de Vries , W. B., Müller, M., Wei, L., & Hesselman, C. In Proceedings of the ACM Internet Measurement Conference, November, 2016.

Paper doi abstract bibtex

Distributed Denial-of-Service (DDoS) attacks continue to be a major threat on the Internet today. DDoS attacks overwhelm target services with requests or other traffic, causing requests from legitimate users to be shut out. A common defense against DDoS is to replicate a service in multiple physical locations/sites. If all sites announce a common prefix, BGP will associate users around the Internet with a nearby site, defining the \emphcatchment of that site. Anycast defends against DDoS both by increasing aggregate capacity across many sites, and allowing each site's catchment to contain attack traffic, leaving other sites unaffected. IP anycast is widely used by commercial CDNs and for essential infrastructure such as DNS, but there is little evaluation of anycast under stress. This paper provides the \emphfirst evaluation of several IP anycast services under stress with public data. Our subject is the Internet's Root Domain Name Service, made up of 13 independently designed services (``letters'', 11 with IP anycast) running at more than 500 sites. Many of these services were stressed by sustained traffic at $100×$ normal load on Nov. 30 and Dec. 1, 2015. We use public data for most of our analysis to examine how different services respond to stress, and identify two policies: sites may \emphabsorb attack traffic, containing the damage but reducing service to some users, or they may \emphwithdraw routes to shift both good and bad traffic to other sites. We study how these deployment policies resulted in different levels of service to different users during the events. We also show evidence of \emphcollateral damage on other services located near the attacks.

@InProceedings{Moura16b,
	author = 	{Giovane C. M. Moura and Ricardo de O. Schmidt
                  and John Heidemann and Wouter B. {de Vries} and
                  Moritz M{\"u}ller and Lan Wei and Christian Hesselman},
	title = 	"Anycast vs.~{DDoS}: Evaluating the {November}
                  2015 Root {DNS} Event",
	booktitle = 	"Proceedings of the " # "ACM Internet Measurement Conference",
	year = 		2016,
	sortdate = "2016-11-15",
	project = "ant, lacrend, lander, retrofuture, researchroot, pinest, nipet",
	jsubject = "network_security",
	month = 	nov,
	jlocation = 	"johnh: pafile",
	keywords = 	"anycast, dns, design, ddos",
	url =		"https://ant.isi.edu/%7ejohnh/PAPERS/Moura16b.html",
	pdfurl =	"https://ant.isi.edu/%7ejohnh/PAPERS/Moura16b.pdf",
	doi = 	"http://dx.doi.org/10.1145/2987443.2987446",
	myorganization =	"USC/Information Sciences Institute",
	copyrightholder = "authors",
	abstract = "
Distributed Denial-of-Service (DDoS) attacks continue to be a major
threat on the Internet today.  DDoS attacks overwhelm target services
with requests or other traffic, causing requests from legitimate users
to be shut out.  A common defense against DDoS is to replicate a
service in multiple physical locations/sites.  If all sites announce a
common prefix, BGP will associate users around the Internet with a
nearby site, defining the \emph{catchment} of that site.  Anycast
defends against DDoS both by increasing aggregate capacity across many
sites, and allowing each site's catchment to contain attack traffic,
leaving other sites unaffected.  IP anycast is widely used by
commercial CDNs and for essential infrastructure such as DNS, but
there is little evaluation of anycast under stress.  This paper
provides the \emph{first evaluation of several IP anycast services
  under stress with public data}.  Our subject is the Internet's Root
Domain Name Service, made up of 13 independently designed services
(``letters'', 11 with IP anycast) running at more than 500 sites.
Many of these services were stressed by sustained traffic at
$100\times$ normal load on Nov.~30 and Dec.~1, 2015.  We use public
data for most of our analysis to examine how different services
respond to stress, and identify two policies: sites may \emph{absorb}
attack traffic, containing the damage but reducing service to some
users, or they may \emph{withdraw} routes to shift both good and bad
traffic to other sites.  We study how these deployment policies
resulted in different levels of service to different users during the
events.  We also show evidence of \emph{collateral damage} on other
services located near the attacks.",
}

Downloads: 0

{"_id":"sz3HtyzsMXSYTTsKQ","bibbaseid":"moura-deoschmidt-heidemann-devries-mller-wei-hesselman-anycastvsddosevaluatingthenovember2015rootdnsevent-2016","author_short":["Moura, G. C. M.","de O. Schmidt, R.","Heidemann, J.","de Vries , W. B.","Müller, M.","Wei, L.","Hesselman, C."],"bibdata":{"bibtype":"inproceedings","type":"inproceedings","author":[{"firstnames":["Giovane","C.","M."],"propositions":[],"lastnames":["Moura"],"suffixes":[]},{"firstnames":["Ricardo"],"propositions":["de"],"lastnames":["O.","Schmidt"],"suffixes":[]},{"firstnames":["John"],"propositions":[],"lastnames":["Heidemann"],"suffixes":[]},{"firstnames":["Wouter","B."],"propositions":["de Vries"],"lastnames":[],"suffixes":[]},{"firstnames":["Moritz"],"propositions":[],"lastnames":["Müller"],"suffixes":[]},{"firstnames":["Lan"],"propositions":[],"lastnames":["Wei"],"suffixes":[]},{"firstnames":["Christian"],"propositions":[],"lastnames":["Hesselman"],"suffixes":[]}],"title":"Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event","booktitle":"Proceedings of the ACM Internet Measurement Conference","year":"2016","sortdate":"2016-11-15","project":"ant, lacrend, lander, retrofuture, researchroot, pinest, nipet","jsubject":"network_security","month":"November","jlocation":"johnh: pafile","keywords":"anycast, dns, design, ddos","url":"https://ant.isi.edu/%7ejohnh/PAPERS/Moura16b.html","pdfurl":"https://ant.isi.edu/%7ejohnh/PAPERS/Moura16b.pdf","doi":"http://dx.doi.org/10.1145/2987443.2987446","myorganization":"USC/Information Sciences Institute","copyrightholder":"authors","abstract":"Distributed Denial-of-Service (DDoS) attacks continue to be a major threat on the Internet today. DDoS attacks overwhelm target services with requests or other traffic, causing requests from legitimate users to be shut out. A common defense against DDoS is to replicate a service in multiple physical locations/sites. If all sites announce a common prefix, BGP will associate users around the Internet with a nearby site, defining the \\emphcatchment of that site. Anycast defends against DDoS both by increasing aggregate capacity across many sites, and allowing each site's catchment to contain attack traffic, leaving other sites unaffected. IP anycast is widely used by commercial CDNs and for essential infrastructure such as DNS, but there is little evaluation of anycast under stress. This paper provides the \\emphfirst evaluation of several IP anycast services under stress with public data. Our subject is the Internet's Root Domain Name Service, made up of 13 independently designed services (``letters'', 11 with IP anycast) running at more than 500 sites. Many of these services were stressed by sustained traffic at $100×$ normal load on Nov. 30 and Dec. 1, 2015. We use public data for most of our analysis to examine how different services respond to stress, and identify two policies: sites may \\emphabsorb attack traffic, containing the damage but reducing service to some users, or they may \\emphwithdraw routes to shift both good and bad traffic to other sites. We study how these deployment policies resulted in different levels of service to different users during the events. We also show evidence of \\emphcollateral damage on other services located near the attacks.","bibtex":"@InProceedings{Moura16b,\n\tauthor = \t{Giovane C. M. Moura and Ricardo de O. Schmidt\n and John Heidemann and Wouter B. {de Vries} and\n Moritz M{\\\"u}ller and Lan Wei and Christian Hesselman},\n\ttitle = \t\"Anycast vs.~{DDoS}: Evaluating the {November}\n 2015 Root {DNS} Event\",\n\tbooktitle = \t\"Proceedings of the \" # \"ACM Internet Measurement Conference\",\n\tyear = \t\t2016,\n\tsortdate = \"2016-11-15\",\n\tproject = \"ant, lacrend, lander, retrofuture, researchroot, pinest, nipet\",\n\tjsubject = \"network_security\",\n\tmonth = \tnov,\n\tjlocation = \t\"johnh: pafile\",\n\tkeywords = \t\"anycast, dns, design, ddos\",\n\turl =\t\t\"https://ant.isi.edu/%7ejohnh/PAPERS/Moura16b.html\",\n\tpdfurl =\t\"https://ant.isi.edu/%7ejohnh/PAPERS/Moura16b.pdf\",\n\tdoi = \t\"http://dx.doi.org/10.1145/2987443.2987446\",\n\tmyorganization =\t\"USC/Information Sciences Institute\",\n\tcopyrightholder = \"authors\",\n\tabstract = \"\nDistributed Denial-of-Service (DDoS) attacks continue to be a major\nthreat on the Internet today. DDoS attacks overwhelm target services\nwith requests or other traffic, causing requests from legitimate users\nto be shut out. A common defense against DDoS is to replicate a\nservice in multiple physical locations/sites. If all sites announce a\ncommon prefix, BGP will associate users around the Internet with a\nnearby site, defining the \\emph{catchment} of that site. Anycast\ndefends against DDoS both by increasing aggregate capacity across many\nsites, and allowing each site's catchment to contain attack traffic,\nleaving other sites unaffected. IP anycast is widely used by\ncommercial CDNs and for essential infrastructure such as DNS, but\nthere is little evaluation of anycast under stress. This paper\nprovides the \\emph{first evaluation of several IP anycast services\n under stress with public data}. Our subject is the Internet's Root\nDomain Name Service, made up of 13 independently designed services\n(``letters'', 11 with IP anycast) running at more than 500 sites.\nMany of these services were stressed by sustained traffic at\n$100\\times$ normal load on Nov.~30 and Dec.~1, 2015. We use public\ndata for most of our analysis to examine how different services\nrespond to stress, and identify two policies: sites may \\emph{absorb}\nattack traffic, containing the damage but reducing service to some\nusers, or they may \\emph{withdraw} routes to shift both good and bad\ntraffic to other sites. We study how these deployment policies\nresulted in different levels of service to different users during the\nevents. We also show evidence of \\emph{collateral damage} on other\nservices located near the attacks.\",\n}\n\n","author_short":["Moura, G. C. M.","de O. Schmidt, R.","Heidemann, J.","de Vries , W. B.","Müller, M.","Wei, L.","Hesselman, C."],"bibbaseid":"moura-deoschmidt-heidemann-devries-mller-wei-hesselman-anycastvsddosevaluatingthenovember2015rootdnsevent-2016","role":"author","urls":{"Paper":"https://ant.isi.edu/%7ejohnh/PAPERS/Moura16b.html"},"keyword":["anycast","dns","design","ddos"],"metadata":{"authorlinks":{}}},"bibtype":"inproceedings","biburl":"https://bibbase.org/f/dHevizJoWEhWowz8q/johnh-2023-2.bib","dataSources":["YLyu3mj3xsBeoqiHK","fLZcDgNSoSuatv6aX","fxEParwu2ZfurScPY","7nuQvtHTqKrLmgu99"],"keywords":["anycast","dns","design","ddos"],"search_terms":["anycast","ddos","evaluating","november","2015","root","dns","event","moura","de o. schmidt","heidemann","de vries ","müller","wei","hesselman"],"title":"Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event","year":2016}