Anycast vs. DDoS: Evaluating Nov. 30. Heidemann, J., Moura, G. C. M., de O. Schmidt, R., , de Vries, W. B., Muller, M., Wei, L., & Hesselman, C. Presentation at DNS-OARC Meeting, October, 2016. Based on the paper [Moura16b]Paper abstract bibtex Distributed Denial-of-Service (DDoS) attacks continue to be a major threat in the Internet today. DDoS attacks overwhelm target services with requests or other ``bogus'' traffic, causing requests from legitimate users to be shut out. A common defense against DDoS is to replicate the service in multiple physical locations or sites. If all sites announce a common IP address, BGP will associate users around the Internet with a nearby site, defining the \emphcatchment of that site. Anycast adds resilience against DDoS both by increasing capacity to the aggregate of many sites, and allowing each catchment to contain attack traffic leaving other sites unaffected. IP anycast is widely used for commercial CDNs and essential infrastructure such as DNS, but there is little evaluation of anycast under stress. \newline∈dent This talk will provide a \emphfirst evaluation of several anycast services under stress with public data. Our subject is the Internet's Root Domain Name Service, made up of 13 independently designed services (``letters'', 11 with IP anycast) running at more than 500 sites. Many of these services were stressed by sustained traffic at 100x normal load on Nov. 30 and Dec. 1, 2015. We use public data for most of our analysis to examine how different services respond to the these events. In our analysis we identify two policies by operators: (1) sites may \emphabsorb attack traffic, containing the damage but reducing service to some users, or (2) they may \emphwithdraw routes to shift both legitimate and bogus traffic to other sites. We study how these deployment policies result in different levels of service to different users, during and immediately after the attacks. \newline∈dent We also show evidence of \emphcollateral damage on other services located near the attack targets. The work is based on analysis of DNS response from around 9000 RIPE Atlas vantage points (or ``probes''), agumented by RSSAC-002 reports from 5 root letters and BGP data from BGPmon. We examine DNS performance for each Root Letter, for anycast sites inside specific letters, and for specific servers at one site.
@Misc{Heidemann16c,
author = "John Heidemann and Giovane C. M. Moura and
Ricardo de O. Schmidt and and Wouter B. de Vries and
Moritz Muller and Lan Wei and Christian Hesselman",
title = "Anycast vs. {DDoS}: Evaluating {Nov.} 30",
howpublished = "Presentation at DNS-OARC Meeting",
note = "Based on the paper [Moura16b]",
month = oct,
year = 2016,
address = "Dallas, Texas, USA",
sortdate = "2016-10-16",
project = "ant, lacrend, retrofuture, researchroot, pinest, nipet",
jsubject = "network_security",
jlocation = "johnh: pafile",
keywords = "based on [Moura16b]",
url = "https://ant.isi.edu/%7ejohnh/PAPERS/Heidemann16b.html",
pdfurl = "https://ant.isi.edu/%7ejohnh/PAPERS/Heidemann16b.pdf",
myorganization = "USC/Information Sciences Institute",
copyrightholder = "authors",
abstract = "
Distributed Denial-of-Service (DDoS) attacks continue to be a major
threat in the Internet today. DDoS attacks overwhelm target services
with requests or other ``bogus'' traffic, causing requests from legitimate users
to be shut out. A common defense against DDoS is to replicate the
service in multiple physical locations or sites. If all sites
announce a common IP address, BGP will associate users around the
Internet with a nearby site, defining the \emph{catchment} of that
site. Anycast adds resilience against DDoS both by increasing capacity to the
aggregate of many sites, and allowing each catchment to contain attack
traffic leaving other sites unaffected. IP anycast is widely used for
commercial CDNs and essential infrastructure such as DNS, but there is
little evaluation of anycast under stress. \newline\indent
This talk will provide a \emph{first evaluation of several anycast services
under stress with public data}. Our subject is the Internet's Root
Domain Name Service, made up of 13 independently designed services
(``letters'', 11 with IP anycast) running at more than 500 sites.
Many of these services were stressed by sustained traffic at 100x
normal load on Nov. 30 and Dec. 1, 2015. We use public data for most
of our analysis to examine how different services respond to the these
events. In our analysis we identify two policies by operators:
(1) sites may \emph{absorb} attack traffic,
containing the damage but reducing service to some users, or (2) they may
\emph{withdraw} routes to shift both legitimate and bogus traffic to other sites.
We study how these deployment policies result in different levels of
service to different users, during and immediately after the attacks. \newline\indent
We also show evidence of \emph{collateral damage} on other services located near the attack targets.
The work is based on analysis of DNS response from around 9000 RIPE
Atlas vantage points (or ``probes''), agumented by RSSAC-002 reports
from 5 root letters and BGP data from BGPmon. We examine DNS
performance for each Root Letter, for anycast sites inside specific
letters, and for specific servers at one site.
",
}
Downloads: 0
{"_id":"DudNMF2wmuxzQuBH9","bibbaseid":"heidemann-moura-deoschmidt--devries-muller-wei-hesselman-anycastvsddosevaluatingnov30-2016","author_short":["Heidemann, J.","Moura, G. C. M.","de O. Schmidt, R.","","de Vries, W. B.","Muller, M.","Wei, L.","Hesselman, C."],"bibdata":{"bibtype":"misc","type":"misc","author":[{"firstnames":["John"],"propositions":[],"lastnames":["Heidemann"],"suffixes":[]},{"firstnames":["Giovane","C.","M."],"propositions":[],"lastnames":["Moura"],"suffixes":[]},{"firstnames":["Ricardo"],"propositions":["de"],"lastnames":["O.","Schmidt"],"suffixes":[]},{"firstnames":[],"propositions":[],"lastnames":[""],"suffixes":[]},{"firstnames":["Wouter","B."],"propositions":["de"],"lastnames":["Vries"],"suffixes":[]},{"firstnames":["Moritz"],"propositions":[],"lastnames":["Muller"],"suffixes":[]},{"firstnames":["Lan"],"propositions":[],"lastnames":["Wei"],"suffixes":[]},{"firstnames":["Christian"],"propositions":[],"lastnames":["Hesselman"],"suffixes":[]}],"title":"Anycast vs. DDoS: Evaluating Nov. 30","howpublished":"Presentation at DNS-OARC Meeting","note":"Based on the paper [Moura16b]","month":"October","year":"2016","address":"Dallas, Texas, USA","sortdate":"2016-10-16","project":"ant, lacrend, retrofuture, researchroot, pinest, nipet","jsubject":"network_security","jlocation":"johnh: pafile","keywords":"based on [Moura16b]","url":"https://ant.isi.edu/%7ejohnh/PAPERS/Heidemann16b.html","pdfurl":"https://ant.isi.edu/%7ejohnh/PAPERS/Heidemann16b.pdf","myorganization":"USC/Information Sciences Institute","copyrightholder":"authors","abstract":"Distributed Denial-of-Service (DDoS) attacks continue to be a major threat in the Internet today. DDoS attacks overwhelm target services with requests or other ``bogus'' traffic, causing requests from legitimate users to be shut out. A common defense against DDoS is to replicate the service in multiple physical locations or sites. If all sites announce a common IP address, BGP will associate users around the Internet with a nearby site, defining the \\emphcatchment of that site. Anycast adds resilience against DDoS both by increasing capacity to the aggregate of many sites, and allowing each catchment to contain attack traffic leaving other sites unaffected. IP anycast is widely used for commercial CDNs and essential infrastructure such as DNS, but there is little evaluation of anycast under stress. \\newline∈dent This talk will provide a \\emphfirst evaluation of several anycast services under stress with public data. Our subject is the Internet's Root Domain Name Service, made up of 13 independently designed services (``letters'', 11 with IP anycast) running at more than 500 sites. Many of these services were stressed by sustained traffic at 100x normal load on Nov. 30 and Dec. 1, 2015. We use public data for most of our analysis to examine how different services respond to the these events. In our analysis we identify two policies by operators: (1) sites may \\emphabsorb attack traffic, containing the damage but reducing service to some users, or (2) they may \\emphwithdraw routes to shift both legitimate and bogus traffic to other sites. We study how these deployment policies result in different levels of service to different users, during and immediately after the attacks. \\newline∈dent We also show evidence of \\emphcollateral damage on other services located near the attack targets. The work is based on analysis of DNS response from around 9000 RIPE Atlas vantage points (or ``probes''), agumented by RSSAC-002 reports from 5 root letters and BGP data from BGPmon. We examine DNS performance for each Root Letter, for anycast sites inside specific letters, and for specific servers at one site. ","bibtex":"@Misc{Heidemann16c,\n\tauthor = \t\"John Heidemann and Giovane C. M. Moura and\n Ricardo de O. Schmidt and and Wouter B. de Vries and\n Moritz Muller and Lan Wei and Christian Hesselman\",\n\ttitle = \t\"Anycast vs. {DDoS}: Evaluating {Nov.} 30\",\n\thowpublished = \"Presentation at DNS-OARC Meeting\",\n\tnote = \"Based on the paper [Moura16b]\",\n\tmonth = \toct,\n\tyear = \t2016,\n\taddress = \"Dallas, Texas, USA\",\n\tsortdate = \t\"2016-10-16\",\n\tproject = \"ant, lacrend, retrofuture, researchroot, pinest, nipet\",\n\tjsubject = \"network_security\",\n\tjlocation = \t\"johnh: pafile\",\n\tkeywords = \t\"based on [Moura16b]\",\n\turl =\t\t\"https://ant.isi.edu/%7ejohnh/PAPERS/Heidemann16b.html\",\n\tpdfurl =\t\"https://ant.isi.edu/%7ejohnh/PAPERS/Heidemann16b.pdf\",\n\tmyorganization =\t\"USC/Information Sciences Institute\",\n\tcopyrightholder = \"authors\",\n\tabstract = \"\nDistributed Denial-of-Service (DDoS) attacks continue to be a major\nthreat in the Internet today. DDoS attacks overwhelm target services\nwith requests or other ``bogus'' traffic, causing requests from legitimate users\nto be shut out. A common defense against DDoS is to replicate the\nservice in multiple physical locations or sites. If all sites\nannounce a common IP address, BGP will associate users around the\nInternet with a nearby site, defining the \\emph{catchment} of that\nsite. Anycast adds resilience against DDoS both by increasing capacity to the\naggregate of many sites, and allowing each catchment to contain attack\ntraffic leaving other sites unaffected. IP anycast is widely used for\ncommercial CDNs and essential infrastructure such as DNS, but there is\nlittle evaluation of anycast under stress. \\newline\\indent\nThis talk will provide a \\emph{first evaluation of several anycast services\nunder stress with public data}. Our subject is the Internet's Root\nDomain Name Service, made up of 13 independently designed services\n(``letters'', 11 with IP anycast) running at more than 500 sites.\nMany of these services were stressed by sustained traffic at 100x\nnormal load on Nov. 30 and Dec. 1, 2015. We use public data for most\nof our analysis to examine how different services respond to the these\nevents. In our analysis we identify two policies by operators:\n(1) sites may \\emph{absorb} attack traffic,\ncontaining the damage but reducing service to some users, or (2) they may\n\\emph{withdraw} routes to shift both legitimate and bogus traffic to other sites.\nWe study how these deployment policies result in different levels of\nservice to different users, during and immediately after the attacks. \\newline\\indent\nWe also show evidence of \\emph{collateral damage} on other services located near the attack targets.\nThe work is based on analysis of DNS response from around 9000 RIPE\nAtlas vantage points (or ``probes''), agumented by RSSAC-002 reports\nfrom 5 root letters and BGP data from BGPmon. We examine DNS\nperformance for each Root Letter, for anycast sites inside specific\nletters, and for specific servers at one site.\n\",\n}\n\n","author_short":["Heidemann, J.","Moura, G. C. M.","de O. Schmidt, R.","","de Vries, W. B.","Muller, M.","Wei, L.","Hesselman, C."],"bibbaseid":"heidemann-moura-deoschmidt--devries-muller-wei-hesselman-anycastvsddosevaluatingnov30-2016","role":"author","urls":{"Paper":"https://ant.isi.edu/%7ejohnh/PAPERS/Heidemann16b.html"},"keyword":["based on [Moura16b]"],"metadata":{"authorlinks":{}}},"bibtype":"misc","biburl":"https://bibbase.org/f/dHevizJoWEhWowz8q/johnh-2023-2.bib","dataSources":["YLyu3mj3xsBeoqiHK","fLZcDgNSoSuatv6aX","fxEParwu2ZfurScPY","7nuQvtHTqKrLmgu99"],"keywords":["based on [moura16b]"],"search_terms":["anycast","ddos","evaluating","nov","heidemann","moura","de o. schmidt","","de vries","muller","wei","hesselman"],"title":"Anycast vs. DDoS: Evaluating Nov. 30","year":2016}