Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event (extended). Moura, G. C. M., de O. Schmidt, R., Heidemann, J., de Vries, W. B., Müller, M., Wei, L., & Hesselman, C. Technical Report ISI-TR-2016-709b, USC/Information Sciences Institute, May 2016.

Abstract: Distributed Denial-of-Service (DDoS) attacks continue to be a major threat in the Internet today. DDoS attacks overwhelm target services with requests or other traffic, causing requests from legitimate users to be shut out. A common defense against DDoS is to replicate the service in multiple physical locations or sites. If all sites announce a common IP address, BGP will associate users around the Internet with a nearby site, defining the catchment of that site. Anycast addresses DDoS both by increasing capacity to the aggregate of many sites, and by allowing each catchment to contain attack traffic, leaving other sites unaffected. IP anycast is widely used for commercial CDNs and essential infrastructure such as DNS, but there is little evaluation of anycast under stress. This paper provides the first evaluation of several anycast services under stress with public data. Our subject is the Internet's Root Domain Name Service, made up of 13 independently designed services ("letters", 11 with IP anycast) running at more than 500 sites. Many of these services were stressed by sustained traffic at 100× normal load on Nov. 30 and Dec. 1, 2015. We use public data for most of our analysis to examine how different services respond to these events. We see how different anycast deployments respond to stress, and identify two policies: sites may absorb attack traffic, containing the damage but reducing service to some users, or they may withdraw routes to shift both good and bad traffic to other sites. We study how these deployment policies result in different levels of service to different users. We also show evidence of collateral damage on other services located near the attacks.
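The absorb-versus-withdraw trade-off the abstract describes, as an added illustration that is not code from the paper or from any root operator: a toy capacity model in which each user region is mapped by BGP preference to its nearest site that still announces the shared prefix (its catchment), attack traffic enters through one catchment, and a site either keeps answering what it can (absorb) or stops announcing the prefix so its catchment re-homes to the next site (withdraw). The site names, capacities, preference order and traffic volumes are constructed for the example and are not measurements from the November 2015 event.

```python
"""Toy capacity model of an anycast service under DDoS: absorb vs. withdraw.

Added example, not code from the paper. Topology, capacities and traffic
volumes below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Site:
    name: str
    capacity: float  # queries/s the site can answer before it starts dropping


# Constructed BGP preference: for each user region, the order in which it
# would reach sites announcing the shared anycast prefix (nearest first).
PREFERENCE: Dict[str, List[str]] = {
    "eu-west": ["AMS", "LHR", "IAD", "SIN"],
    "eu-east": ["AMS", "LHR", "IAD", "SIN"],
    "us-east": ["IAD", "AMS", "LHR", "SIN"],
    "asia":    ["SIN", "IAD", "AMS", "LHR"],
}
LEGIT = {"eu-west": 30.0, "eu-east": 30.0, "us-east": 60.0, "asia": 20.0}
ATTACK = {"eu-east": 500.0}  # constructed: attack traffic entering via one catchment


def catchments(prefs: Dict[str, List[str]], withdrawn: Set[str]) -> Dict[str, Optional[str]]:
    """Each region lands on its first preferred site that still announces the prefix."""
    return {r: next((s for s in order if s not in withdrawn), None)
            for r, order in prefs.items()}


def site_loads(cm: Dict[str, Optional[str]], legit, attack) -> Dict[str, float]:
    """Total queries/s (good and bad) arriving at each announcing site."""
    loads: Dict[str, float] = {}
    for region, site in cm.items():
        if site is not None:
            loads[site] = loads.get(site, 0.0) + legit.get(region, 0.0) + attack.get(region, 0.0)
    return loads


def simulate(sites: List[Site], prefs, legit, attack, policy: str) -> Tuple[Dict[str, float], Set[str]]:
    """Return (fraction of legitimate queries answered per region, sites withdrawn).

    absorb:   every site keeps announcing; an overloaded site answers only a
              capacity/load share of what reaches it, attack and legit alike.
    withdraw: the most overloaded site stops announcing, BGP re-homes its
              catchment to the next site, and the check repeats; this can
              cascade until no site is left announcing.
    """
    if policy not in ("absorb", "withdraw"):
        raise ValueError(policy)
    cap = {s.name: s.capacity for s in sites}
    withdrawn: Set[str] = set()
    while True:
        cm = catchments(prefs, withdrawn)
        loads = site_loads(cm, legit, attack)
        over = {s: load / cap[s] for s, load in loads.items() if load > cap[s]}
        if policy == "absorb" or not over:
            break
        withdrawn.add(max(over, key=over.get))
    served: Dict[str, float] = {}
    for region, site in cm.items():
        if site is None:
            served[region] = 0.0          # nobody announces the prefix any more
        elif loads[site] == 0.0:
            served[region] = 1.0
        else:
            served[region] = min(1.0, cap[site] / loads[site])
    return served, withdrawn


def scenario(iad_capacity: float, policy: str):
    """Same topology and attack; only the large IAD site's capacity varies."""
    sites = [Site("AMS", 100.0), Site("LHR", 100.0), Site("IAD", iad_capacity), Site("SIN", 80.0)]
    return simulate(sites, PREFERENCE, LEGIT, ATTACK, policy)


if __name__ == "__main__":
    for cap, policy in ((300.0, "absorb"), (300.0, "withdraw"), (1000.0, "withdraw")):
        served, withdrawn = scenario(cap, policy)
        print(f"IAD={cap:>6} {policy:8} withdrawn={sorted(withdrawn)} "
              + " ".join(f"{r}={f:.2f}" for r, f in served.items()))
```

Running the three scenarios shows both sides of the trade-off. Absorbing confines the damage to the two European catchments, whose users get roughly 18% of their queries answered while US and Asian users are untouched. Withdrawing restores full service for everyone only when some remaining site has headroom for the whole shifted load (IAD at 1000 qps); with IAD at 300 qps each withdrawal pushes the combined good and bad traffic onto the next site, which then also withdraws, until nothing announces the prefix and users far from the attack lose service too.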
@TechReport{Moura16a,
author = {Giovane C. M. Moura and Ricardo de O. Schmidt
and John Heidemann and Wouter B. {de Vries} and
Moritz M{\"u}ller and Lan Wei and Christian Hesselman},
title = "Anycast vs.~{DDoS}: Evaluating the {November}
2015 {Root} {DNS} Event (extended)",
institution = "USC/Information Sciences Institute",
year = 2016,
sortdate = "2016-05-18",
finaldate = "2016-09-12",
number = "ISI-TR-2016-709b",
project = "ant, lacrend, lander, retrofuture, researchroot, pinest, nipet",
jsubject = "network_security",
month = may,
jlocation = "johnh: pafile",
keywords = "anycast, dns, design",
url = "https://ant.isi.edu/%7ejohnh/PAPERS/Moura16a.html",
pdfurl = "https://ant.isi.edu/%7ejohnh/PAPERS/Moura16a.pdf",
otherurl = "ftp://ftp.isi.edu/isi-pubs/tr-709.pdf",
myorganization = "USC/Information Sciences Institute",
copyrightholder = "authors",
abstract = "
Distributed Denial-of-Service (DDoS) attacks continue to be a major
threat in the Internet today. DDoS attacks overwhelm target services
with requests or other traffic, causing requests from legitimate users
to be shut out. A common defense against DDoS is to replicate the
service in multiple physical locations or sites. If all sites
announce a common IP address, BGP will associate users around the
Internet with a nearby site, defining the \emph{catchment} of that
site. Anycast addresses DDoS both by increasing capacity to the
aggregate of many sites, and allowing each catchment to contain attack
traffic leaving other sites unaffected. IP anycast is widely used for
commercial CDNs and essential infrastructure such as DNS, but there is
little evaluation of anycast under stress. This paper provides the
\emph{first evaluation of several anycast services under stress with
public data}. Our subject is the Internet's Root Domain Name Service,
made up of 13 independently designed services (``letters'', 11 with IP
anycast) running at more than 500 sites. Many of these services were
stressed by sustained traffic at $100\times$ normal load on Nov.~30
and Dec.~1, 2015. We use public data for most of our analysis to
examine how different services respond to these events. We see
how different anycast deployments respond to stress, and identify two
policies: sites may \emph{absorb} attack traffic, containing the
damage but reducing service to some users, or they may \emph{withdraw}
routes to shift both good and bad traffic to other sites. We study
how these deployment policies result in different levels of service
to different users. We also show evidence of \emph{collateral damage}
on other services located near the attacks.",
}