Anycast Agility: Network Playbooks to Fight DDoS. Rizvi, A., Bertholdo, L., Ceron, J., & Heidemann, J. In Proceedings of the 31stUSENIX Security Symposium , pages 4201–4218, August, 2022. USENIX. Paper doi abstract bibtex IP anycast is used for services such as DNS and Content Delivery Networks (CDN) to provide the capacity to handle Distributed Denial-of-Service (DDoS) attacks. During a DDoS attack service operators redistribute traffic between anycast sites to take advantage of sites with unused or greater capacity. Depending on site traffic and attack size, operators may instead concentrate attackers in a few sites to preserve operation in others. Operators use these actions during attacks, but how to do so has not been described systematically or publicly. This paper describes several methods to use BGP to shift traffic when under DDoS, and shows that a \emphresponse playbook can provide a menu of responses that are options during an attack. To choose an appropriate response from this playbook, we also describe a new method to estimate true attack size, even though the operator's view during the attack is incomplete. Finally, operator choices are constrained by distributed routing policies, and not all are helpful. We explore how specific anycast deployment can constrain options in this playbook, and are the first to measure how generally applicable they are across multiple anycast networks.
@InProceedings{Rizvi22a,
author = "{A S M} Rizvi and Leandro Bertholdo and
Jo{\~a}o Ceron and John Heidemann",
title = "Anycast Agility: Network Playbooks to Fight {DDoS}",
booktitle = "Proceedings of the " # "31st" # " {USENIX} Security Symposium ",
year = 2022,
sortdate = "2022-08-10",
project = "ant, ddidd, paaddos, sabres",
jsubject = "network_security",
pages = "4201--4218",
month = aug,
publisher = "{USENIX}",
jlocation = "johnh: pafile",
keywords = "anycast, ddos, routing",
doi = "to appear",
blogurl = "https://ant.isi.edu/blog/?p=1829",
url = "https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi22a.html",
pdfurl = "https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi22a.pdf",
oldotherurl = "https://www.usenix.org/system/files/sec22fall_rizvi.pdf",
otherurl = "https://www.usenix.org/conference/usenixsecurity22/presentation/rizvi",
dataurl = "https://zenodo.org/record/6473023",
talkurl = "https://www.usenix.org/conference/usenixsecurity22/presentation/rizvi",
abstract = "IP anycast is used for services such as DNS and Content Delivery
Networks (CDN) to provide the capacity to handle Distributed
Denial-of-Service (DDoS) attacks. During a DDoS attack service
operators redistribute traffic between anycast sites to take advantage
of sites with unused or greater capacity. Depending on site traffic
and attack size, operators may instead concentrate attackers in a few
sites to preserve operation in others. Operators use these actions
during attacks, but how to do so has not been described systematically
or publicly. This paper describes several methods to use BGP to shift
traffic when under DDoS, and shows that a \emph{response playbook} can
provide a menu of responses that are options during an attack. To
choose an appropriate response from this playbook, we also describe a
new method to estimate true attack size, even though the operator's
view during the attack is incomplete. Finally, operator choices are
constrained by distributed routing policies, and not all are helpful.
We explore how specific anycast deployment can constrain options in
this playbook, and are the first to measure how generally applicable
they are across multiple anycast networks.
",
}
Downloads: 0
{"_id":"phJGB56g4r6nnXbBT","bibbaseid":"rizvi-bertholdo-ceron-heidemann-anycastagilitynetworkplaybookstofightddos-2022","author_short":["Rizvi, A.","Bertholdo, L.","Ceron, J.","Heidemann, J."],"bibdata":{"bibtype":"inproceedings","type":"inproceedings","author":[{"firstnames":["A S M"],"propositions":[],"lastnames":["Rizvi"],"suffixes":[]},{"firstnames":["Leandro"],"propositions":[],"lastnames":["Bertholdo"],"suffixes":[]},{"firstnames":["João"],"propositions":[],"lastnames":["Ceron"],"suffixes":[]},{"firstnames":["John"],"propositions":[],"lastnames":["Heidemann"],"suffixes":[]}],"title":"Anycast Agility: Network Playbooks to Fight DDoS","booktitle":"Proceedings of the 31stUSENIX Security Symposium ","year":"2022","sortdate":"2022-08-10","project":"ant, ddidd, paaddos, sabres","jsubject":"network_security","pages":"4201–4218","month":"August","publisher":"USENIX","jlocation":"johnh: pafile","keywords":"anycast, ddos, routing","doi":"to appear","blogurl":"https://ant.isi.edu/blog/?p=1829","url":"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi22a.html","pdfurl":"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi22a.pdf","oldotherurl":"https://www.usenix.org/system/files/sec22fall_rizvi.pdf","otherurl":"https://www.usenix.org/conference/usenixsecurity22/presentation/rizvi","dataurl":"https://zenodo.org/record/6473023","talkurl":"https://www.usenix.org/conference/usenixsecurity22/presentation/rizvi","abstract":"IP anycast is used for services such as DNS and Content Delivery Networks (CDN) to provide the capacity to handle Distributed Denial-of-Service (DDoS) attacks. During a DDoS attack service operators redistribute traffic between anycast sites to take advantage of sites with unused or greater capacity. Depending on site traffic and attack size, operators may instead concentrate attackers in a few sites to preserve operation in others. Operators use these actions during attacks, but how to do so has not been described systematically or publicly. This paper describes several methods to use BGP to shift traffic when under DDoS, and shows that a \\emphresponse playbook can provide a menu of responses that are options during an attack. To choose an appropriate response from this playbook, we also describe a new method to estimate true attack size, even though the operator's view during the attack is incomplete. Finally, operator choices are constrained by distributed routing policies, and not all are helpful. We explore how specific anycast deployment can constrain options in this playbook, and are the first to measure how generally applicable they are across multiple anycast networks. ","bibtex":"@InProceedings{Rizvi22a,\n author = \"{A S M} Rizvi and Leandro Bertholdo and\n Jo{\\~a}o Ceron and John Heidemann\",\n title = \"Anycast Agility: Network Playbooks to Fight {DDoS}\",\n booktitle = \"Proceedings of the \" # \"31st\" # \" {USENIX} Security Symposium \",\n year = 2022,\n\tsortdate = \t\t\"2022-08-10\", \n\tproject = \"ant, ddidd, paaddos, sabres\",\n\tjsubject = \"network_security\",\n pages = \"4201--4218\",\n month = aug,\n publisher = \"{USENIX}\",\n jlocation = \"johnh: pafile\",\n keywords = \"anycast, ddos, routing\",\n doi = \"to appear\",\n\tblogurl = \"https://ant.isi.edu/blog/?p=1829\",\n\turl =\t\"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi22a.html\",\n\tpdfurl =\t\"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi22a.pdf\",\n\toldotherurl = \"https://www.usenix.org/system/files/sec22fall_rizvi.pdf\",\n\totherurl = \"https://www.usenix.org/conference/usenixsecurity22/presentation/rizvi\",\n\tdataurl =\t\"https://zenodo.org/record/6473023\",\n\ttalkurl = \"https://www.usenix.org/conference/usenixsecurity22/presentation/rizvi\",\n\tabstract = \"IP anycast is used for services such as DNS and Content Delivery\nNetworks (CDN) to provide the capacity to handle Distributed\nDenial-of-Service (DDoS) attacks. During a DDoS attack service\noperators redistribute traffic between anycast sites to take advantage\nof sites with unused or greater capacity. Depending on site traffic\nand attack size, operators may instead concentrate attackers in a few\nsites to preserve operation in others. Operators use these actions\nduring attacks, but how to do so has not been described systematically\nor publicly. This paper describes several methods to use BGP to shift\ntraffic when under DDoS, and shows that a \\emph{response playbook} can\nprovide a menu of responses that are options during an attack. To\nchoose an appropriate response from this playbook, we also describe a\nnew method to estimate true attack size, even though the operator's\nview during the attack is incomplete. Finally, operator choices are\nconstrained by distributed routing policies, and not all are helpful.\nWe explore how specific anycast deployment can constrain options in\nthis playbook, and are the first to measure how generally applicable\nthey are across multiple anycast networks.\n\",\n}\n\n","author_short":["Rizvi, A.","Bertholdo, L.","Ceron, J.","Heidemann, J."],"bibbaseid":"rizvi-bertholdo-ceron-heidemann-anycastagilitynetworkplaybookstofightddos-2022","role":"author","urls":{"Paper":"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi22a.html"},"keyword":["anycast","ddos","routing"],"metadata":{"authorlinks":{}}},"bibtype":"inproceedings","biburl":"https://bibbase.org/f/dHevizJoWEhWowz8q/johnh-2023-2.bib","dataSources":["YLyu3mj3xsBeoqiHK","fLZcDgNSoSuatv6aX","fxEParwu2ZfurScPY","7nuQvtHTqKrLmgu99"],"keywords":["anycast","ddos","routing"],"search_terms":["anycast","agility","network","playbooks","fight","ddos","rizvi","bertholdo","ceron","heidemann"],"title":"Anycast Agility: Network Playbooks to Fight DDoS","year":2022}