Anycast Agility: Network Playbooks to Fight DDoS. Rizvi, A., Bertholdo, L., Ceron, J., & Heidemann, J. In Proceedings of the 31stUSENIX Security Symposium , pages 4201–4218, August, 2022. USENIX.
Anycast Agility: Network Playbooks to Fight DDoS [link]Paper  doi  abstract   bibtex   
IP anycast is used for services such as DNS and Content Delivery Networks (CDN) to provide the capacity to handle Distributed Denial-of-Service (DDoS) attacks. During a DDoS attack service operators redistribute traffic between anycast sites to take advantage of sites with unused or greater capacity. Depending on site traffic and attack size, operators may instead concentrate attackers in a few sites to preserve operation in others. Operators use these actions during attacks, but how to do so has not been described systematically or publicly. This paper describes several methods to use BGP to shift traffic when under DDoS, and shows that a \emphresponse playbook can provide a menu of responses that are options during an attack. To choose an appropriate response from this playbook, we also describe a new method to estimate true attack size, even though the operator's view during the attack is incomplete. Finally, operator choices are constrained by distributed routing policies, and not all are helpful. We explore how specific anycast deployment can constrain options in this playbook, and are the first to measure how generally applicable they are across multiple anycast networks.
@InProceedings{Rizvi22a,
        author =        "{A S M} Rizvi and Leandro Bertholdo and
 Jo{\~a}o Ceron and John Heidemann",
 title = "Anycast Agility: Network Playbooks to Fight {DDoS}",
        booktitle =     "Proceedings of the " # "31st" # " {USENIX} Security Symposium ",
        year =          2022,
	sortdate = 		"2022-08-10", 
	project = "ant, ddidd, paaddos, sabres",
	jsubject = "network_security",
        pages =      "4201--4218",
        month =      aug,
        publisher =  "{USENIX}",
        jlocation =   "johnh: pafile",
        keywords =   "anycast, ddos, routing",
        doi =        "to appear",
	blogurl = "https://ant.isi.edu/blog/?p=1829",
	url =	"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi22a.html",
	pdfurl =	"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi22a.pdf",
	oldotherurl = "https://www.usenix.org/system/files/sec22fall_rizvi.pdf",
	otherurl = "https://www.usenix.org/conference/usenixsecurity22/presentation/rizvi",
	dataurl =	"https://zenodo.org/record/6473023",
	talkurl = "https://www.usenix.org/conference/usenixsecurity22/presentation/rizvi",
	abstract = "IP anycast is used for services such as DNS and Content Delivery
Networks (CDN) to provide the capacity to handle Distributed
Denial-of-Service (DDoS) attacks.  During a DDoS attack service
operators redistribute traffic between anycast sites to take advantage
of sites with unused or greater capacity.  Depending on site traffic
and attack size, operators may instead concentrate attackers in a few
sites to preserve operation in others.  Operators use these actions
during attacks, but how to do so has not been described systematically
or publicly.  This paper describes several methods to use BGP to shift
traffic when under DDoS, and shows that a \emph{response playbook} can
provide a menu of responses that are options during an attack.  To
choose an appropriate response from this playbook, we also describe a
new method to estimate true attack size, even though the operator's
view during the attack is incomplete.  Finally, operator choices are
constrained by distributed routing policies, and not all are helpful.
We explore how specific anycast deployment can constrain options in
this playbook, and are the first to measure how generally applicable
they are across multiple anycast networks.
",
}

Downloads: 0