Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event

Giovane Moreira Moura, R. de Oliveira Schmidt, John Heidemann, Wouter Bastiaan de Vries, Moritz Müller, Lan Wei, C.E.W. Hesselman

Research output: Book/Report › Report › Other research output

21 Citations (Scopus)
24 Downloads (Pure)

Abstract

Distributed Denial-of-Service (DDoS) attacks continue to be a major threat in the Internet today. DDoS attacks overwhelm target services with requests or other traffic, causing requests from legitimate users to be shut out. A common defense against DDoS is to replicate the service in multiple physical locations or sites. If all sites announce a common IP address, BGP will associate users around the Internet with a nearby site, defining the catchment of that site. Anycast addresses DDoS both by increasing capacity to the aggregate of many sites, and allowing each catchment to contain attack traffic leaving other sites unaffected. IP anycast is widely used for commercial CDNs and essential infrastructure such as DNS, but there is little evaluation of anycast under stress. This paper provides the first evaluation of several anycast services under stress with public data. Our subject is the Internet’s Root Domain Name Service, made up of 13 independently designed services (“letters”, 11 with IP anycast) running at more than 500 sites. Many of these services were stressed by sustained traffic at 100× normal load on Nov. 30 and Dec. 1, 2015. We use public data for most of our analysis to examine how different services respond to these events. We see how different anycast deployments respond to stress, and identify two policies: sites may absorb attack traffic, containing the damage but reducing service to some users, or they may withdraw routes to shift both good and bad traffic to other sites. We study how these deployment policies result in different levels of service to different users. We also show evidence of collateral damage on other services located near the attacks.
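The two site policies the abstract names, absorb versus withdraw, are easy to misjudge without seeing the catchment shift. The following toy model is an added example written for this page, not code from the report or its authors: it assigns each client region to its nearest announcing site (a stand-in for BGP path selection), applies a constructed attack load in one region, and compares the fraction of legitimate queries answered under each policy. Site names, capacities, the region-to-site "distance" table and all traffic figures are constructed for illustration; the withdraw policy is modelled as an overloaded site dropping its announcement, with an upper bound on how many sites may withdraw so that a cascade can be observed rather than assumed.

```python
"""Toy anycast-under-DDoS model: absorb vs. withdraw (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Site:
    name: str
    capacity: float             # queries/s the site answers before it starts dropping
    distance: Dict[str, int]    # constructed "BGP preference" per region: lower is nearer


# Constructed topology: three sites of one anycast service, four client regions.
SITES: List[Site] = [
    Site("site-A", 100.0, {"r1": 1, "r2": 2, "r3": 3, "r4": 2}),
    Site("site-B", 100.0, {"r1": 2, "r2": 1, "r3": 2, "r4": 3}),
    Site("site-C", 50.0, {"r1": 3, "r2": 3, "r3": 1, "r4": 1}),
]
# Constructed offered load per region: (legitimate q/s, attack q/s). Only r3 hosts attackers.
LOAD: Dict[str, Tuple[float, float]] = {
    "r1": (30.0, 0.0), "r2": (30.0, 0.0), "r3": (20.0, 120.0), "r4": (20.0, 0.0),
}


def catchments(active: List[Site]) -> Dict[str, Site]:
    """Per region, the nearest site that is still announcing the anycast prefix."""
    regions = active[0].distance.keys()
    return {r: min(active, key=lambda s: (s.distance[r], s.name)) for r in regions}


def serve(active: List[Site], load: Dict[str, Tuple[float, float]]):
    """Return (offered load per site, fraction of each region's legitimate queries answered).
    An over-capacity site is modelled as dropping uniformly, good and bad traffic alike,
    so every region in its catchment sees the same service fraction."""
    catch = catchments(active)
    offered = {s.name: 0.0 for s in active}
    for region, (good, bad) in load.items():
        offered[catch[region].name] += good + bad
    served = {}
    for region in load:
        site = catch[region]
        served[region] = min(1.0, site.capacity / offered[site.name]) if offered[site.name] else 1.0
    return offered, served


def legit_fraction(served: Dict[str, float], load) -> float:
    """Aggregate fraction of legitimate queries answered across all regions."""
    total = sum(good for good, _ in load.values())
    return sum(good * served[r] for r, (good, _) in load.items()) / total


def absorb(sites: List[Site], load) -> Tuple[float, Dict[str, float], List[str]]:
    """Policy 1: every site keeps announcing and absorbs whatever its catchment sends."""
    _, served = serve(sites, load)
    return legit_fraction(served, load), served, []


def withdraw(sites: List[Site], load, max_withdrawals: int) -> Tuple[float, Dict[str, float], List[str]]:
    """Policy 2: the most overloaded site withdraws its route, shifting its whole catchment,
    attackers included, to the next-nearest site. Repeats up to max_withdrawals times and
    never withdraws the last site, so a cascade is visible in the returned withdrawn list."""
    active = list(sites)
    withdrawn: List[str] = []
    for _ in range(max_withdrawals):
        offered, _ = serve(active, load)
        overloaded = [s for s in active if offered[s.name] > s.capacity]
        if not overloaded or len(active) == 1:
            break
        victim = max(overloaded, key=lambda s: offered[s.name] / s.capacity)
        active.remove(victim)
        withdrawn.append(victim.name)
    _, served = serve(active, load)
    return legit_fraction(served, load), served, withdrawn


if __name__ == "__main__":
    for label, (frac, served, gone) in {
        "absorb": absorb(SITES, LOAD),
        "withdraw once": withdraw(SITES, LOAD, 1),
        "withdraw until stable": withdraw(SITES, LOAD, 10),
    }.items():
        per_region = ", ".join(f"{r}={v:.0%}" for r, v in served.items())
        print(f"{label:22s} legit served={frac:.1%}  withdrawn={gone or '-'}  [{per_region}]")
```

With these constructed numbers, absorbing keeps r1 and r2 at full service while r3 and its attack-free neighbour r4, which share site-C's catchment, drop to about 31%: that is the collateral damage the abstract describes. A single withdrawal of site-C raises the aggregate to about 79% but moves the damage onto r2, whose site now carries the attack; letting withdrawals continue collapses the service onto one site and serves under half of all legitimate queries. Same attack, three different outcomes for the same users, which is why the policy choice, not just total capacity, decides who gets served.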
Original language: Undefined
Place of Publication: Los Angeles-CA, USA
Publisher: University of Southern California
Number of pages: 15
Publication status: Published - May 2016

Publication series

Name: Information Sciences Institute technical report
Publisher: Information Sciences Institute, University of Southern California
No.: ISI-TR-2016-709b

Keywords

  • IR-104109
  • DDoS
  • EWI-27641
  • Anycast
  • DNS

Cite this

Moreira Moura, G., de Oliveira Schmidt, R., Heidemann, J., de Vries, W. B., Müller, M., Wei, L., & Hesselman, C. E. W. (2016). Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event. (Information Sciences Institute technical report; No. ISI-TR-2016-709b). Los Angeles-CA, USA: University of Southern California.
@book{d3aa7137efda47bdb567ada9fa209f65,
title = "Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event",
abstract = "Distributed Denial-of-Service (DDoS) attacks continue to be a major threat in the Internet today. DDoS attacks overwhelm target services with requests or other traffic, causing requests from legitimate users to be shut out. A common defense against DDoS is to replicate the service in multiple physical locations or sites. If all sites announce a common IP address, BGP will associate users around the Internet with a nearby site, defining the catchment of that site. Anycast addresses DDoS both by increasing capacity to the aggregate of many sites, and allowing each catchment to contain attack traffic leaving other sites unaffected. IP anycast is widely used for commercial CDNs and essential infrastructure such as DNS, but there is little evaluation of anycast under stress. This paper provides the first evaluation of several anycast services under stress with public data. Our subject is the Internet’s Root Domain Name Service, made up of 13 independently designed services (“letters”, 11 with IP anycast) running at more than 500 sites. Many of these services were stressed by sustained traffic at 100× normal load on Nov. 30 and Dec. 1, 2015. We use public data for most of our analysis to examine how different services respond to these events. We see how different anycast deployments respond to stress, and identify two policies: sites may absorb attack traffic, containing the damage but reducing service to some users, or they may withdraw routes to shift both good and bad traffic to other sites. We study how these deployment policies result in different levels of service to different users. We also show evidence of collateral damage on other services located near the attacks.",
keywords = "IR-104109, DDoS, EWI-27641, Anycast, DNS",
author = "{Moreira Moura}, Giovane and {de Oliveira Schmidt}, R. and John Heidemann and {de Vries}, {Wouter Bastiaan} and Moritz M{\"u}ller and Lan Wei and C.E.W. Hesselman",
year = "2016",
month = "5",
language = "Undefined",
series = "Information Sciences Institute technical report",
publisher = "University of Southern California",
number = "ISI-TR-2016-709b",
address = "United States",
}

