Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event

Giovane Moreira Moura, R. de Oliveira Schmidt, John Heidemann, Wouter Bastiaan de Vries, Moritz Müller, Lan Wei, C.E.W. Hesselman

Research output: Contribution to conference › Paper › Academic › peer-review


Abstract

Distributed Denial-of-Service (DDoS) attacks continue to be a major threat on the Internet today. DDoS attacks overwhelm target services with requests or other traffic, causing requests from legitimate users to be shut out. A common defense against DDoS is to replicate a service in multiple physical locations/sites. If all sites announce a common prefix, BGP will associate users around the Internet with a nearby site, defining the catchment of that site. Anycast defends against DDoS both by increasing aggregate capacity across many sites, and allowing each site's catchment to contain attack traffic, leaving other sites unaffected. IP anycast is widely used by commercial CDNs and for essential infrastructure such as DNS, but there is little evaluation of anycast under stress. This paper provides the first evaluation of several IP anycast services under stress with public data. Our subject is the Internet's Root Domain Name Service, made up of 13 independently designed services ("letters", 11 with IP anycast) running at more than 500 sites. Many of these services were stressed by sustained traffic at 100× normal load on Nov. 30 and Dec. 1, 2015. We use public data for most of our analysis to examine how different services respond to stress, and identify two policies: sites may absorb attack traffic, containing the damage but reducing service to some users, or they may withdraw routes to shift both good and bad traffic to other sites. We study how these deployment policies resulted in different levels of service to different users during the events. We also show evidence of collateral damage on other services located near the attacks.
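As an added illustration (not code from the paper or its authors), the following Python toy model contrasts the two deployment policies the abstract names: a site that absorbs attack traffic degrades service only inside its own catchment, while a site that withdraws its route shifts both good and attack traffic onto neighbouring sites, which can spill collateral damage onto users who were never in the attacked catchment. Sites, capacities, catchments (modelled as a per-region preference order) and traffic volumes are all constructed and are not the paper's measurements.

```python
"""Toy model of the two anycast DDoS policies from the abstract:
absorb (serve the catchment at reduced rate) versus withdraw (drop the
BGP announcement so the whole catchment moves to the next-nearest site).
All sites, capacities, catchments and rates below are constructed."""
from dataclasses import dataclass


@dataclass
class Site:
    capacity: float          # queries/s the site can answer
    policy: str = "absorb"   # "absorb" or "withdraw"
    up: bool = True          # False once the site has withdrawn its route


@dataclass
class Region:
    good: float   # legitimate query rate from this group of users
    attack: float # attack traffic originating in this group
    prefs: list   # sites in BGP-preference order (stand-in for the catchment)


def catchment_site(region, sites):
    """First site in the region's preference list that still announces the prefix."""
    return next((s for s in region.prefs if sites[s].up), None)


def loads(sites, regions):
    load = {name: 0.0 for name in sites}
    for r in regions.values():
        s = catchment_site(r, sites)
        if s is not None:
            load[s] += r.good + r.attack
    return load


def simulate(sites, regions):
    """Withdraw overloaded 'withdraw' sites until routing is stable, then return
    the fraction of each region's legitimate queries that are answered."""
    while True:
        load = loads(sites, regions)
        overloaded = [n for n, s in sites.items()
                      if s.up and s.policy == "withdraw" and load[n] > s.capacity]
        if not overloaded:
            break
        for n in overloaded:
            sites[n].up = False      # route withdrawn: catchment moves elsewhere
    service = {}
    for name, r in regions.items():
        s = catchment_site(r, sites)
        if s is None or load[s] == 0:
            service[name] = 0.0 if s is None else 1.0   # no site left = outage
        else:
            service[name] = round(min(1.0, sites[s].capacity / load[s]), 3)
    return service


def scenario(policy_a="absorb"):
    """Constructed event: attack sources sit inside site A's catchment (r2)."""
    sites = {"A": Site(100, policy_a), "B": Site(100), "C": Site(200)}
    regions = {
        "r1": Region(10, 0, ["A", "B", "C"]),
        "r2": Region(10, 290, ["A", "C", "B"]),
        "r3": Region(10, 0, ["B", "A", "C"]),
        "r4": Region(10, 0, ["C", "B", "A"]),
    }
    return simulate(sites, regions)
```

With A absorbing, only r1 and r2 see degraded service; with A withdrawing, r1 recovers fully but the attack follows r2 to site C and drags r4 down with it, the collateral damage the abstract describes.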
Original language: Undefined
Pages: 255-270
Number of pages: 16
DOIs: 10.1145/2987443.2987446
Publication status: Published - Nov 2016

Keywords

  • EWI-27391
  • IR-104108

Cite this

Moreira Moura, G., de Oliveira Schmidt, R., Heidemann, J., de Vries, W. B., Müller, M., Wei, L., & Hesselman, C. E. W. (2016). Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event. 255-270. https://doi.org/10.1145/2987443.2987446