Anycast and its potential for DDoS mitigation
Wouter B. de Vries, Ricardo de O. Schmidt and Aiko Pras
University of Twente, The Netherlands
{w.b.devries,r.schmidt,a.pras}@utwente.nl
Abstract. IP anycast is widely used to distribute essential Internet services, such as DNS, across the globe. One of the main reasons for doing so is to increase the redundancy of the service and reduce the impact of the growing threat of DDoS attacks. IP anycast can further be used to mitigate DDoS attacks by confining the attack traffic to certain areas, so that the targeted service might become unavailable only to a fraction of its users. In this PhD research we aim at investigating how IP anycast can be optimized, both statically and dynamically, to support the mitigation of DDoS attacks.
1 Introduction
IP anycast is an addressing and routing strategy in which multiple physical servers on the Internet are configured with the same logical IP address. This strategy has been widely used to achieve high availability and redundancy of Internet services such as DNS and CDNs. IP anycast relies on the robustness of BGP (Border Gateway Protocol) routing, which defines the catchment of each anycast instance, for example by mapping users to the topologically nearest instance. In practice, however, anycast catchments have proven to be more chaotic, mainly because of the routing policies defined within and between Autonomous Systems (ASes) [2,9].
There may be multiple motivations for deploying an anycast service. Nowadays, however, redundancy and resilience of Internet services against cyber attacks have gained importance, in particular resilience against Distributed Denial-of-Service (DDoS) attacks, since their occurrence and intensity have increased significantly in recent years [1] and essential Internet services are among their common targets [5]. This problem is exacerbated by the fact that today anyone can perform DDoS attacks [6].
When a service such as DNS is anycasted, there is no single point of failure. An anycasted service has the advantage that, when it is subject to a DDoS attack, it might become unavailable only to a fraction of the Internet: the service might be unreachable only within the specific “catchment areas” of the affected anycast instances.
Although there are clear benefits to using IP anycast, and it generally works well [3], it alone does not solve the DDoS problem altogether. For example, in November 2015 [5] the DNS root servers received so many requests (caused by a DDoS) that the network connections to some of them were saturated. The impact of this particular attack was limited, though, due to the sheer scale of the DNS root server system: 11 out of 13 root nameservers are anycasted. For other (non-)anycasted services the impact can be more severe. Examples of severe service degradation were recently reported by RIPE through their DNS-WG mailing list¹: unusual amounts of incoming traffic on the authoritative servers for RIPE DNS services on 14-Dec-2015 and on 14-Jan-2016. Recently, the ccTLD DNS infrastructure of Turkey was also attacked, causing severe service degradation [8].
In this PhD research, we will investigate how IP anycast deployments can be optimally planned and used to support service resilience against DDoS attacks. In the following we describe our main research goal, research questions, and planned approaches (§2). We also describe our first steps in building a global IP anycast service for our research (§3).
2 Goal, Research Questions, and Approach
The goal of this PhD research is to investigate methods to optimize anycast deployments in order to improve service resilience against DDoS attacks. To meet our goal we define four research questions.
First, to gain a more complete understanding of how operators currently mitigate DDoS attacks, we define RQ1: what are the current DDoS mitigation strategies in use by operators of critical Internet infrastructure? Our approach will focus on talking with operators, mainly those involved in the research, to understand their procedures and to be able to tailor improvements to them.
To gain insight into the routing changes that affect the catchment of an anycast network when instances are added or removed, we define our second research question, RQ2: what impact does the deployment of an anycast node in a given anycast network have on the overall catchment? To answer this question we will perform active and passive measurements on a real anycast deployment. We are deploying our own experimental anycast testbed, comparable to PEERING [7]. This testbed will allow us to announce and withdraw IP prefixes (both IPv4 and IPv6) from each anycast location. We will use the RIPE Atlas [4] framework to perform the active measurements. This framework will allow us to closely monitor the effects of anycast node deployment from the perspective of thousands of vantage points worldwide. In addition, we will analyze the deployment from the BGP perspective using passive measurement data provided by services such as BGPmon and RIPE’s Routing Information Service (RIS).
The knowledge obtained from RQ1 and RQ2 will be used to support anycast planning and instance placement targeting resilience against DDoS attacks. This leads us to our third question, RQ3: in what ways can the catchment of an anycast network be influenced to increase resilience against DDoS attacks? By analyzing the data obtained from RQ2 we will attempt to find ways of optimizing the placement of nodes, aiming at increasing resilience against DDoS attacks. The key challenge is the fact that BGP routing is influenced by many factors, both technical and non-technical. Potential methods will be verified in practice by implementing them on the anycast testbed and performing attacks on our own infrastructure. In addition, we will analyze the sources of major DDoS attacks to determine whether these are mostly located in certain areas. This will further assist in optimizing the anycast catchment for mitigation.
¹ https://www.ripe.net/mailman/listinfo/dns-wg/
Finally, we will determine whether, and to what extent, the anycast catchment can be changed dynamically to further strengthen the DDoS-mitigating property of an anycast network, for example by actively adding and/or removing instances near the source of attack traffic during a DDoS attack. Therefore, we define our fourth and final research question, RQ4: how can service resilience be positively influenced by dynamically changing the composition of the anycast network? The results from RQ1, RQ2 and RQ3, as well as the operational experience gained using the anycast testbed, will all contribute to answering RQ4. A potential solution is the deployment of inactive (i.e., sleeping) instances that are activated on demand in the case of an attack. This setup can potentially reduce operational costs compared to the static approach of RQ3. The challenge lies in the fact that setting up anycast instances is not trivial, because it might depend on the routing policies and peering agreements involved in the anycast IP prefix announcement.
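The confinement effect described in the introduction, and the catchment questions behind RQ2 and RQ4, can be made concrete with a small model. The following is an added illustration and is not code from the paper or from the authors' testbed: it approximates BGP route selection by shortest AS-path length over a constructed AS-level topology (real BGP also applies local preference and peering policy, which is exactly why the paper calls real catchments chaotic), assigns constructed user counts and a constructed 60 Gbps attack from two client networks, and assumes a per-instance capacity of 40 Gbps. It then compares a static two-instance deployment with the same deployment after a sleeping third instance is activated near the attack sources.

```python
from collections import deque

# Constructed AS-level topology (adjacency list); each edge is one AS hop.
# AS100, AS200 and AS300 are transit networks in Europe, North America and
# Asia; the AS1xx/AS2xx/AS3xx leaves are client networks. Real BGP path
# selection also depends on local preference and peering policy, which this
# hop-count model deliberately leaves out.
TOPOLOGY = {
    "AS100": ["AS101", "AS102", "AS200"],
    "AS101": ["AS100", "AS111"],
    "AS102": ["AS100", "AS112"],
    "AS111": ["AS101"],
    "AS112": ["AS102"],
    "AS200": ["AS100", "AS201", "AS202", "AS300"],
    "AS201": ["AS200", "AS211"],
    "AS202": ["AS200", "AS212"],
    "AS211": ["AS201"],
    "AS212": ["AS202"],
    "AS300": ["AS200", "AS301", "AS302"],
    "AS301": ["AS300", "AS311"],
    "AS302": ["AS300", "AS312"],
    "AS311": ["AS301"],
    "AS312": ["AS302"],
}

# Constructed user population per client network.
USERS = {"AS111": 1000, "AS112": 1000, "AS211": 1500, "AS212": 1500,
         "AS311": 2000, "AS312": 2000}


def hop_distances(topology, source):
    """Breadth-first search: AS-hop distance from `source` to every reachable AS."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        current = queue.popleft()
        for neighbour in topology.get(current, ()):
            if neighbour not in dist:
                dist[neighbour] = dist[current] + 1
                queue.append(neighbour)
    return dist


def compute_catchment(topology, instances, clients):
    """Map each client AS to the anycast instance with the shortest AS path.

    Ties go to the lexically smallest instance name, standing in for BGP's
    deterministic tie-breakers. A client with no path to any instance maps
    to None (it has no service at all).
    """
    dist_from = {inst: hop_distances(topology, inst) for inst in instances}
    catchment = {}
    for client in clients:
        best = None  # (hops, instance)
        for inst in sorted(instances):
            hops = dist_from[inst].get(client)
            if hops is not None and (best is None or hops < best[0]):
                best = (hops, inst)
        catchment[client] = best[1] if best else None
    return catchment


def assess_attack(catchment, instances, users, attack_gbps, capacity_gbps):
    """Confine each attacking network's traffic to the instance in whose
    catchment it sits, flag instances above capacity, and count the users
    whose instance is saturated (or who have no instance)."""
    load = {inst: 0 for inst in instances}
    for source, gbps in attack_gbps.items():
        inst = catchment.get(source)
        if inst is not None:
            load[inst] += gbps
    saturated = {inst for inst, gbps in load.items() if gbps > capacity_gbps}
    affected = sum(n for client, n in users.items()
                   if catchment.get(client) is None or catchment[client] in saturated)
    per_instance_users = {inst: 0 for inst in instances}
    for client, n in users.items():
        if catchment.get(client) is not None:
            per_instance_users[catchment[client]] += n
    return {
        "load_gbps": load,
        "saturated": sorted(saturated),
        "catchment_users": per_instance_users,
        "affected_users": affected,
        "total_users": sum(users.values()),
    }


def scenario(instances, attack_gbps, capacity_gbps=40):
    """Compute the catchment for a set of active instances and assess the attack."""
    catchment = compute_catchment(TOPOLOGY, instances, USERS)
    return catchment, assess_attack(catchment, instances, USERS, attack_gbps, capacity_gbps)


if __name__ == "__main__":
    # Constructed attack: 60 Gbps in total from two Asian client networks,
    # against instances that each absorb at most 40 Gbps (assumed capacity).
    attack = {"AS311": 30, "AS312": 30}
    static = ["AS100", "AS200"]        # European + North American instances, always on
    dynamic = static + ["AS300"]       # sleeping Asian instance activated on demand
    for label, active in (("static", static), ("dynamic", dynamic)):
        catchment, result = scenario(active, attack)
        print(label, catchment)
        print("  saturated:", result["saturated"],
              "affected users: %d/%d" % (result["affected_users"], result["total_users"]))
```

In the static case both attacking networks fall into the North American instance's catchment, so that instance saturates and 7000 of the 9000 modelled users lose service. Activating the Asian instance pulls the two attacking networks into its own catchment; it saturates instead, but only the 4000 users in that catchment are affected, while the other two instances stay clean. The affected share is therefore the size of the saturated instance's catchment, which is the confinement property the paper relies on, and the same function shows the catchment shift that RQ2 asks about when an instance is added. Replacing the hop-count rule with measured catchments (for example from RIPE Atlas probes) is what turns this toy into the real analysis.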
3 Preliminary Steps
As described above, one of the key components of this research plan is the anycast testbed. There is an existing testbed called PEERING [7], which provides the sort of functionality that is required for the research we intend to carry out. However, access is limited in duration and in functionality, in the sense that experiments are very bandwidth-limited. Therefore, we have started the development of a new anycast testbed in collaboration with SURFnet (the Dutch NREN). Having access to this testbed will allow us to perform experiments without having to rely on models that may or may not be an accurate representation of reality. During the past months we have obtained a /24 IPv4 prefix and a /48 IPv6 prefix, which are of sufficient size to be announceable through BGP. Furthermore, we have started development of an anycast management web interface (TANGLER) that will allow easy control of the announcement of IP prefixes from our anycast instances. The intention is that it will also allow advanced experiments to be performed by scheduling route announcements and withdrawals.
Figure 1 shows the locations of the (planned) anycast instances of our testbed. Nodes are configured using an orchestration tool (Ansible), which makes it trivial to add new instances. In the future we will also focus on creating a more local anycast network in Europe, consisting solely of European nodes. This will allow for studies on the local impacts of DDoS mitigation and routing policies. Once our anycast testbed is fully operational, we plan to open access (restricted by request and nature of research) to other researchers.
Fig. 1. Map of (planned) anycast nodes (legend: Operational, Planned, In progress)
4 Final Considerations
The PhD research outlined in this paper is planned to be carried out in a period of four years, which has started in late 2015 and will end in 2019. The preliminary steps (§3) have been carried out in the first six months.
Acknowledgements. This research is partially funded by SIDN and NLnet Labs through the projects DAS (http://www.das-project.nl) and SAND (http://www.sand-project.nl), by the EU FP7 FLAMINGO NoE (318488), and the SURFnet Research on Networks project.
References
1. Akamai: Q3 2015 State of the Internet Security Report (2015), https://www.akamai.com/us/en/about/news/press/2015-press/akamai-releases-third-quarter-2015-state-of-the-internet-security-report.jsp
2. Anwar, R., Niaz, H., Choffnes, D., Cunha, I., Gill, P., Katz-Bassett, E.: Investigating interdomain routing policies in the wild. In: Proceedings of the 2015 ACM Internet Measurement Conference (IMC ’15), pp. 71–77. ACM, New York, NY, USA (2015), http://doi.acm.org/10.1145/2815675.2815712
3. Liu, Z., Huffaker, B., Fomenkov, M., Brownlee, N., claffy, k.: Two days in the life of the DNS anycast root servers. In: Uhlig, S., Papagiannaki, K., Bonaventure, O. (eds.) Passive and Active Network Measurement, Lecture Notes in Computer Science, vol. 4427, pp. 125–134. Springer Berlin Heidelberg (2007), http://dx.doi.org/10.1007/978-3-540-71617-4_13
4. RIPE NCC: RIPE Atlas (2016), https://ripe.atlas.net
5. Root Server Operators: Events of 2015-11-30 (2015), http://root-servers.org/news/events-of-20151130.txt
6. Santanna, J.J., Sperotto, A.: Characterizing and mitigating the DDoS-as-a-Service phenomenon. In: Monitoring and Securing Virtualized Networks and Services, pp. 74–78. Springer (2014)
7. Schlinker, B., Zarifis, K., Cunha, I., Feamster, N., Katz-Bassett, E.: PEERING: An AS for us. In: Proceedings of the 13th ACM Workshop on Hot Topics in Networks, p. 18. ACM (2014)
8. Sozeri, E.K.: Turkish internet hit with massive DDoS attack (2015), http://www.dailydot.com/politics/turkey-ddos-attack-tk-universities/
9. Teixeira, R., Shaikh, A., Griffin, T., Rexford, J.: Dynamics of hot-potato routing in IP networks. SIGMETRICS Perform. Eval. Rev. 32(1), 307–319 (Jun 2004), http://doi.acm.org/10.1145/1012888.1005723