Stellar: Network Attack Mitigation using Advanced Blackholing

© ACM 2018. This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in Proceedings of the 14th International Conference on Emerging Networking EXperiments and Technologies - CoNEXT ’18, http://dx.doi.org/10.1145/3281411.3281413.Network attacks, including Distributed Denial-of-Service (DDoS), continuously increase in terms of bandwidth along with damage (recent attacks exceed 1.7 Tbps) and have a devastating impact on the targeted companies/governments. Over the years, mitigation techniques, ranging from blackholing to policy-based filtering at routers, and on to traffic scrubbing, have been added to the network operator’s toolbox. Even though these mitigation techniques pro- vide some protection, they either yield severe collateral damage, e.g., dropping legitimate traffic (blackholing), are cost-intensive, or do not scale well for Tbps level attacks (ACL filltering, traffic scrubbing), or require cooperation and sharing of resources (Flowspec). In this paper, we propose Advanced Blackholing and its system realization Stellar. Advanced blackholing builds upon the scalability of blackholing while limiting collateral damage by increasing its granularity. Moreover, Stellar reduces the required level of cooperation to enhance mitigation effectiveness. We show that fine-grained blackholing can be realized, e.g., at a major IXP, by combining available hardware filters with novel signaling mechanisms. We evaluate the scalability and performance of Stellar at a large IXP that interconnects more than 800 networks, exchanges more than 6 Tbps tra c, and witnesses many network attacks every day. Our results show that network attacks, e.g., DDoS amplification attacks, can be successfully mitigated while the networks and services under attack continue to operate untroubled.EC/H2020/679158/EU/Resolving the Tussle in the Internet: Mapping, Architecture, and Policy Making/ResolutioNetDFG, FE 570/4-1, Gottfried Wilhelm Leibniz-Preis 201

Kirin: Hitting the Internet with Millions of Distributed IPv6 Announcements

The Internet is a critical resource in the day-to-day life of billions ofusers. To support the growing number of users and their increasing demands,operators have to continuously scale their network footprint -- e.g., byjoining Internet Exchange Points -- and adopt relevant technologies -- such asIPv6. IPv6, however, has a vastly larger address space compared to itspredecessor, which allows for new kinds of attacks on the Internet routinginfrastructure. In this paper, we present Kirin: a BGP attack that sources millions of IPv6routes and distributes them via thousands of sessions across various IXPs tooverflow the memory of border routers within thousands of remote ASes. Kirin'shighly distributed nature allows it to bypass traditional route-floodingdefense mechanisms, such as per-session prefix limits or route flap damping. Weanalyze the theoretical feasibility of the attack by formulating it as aInteger Linear Programming problem, test for practical hurdles by deploying theinfrastructure required to perform a small-scale Kirin attack using 4 IXPs, andvalidate our assumptions via BGP data analysis, real-world measurements, androuter testbed experiments. Despite its low deployment cost, we find Kirincapable of injecting lethal amounts of IPv6 routes in the routers of thousandsof ASes.<br