The Maestro Attack: Orchestrating Malicious Flows with BGP

We present the Maestro Attack, a Link Flooding Attack (LFA) that leverages Border Gateway Protocol (BGP) engineering techniques to improve the flow density of botnet-sourced Distributed Denial of Service (DDoS) on transit links. Specific-prefix routes poisoned for certain Autonomous Systems (ASes) are advertised by a compromised network operator to channel bot-to-bot ows over a target link. Publicly available AS relationship data feeds a greedy heuristic that iteratively builds a poison set of ASes to perform the attack. Given a compromised BGP speaker with advantageous positioning relative to the target link in the Internet topology, an adversary can expect to enhance flow density by more than 30 percent. For a large botnet (e.g., Mirai), the bottom line result is augmenting the DDoS by more than a million additional infected hosts. Interestingly, the size of the adversary-controlled AS plays little role in this effect; attacks on large core links can be effected by small, resource-limited ASes. Link vulnerability is evaluated across several metrics, including BGP betweenness and botnet flow density, and we assess where an adversary must be positioned to execute the attack most successfully. Mitigations are presented for network operators seeking to insulate themselves from this attack

Taking Back the Internet: Defeating DDoS and Adverse Network Conditions via Reactive BGP Routing

In this work, we present Nyx, a system for mitigating Distributed Denial of Service (DDoS) attacks by routing critical traffic from known benign networks around links under attack from a massively distributed botnet. Nyx alters how Autonomous Systems (ASes) handle route selection and advertisement in the Border Gateway Protocol (BGP) in order to achieve isolation of critical traffic away from congested links onto alternative, less congested paths. Our system controls outbound paths through the normal process of BGP path selection, while return paths from critical ASes are controlled through the use of existing traffic engineering techniques. To prevent alternative paths from including attacked network links, Nyx employs strategic lying in a manner that is functional in the presence of RPKI. Our system only exposes the alternate path to the networks needed for forwarding and those networks\u27 customer cones, thus strategically reducing the number of ASes outside of the critical AS that receive the alternative path. By leaving the path taken by malicious traffic unchanged and limiting the amount of added traffic load placed on the alternate path, our system causes less than 10 ASes on average to be disturbed by our inbound traffic migration.Nyx is the first system that scalably and effectively mitigates transit-link DDoS attacks that cannot be handled by existing and costly traffic filtering or prioritization techniques. Unlike the prior state of the art, Nyx is highly deployable, requiring only minor changes to router policies at the deployer, and requires no assistance from external networks. Using our own Internet-scale simulator, we find that in more than 98% of cases our system can successfully migrate critical traffic off of the network segments under transit-link DDoS. In over 98% of cases, the alternate path provides some degree of relief over the original path. Finally, in over 70% of cases where Nyx can migrate critical traffic off attacked segments, the new path has sufficient capacity to handle the entire traffic load without congestion

Understanding and Advancing the Status Quo of DDoS Defense

Two decades after the first distributed denial-of-service (DDoS) attack, the Internet remains challenged by DDoS attacks as they evolve. Not only is the scale of attacks larger than ever, but they are also harder to detect and mitigate. Nevertheless, the Internet's fundamental design, based on which machines are free to send traffic to any other machines, remains the same. This thesis reinvestigates the prior DDoS defense solutions to find less studied but critical issues in existing defense solutions. It proposes solutions to improve the input, design, and evaluation of DDoS defense. Specifically, we show why DDoS defense systems need a better view of the Internet's traffic at the autonomous system (AS) level. We use a novel attack to expose the inefficiencies in the existing defense systems. Finally, we reason why a defense solution needs a sound empirical evaluation and provide a framework that mimics real-world networks to facilitate DDoS defense evaluation. This dissertation includes published and unpublished co-authored materials

A Deception Planning Framework for Cyber Defense

The role and significance of deception systems such as honeypots for slowing down attacks and collecting their signatures are well-known. However, the focus has primarily been on developing individual deception systems, and very few works have focused on developing strategies for a synergistic and strategic combination of these systems to achieve more ambitious deception goals. The objective of this paper is to lay a scientific foundation for cyber deception planning, by (1) presenting a formal deception logic for modeling cyber deception, and (2) introducing a deception framework that augments this formal modeling with necessary quantitative reasoning tools to generate coordinated deception plans. To show expressiveness and evaluate effectiveness and overhead of the framework, we use it to model and solve two important deception planning problems: (1) strategic honeypot planning, and (2) deception planning against route identification. Through these case studies, we show that the generated deception plans are highly effective and outperform alternative random and unplanned deception strategies