    Anycast Agility: Adaptive Routing to Manage DDoS

    IP Anycast is used for services such as DNS and Content Delivery Networks to provide the capacity to handle Distributed Denial-of-Service (DDoS) attacks. During a DDoS attack, service operators may wish to redistribute traffic between anycast sites to take advantage of sites with unused or greater capacity. Depending on site traffic and attack size, operators may instead choose to concentrate attackers in a few sites to preserve operation in others. Previously, service operators have taken these actions during attacks, but how to do so has not been described publicly. This paper meets that need, describing methods to use BGP to shift traffic when under DDoS that can build a "response playbook". Operators can use this playbook, with our new method to estimate attack size, to respond to attacks. We also explore constraints on responses seen in an anycast deployment.

    Comment: 18 pages, 15 figures.

    Artifacts - Anycast Agility: Network Playbooks to Fight DDoS

    In this document, we provide datasets and software tools related to our paper "Anycast Agility: Network Playbooks to Fight DDoS". Our artifact contains several datasets generated from our anycast experiments and analysis. Our datasets provide a snapshot of the results that we generated during our experiments. Some of our experimental results are dependent on the current state of the network interconnections and policies. However, due to anycast stability, we expect to get similar results if we redo the experiments now. Our published datasets support our key results and are publicly available. We also provide tools and scripts that can be useful for other researchers. We provide datasets and tools for measuring anycast agility against DDoS. Our datasets are available upon request. We provide datasets about the traffic distribution after BGP changes in testbeds, attack data from a DNS root server and from the Dutch National Scrubbing Center, other data related to anycast catchment stability, and other supporting data for our software tools. We provide code for traffic estimation, for reproducing experiments, and for parsing the collected data.

    This work is supported, in part, by the DHS HSARPA Cyber Security Division via contract number HSHQDC-17-R-B0004-TTA.02-0006-I and the Netherlands Organisation for Scientific Research (4019020199).

    Sensing the Noise: Uncovering Communities in Darknet Traffic

    Darknets are ranges of IP addresses advertised without answering any traffic. Darknets help to uncover interesting network events, such as misconfigurations and network scans. Interpreting darknet traffic helps against cyber-attacks; e.g., malware often reaches darknets when scanning the Internet for vulnerable devices. The traffic reaching darknets is however voluminous and noisy, which calls for efficient ways to represent the data and highlight possibly important events. This paper evaluates a methodology to summarize packets reaching darknets. We represent the darknet activity as a graph, which captures remote hosts contacting the darknet nodes' ports, as well as the frequency at which each port is reached. From these representations, we apply community detection algorithms in the search for patterns that could represent coordinated activity. By highlighting such activities we are able, for example, to group together IP addresses that predominantly engage in contacting specific targets, or, vice versa, to identify targets which are frequently contacted together, for exploiting the vulnerabilities of a given service. The network analyst can recognize from the community detection results, for example, that a group of hosts has been infected by a botnet and is currently scanning the network in search of vulnerable services (e.g., SSH and Telnet, among the most commonly targeted). Such information is impossible to obtain when analyzing the behavior of single sources, or packets one by one. All in all, our work is a first step towards a comprehensive aggregation methodology to automate the analysis of darknet traffic, a fundamental aspect of the recognition of coordinated and anomalous events.

    SPAM Control Based on Pre-detection of the Mail Relay Vulnerability

    This article describes the activities carried out at CERT-RS / POP-RS in handling SPAM incidents. As a methodology of action, we sought to create a system for the pre-detection of hosts vulnerable to mail relay, which are the largest amplifiers of SPAM across the Internet. We report here the experiences and results obtained over one year of using this system.