
    Improving Anycast with Measurements

    Since the first Distributed Denial-of-Service (DDoS) attacks were launched, the strength of such attacks has been steadily increasing, from a few megabits per second to well into the terabit-per-second range. The damage these attacks cause, mostly in terms of financial cost, has prompted researchers and operators alike to investigate and implement mitigation strategies. Examples of such strategies include local filtering appliances, Border Gateway Protocol (BGP)-based blackholing, and outsourced mitigation in the form of cloud-based DDoS protection providers. Some of these strategies are better suited to high-bandwidth DDoS attacks than others. For example, with a local filtering appliance all attack traffic still passes through the owner's network, which inherently limits the capacity of such a device to the bandwidth that is available. BGP blackholing has no such limitation, but can, as a side effect, cause service disruptions for end users. A different strategy, which has attracted little attention in academia, is based on anycast. Anycast is a technique that allows operators to replicate a service across different physical locations while keeping that service addressable with a single IP address. It relies on BGP to load-balance users across those locations. In practice it is combined with other mitigation strategies to allow them to scale: operators can use anycast to scale their mitigation capacity horizontally. Because anycast relies on BGP, and therefore in essence on the Internet itself, it can be difficult for network engineers to fine-tune this balancing behavior. In this thesis we show that this is indeed the case through two case studies. In the first, we focus on an anycast service during normal operations, namely Google Public DNS, and show that routing within this service is far from optimal, for example in terms of the distance between client and server.
    In the second case study we observe the root DNS while it is under attack and show that, even though in aggregate the bandwidth available to this service exceeded the attack we observed, clients still experienced service degradation. This degradation was caused by some sites of the anycast service receiving a much higher share of the traffic than others. For operators to improve their anycast networks, and to optimize them for resilience against DDoS attacks, a method to assess the actual state of such a network is required. Existing methodologies typically rely on external vantage points, such as those provided by RIPE Atlas, and are therefore limited in scale and inherently biased in their distribution. We propose a new measurement methodology, named Verfploeter, to assess the characteristics of anycast networks in terms of client-to-Point-of-Presence (PoP) mapping, i.e. the anycast catchment. This method does not rely on external vantage points, is free of bias, and offers a much higher resolution than any previous method. We validated the methodology by deploying it on a locally developed testbed as well as on the B root DNS. We showed that the increased resolution of this methodology improved our ability to assess the impact of changes in network configuration compared with previous methodologies. As a final validation we implemented Verfploeter on Cloudflare's global-scale anycast Content Delivery Network (CDN), which has almost 200 Points-of-Presence worldwide and an aggregate bandwidth of 30 Tbit/s. Through three real-world use cases we demonstrate the benefits of the methodology. Firstly, we show that the changes that occur when withdrawing routes from certain PoPs can be accurately mapped, and that in certain cases the effect of taking down a combination of PoPs can be calculated from individual measurements.
    Secondly, we show that Verfploeter largely reinstates the ping to its former glory, showing how it can be used to troubleshoot network connectivity issues in an anycast context. Thirdly, we demonstrate how accurate anycast catchment maps offer operators a new and highly accurate tool to identify and filter spoofed traffic. Where possible, we make the datasets collected over the course of this research available as open access data. The two best (open) dataset awards these datasets received confirm that they are a valued contribution. In summary, we have investigated two large anycast services and shown that their deployments are not optimal. We developed a novel measurement methodology that is free of bias and able to obtain highly accurate anycast catchment mappings. By implementing this methodology and deploying it on a global-scale anycast network, we show that our method adds significant value to the fast-growing anycast CDN industry and enables new ways of detecting, filtering and mitigating DDoS attacks.
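    The third use case above, filtering spoofed traffic with a catchment map, rests on a simple consistency check: a packet whose source address the map places in the catchment of PoP A, but which arrives at PoP B, cannot have come from a genuine host in that prefix, so the source is probably spoofed. The following is an added illustration of that check, not code from the thesis, from Verfploeter, or from Cloudflare. It assumes the operator already holds a prefix-to-PoP catchment map from a Verfploeter-style measurement; the map, the PoP names (ams, fra, sjc, lax) and the packet samples are constructed for the example, using RFC 5737 documentation ranges in place of real client networks.

```python
"""Catchment-consistency check for spoofed-source filtering at an anycast PoP.

Added illustration, not code from the thesis, Verfploeter or Cloudflare.
Assumes an operator already has a catchment map (which client prefix lands
at which PoP); the map, PoP names and packet samples are constructed.
"""
import ipaddress
from collections import Counter

# Constructed catchment map: client prefix -> PoP that receives that prefix's traffic.
# RFC 5737 documentation ranges stand in for real client networks.
CATCHMENT = {
    "192.0.2.0/24": "ams",
    "198.51.100.0/24": "fra",
    "203.0.113.0/25": "sjc",
    "203.0.113.128/25": "lax",
}


def build_catchment(mapping):
    """Parse the map once, most-specific prefix first so the first hit is the longest match."""
    entries = [(ipaddress.ip_network(p), pop) for p, pop in mapping.items()]
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries


def expected_pop(catchment, src):
    """Return the PoP the catchment map predicts for src, or None if the prefix is unmapped."""
    addr = ipaddress.ip_address(src)
    for net, pop in catchment:
        if addr in net:
            return pop
    return None


def classify(catchment, packets):
    """Label each (source address, PoP that observed it) pair.

    'consistent': src maps to the PoP that saw it; nothing to say either way.
    'suspect':    src maps to a different PoP. A genuine client in that prefix
                  would not have reached this PoP, so the source is likely
                  spoofed (or the catchment moved since the map was taken).
    'unmapped':   no measurement for this prefix; cannot judge.
    """
    out = []
    for src, arrived_at in packets:
        want = expected_pop(catchment, src)
        if want is None:
            verdict = "unmapped"
        elif want == arrived_at:
            verdict = "consistent"
        else:
            verdict = "suspect"
        out.append((src, arrived_at, want, verdict))
    return out


def suspect_sources(catchment, packets):
    """Sources a PoP could drop or rate-limit: only those flagged 'suspect'."""
    return sorted({src for src, _, _, v in classify(catchment, packets) if v == "suspect"})


def summarize(catchment, packets):
    """Count verdicts, e.g. to watch the suspect share rise during an attack."""
    return Counter(v for *_, v in classify(catchment, packets))


# Constructed packet sample: (source address, PoP that saw the packet).
PACKETS = [
    ("192.0.2.10", "ams"),      # consistent
    ("192.0.2.11", "sjc"),      # suspect: ams prefix seen at sjc
    ("198.51.100.7", "fra"),    # consistent
    ("203.0.113.5", "sjc"),     # consistent (longest match /25 -> sjc)
    ("203.0.113.200", "sjc"),   # suspect: its /25 maps to lax
    ("192.0.2.11", "sjc"),      # same spoofed source again
    ("10.9.8.7", "ams"),        # unmapped: no measurement for this prefix
]

if __name__ == "__main__":
    cm = build_catchment(CATCHMENT)
    for row in classify(cm, PACKETS):
        print(row)
    print(summarize(cm, PACKETS))
    print("drop:", suspect_sources(cm, PACKETS))
```

    The check is only as good as the map is fresh: the first use case above shows that withdrawing routes from a PoP moves prefixes between catchments, so a map taken before a routing change will flag legitimate clients as suspect afterwards. Re-measure after any announcement change, and treat "unmapped" as unknown rather than as suspect.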

    Anycast and its potential for DDoS mitigation

    IP anycast is widely used to distribute essential Internet services, such as DNS, across the globe. One of the main reasons for doing so is to increase the redundancy of the service and reduce the impact of the growing threat of DDoS attacks. IP anycast can further be used to mitigate DDoS attacks by confining the attack traffic to certain areas, which may leave the targeted service unavailable only to a fraction of its users. In this PhD research we aim to investigate how IP anycast can be optimized, both statically and dynamically, to support the mitigation of DDoS attacks.

    Genetic Dissection of a Super Enhancer Controlling the Nppa-Nppb Cluster in the Heart

    RATIONALE: ANP (atrial natriuretic peptide) and BNP (B-type natriuretic peptide), encoded by the clustered genes Nppa and Nppb, are important prognostic, diagnostic, and therapeutic proteins in cardiac disease. The spatiotemporal expression pattern and stress induction of Nppa and Nppb are tightly regulated, possibly involving their coregulation by an evolutionarily conserved enhancer cluster. OBJECTIVE: To explore the physiological functions of the enhancer cluster and elucidate the genomic mechanism underlying Nppa-Nppb coregulation in vivo. METHODS AND RESULTS: By analyzing epigenetic data we uncovered an enhancer cluster with super enhancer characteristics upstream of Nppb. Using CRISPR/Cas9 genome editing, the enhancer cluster or parts thereof, Nppb and flanking regions, or the entire genomic block spanning Nppa-Nppb, respectively, were deleted from the mouse genome. The impact on gene regulation and phenotype of the respective mouse lines was investigated by transcriptomic, epigenomic, and phenotypic analyses. The enhancer cluster was essential for prenatal and postnatal ventricular expression of Nppa and Nppb but not of any other gene. Enhancer cluster-deficient mice showed enlarged hearts before and after birth, similar to the Nppa-Nppb compound knockout mice we generated. Analysis of the other deletion alleles indicated that the enhancer cluster engages the promoters of Nppa and Nppb in a competitive rather than a cooperative mode, resulting in increased Nppa expression when Nppb and flanking sequences were deleted. The enhancer cluster maintained its active epigenetic state and selectivity when its target genes were absent. In enhancer cluster-deficient animals, Nppa was induced but remained low in the post-myocardial infarction border zone and in the hypertrophic ventricle, involving regulatory sequences proximal to Nppa.
    CONCLUSIONS: Coordinated ventricular expression of Nppa and Nppb is controlled in a competitive manner by a shared super enhancer, which is also required to augment stress-induced expression and to prevent premature hypertrophy.