IP anycast is used for services such as DNS and Content Delivery Networks to
provide the capacity to absorb Distributed Denial-of-Service (DDoS) attacks.
During a DDoS attack, service operators may wish to redistribute traffic between
anycast sites to take advantage of sites with unused or greater capacity.
Depending on site traffic and attack size, operators may instead choose to
concentrate attackers at a few sites in order to preserve operation at the others.
Service operators have taken such actions during past attacks, but how to do so
has not been described publicly. This paper meets that need, describing
BGP-based methods for shifting traffic while under DDoS that operators can use
to build a "response playbook". Operators can apply this playbook, together with
our new method for estimating attack size, to respond to attacks. We also
explore the constraints on such responses observed in a real anycast deployment.

Comment: 18 pages, 15 figures