![Page 1: Dr. Matthias Wichtlhuber DE-CIXFlowspec •Configures rules at neighbor network •Filters at arbitrary granularity •Cooperation required ... Advanced Blackholing Signaling (BGP](https://reader033.vdocument.in/reader033/viewer/2022052804/604b43a802e7d863d348e50e/html5/thumbnails/1.jpg)
1www.de-cix.net
Dr. Matthias Wichtlhuber, DE-CIX
New dimensions of DDoS protection
Christoph Dietzel §*, Matthias Wichtlhuber *, Georgios Smaragdakis §, Anja Feldmann #
§ TU Berlin, * DE-CIX, # MPI
Volumetric DDoS Attacks
(timeline of peak attack volumes)
‘15: 200 Gbps
‘16: 1 Tbps
‘18: 1.7 Tbps
‘19: ? Tbps
ISP DDoS Defense Toolbox
ACL
• Filters at arbitrary granularity
• Vendor-specific
• Per device config
TSS (Traffic Scrubbing Services)
• Carefree service
• Redirects traffic to scrubbing centers
• On-demand vs. always on
Flowspec
• Configures rules at neighbor network
• Filters at arbitrary granularity
• Cooperation required
RTBH
• Configures rules at neighbor network
• Filters at IP granularity
• Cooperation required
DDoS Defense at IXPs
Combine good properties of existing solutions
Eradicate current shortcomings
+ IXPs offer services to hundreds of ASes
+ IXPs have multiple Tbps capacity
+ Trusted part of the Internet community
Blackholing at IXPs
(diagram: blackholing at an IXP, steps ① and ②)
Blackholing at IXPs
(diagram: blackholing at an IXP, steps ① to ③)
Blackholing – Limitations
Blocks unwanted and wanted traffic
Behavior is hard to predict
No effect on a subset of peerings
(diagram: step ③ of the blackholing setup)
Blackholing – Limitations
Relative traffic of 40GE IXP port
Mostly web traffic (80, 443, …)
Attack 70% memcached traffic
Still significant share of web traffic
Collateral damage!
Blackholing – Limitations
All or nothing approach
Prefix granularity
Per peer selection at IXPs
Blackholing traffic:
99.94% UDP
Expected L4 ports (NTP, LDAP, …)
More granularity needed!
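The collateral damage of the preceding two slides can be made concrete with a small filter model. The following is an added example, not code from the slides or from DE-CIX: it scores a classic /32 blackhole against a fine-grained filter (UDP source port 11211, i.e. memcached reflection) and a shaping variant over a constructed set of flows in which roughly 70% of the traffic towards the victim is attack traffic and the rest is ordinary web and DNS traffic. All addresses, ports, rates and the `Rule`/`Flow` types are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, List, Dict


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    sport: int
    dport: int
    mbps: float
    attack: bool    # ground-truth label, used only to score the filter


# Constructed sample traffic towards one customer /32 under a memcached
# reflection attack (UDP source port 11211) while web and DNS traffic continues.
FLOWS: List[Flow] = [
    Flow("192.0.2.10", "198.51.100.7", "tcp", 51000, 443, 120.0, False),
    Flow("192.0.2.11", "198.51.100.7", "tcp", 51001, 80, 60.0, False),
    Flow("192.0.2.53", "198.51.100.7", "udp", 53, 41000, 20.0, False),
    Flow("203.0.113.5", "198.51.100.7", "udp", 11211, 5000, 300.0, True),
    Flow("203.0.113.6", "198.51.100.7", "udp", 11211, 5001, 120.0, True),
    # neighbouring host in the same /24, not under attack
    Flow("192.0.2.12", "198.51.100.9", "tcp", 51002, 443, 40.0, False),
]


@dataclass(frozen=True)
class Rule:
    dst: str                           # destination prefix, e.g. "198.51.100.7/32"
    proto: Optional[str] = None        # None matches any value
    sport: Optional[int] = None
    dport: Optional[int] = None
    action: str = "drop"               # "drop" or "shape"
    rate_mbps: Optional[float] = None  # aggregate cap used by "shape"


def matches(rule: Rule, flow: Flow) -> bool:
    """Prefix match on the destination plus optional L4 header fields."""
    if ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto.lower() != flow.proto.lower():
        return False
    if rule.sport is not None and rule.sport != flow.sport:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def evaluate(rules: List[Rule], flows: List[Flow]) -> Dict[str, float]:
    """Apply first-match rules and report attack vs. legitimate Mbps passed/dropped."""
    totals = {"attack_dropped": 0.0, "attack_passed": 0.0,
              "legit_dropped": 0.0, "legit_passed": 0.0}
    groups: List[List[Flow]] = [[] for _ in rules]
    for f in flows:
        for i, r in enumerate(rules):
            if matches(r, f):
                groups[i].append(f)
                break
        else:
            totals["attack_passed" if f.attack else "legit_passed"] += f.mbps
    for r, group in zip(rules, groups):
        total = sum(f.mbps for f in group)
        if r.action == "drop":
            keep = 0.0
        elif r.action == "shape":
            if r.rate_mbps is None:
                raise ValueError("shape rule needs rate_mbps")
            # share the cap proportionally across the matched flows
            keep = 1.0 if total == 0 else min(1.0, r.rate_mbps / total)
        else:
            raise ValueError(f"unknown action {r.action}")
        for f in group:
            kind = "attack" if f.attack else "legit"
            totals[f"{kind}_passed"] += f.mbps * keep
            totals[f"{kind}_dropped"] += f.mbps * (1.0 - keep)
    return {k: round(v, 1) for k, v in totals.items()}


RTBH = [Rule("198.51.100.7/32")]                                   # prefix granularity only
FINE = [Rule("198.51.100.7/32", proto="udp", sport=11211)]         # header-field granularity
SHAPE = [Rule("198.51.100.7/32", proto="udp", sport=11211,
              action="shape", rate_mbps=100.0)]

if __name__ == "__main__":
    for name, rules in (("RTBH /32", RTBH), ("fine drop", FINE), ("fine shape", SHAPE)):
        print(name, evaluate(rules, FLOWS))
```

With these inputs the /32 blackhole removes the 420 Mbps of attack traffic but also all 200 Mbps of legitimate traffic to the victim, while the source-port rule removes the same attack traffic with zero collateral loss; the shaping rule keeps a bounded 100 Mbps of the matched traffic flowing, which is what the later measurement slide calls "drop / shape".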
Blackholing – Limitations
How “ineffective” can it be?
NTP DDoS attack
AS at IXP via ML peering
Attacks for 10 min to /32
Drop all traffic to /32
Traffic: 800 to 600 Mbps
Peers: 38 to 26
Signaling too complex!
Advanced Blackholing Requirements
Granularity
Fine-grained filtering (src/dst header fields)
Signaling complexity
Easy to use, short setup time
Cooperation
Lower levels of cooperation among the involved parties
Telemetry
Feedback on the state of the attack at any time
Scalability
Scale in terms of performance, filters, reaction time, config complexity
Cost
Meeting all requirements with min. invest (CAPEX & OPEX)
Advanced Blackholing System
(diagram: system components, steps ① to ④)
Advanced Blackholing System
Advanced Blackholing Signaling (BGP part)
Building Blocks
Granularity
- UDP, TCP, Ports, …
Signaling complexity
- BGP communities or API
Cooperation
- Enforced by IXP
Telemetry
- Monitoring with statistics
Scalability
- Line-rate in hardware
Cost
- Implemented in existing hardware
Implementation Challenges
BGP processing
Integration with existing configuration proxy
Why not FlowSpec?
Does it Scale?
Scalability wrt. number of filters & IXP ports (of switches/routers)
TCAM to match header fields
System limits & port limits (total/max no. of filters per port)
Results on next slide
Scalability wrt. configuration update frequency limits (of config proxy)
Allows 4.33 filter updates per second
70% of BH updates below 1 second
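The two scalability questions on this slide (hardware filter slots per port and per system, and the update rate of the configuration proxy) can be checked with a small admission model. This is an added example, not code from the slides or from DE-CIX's system. The only figure taken from the deck is the 4.33 filter updates per second; the member count, the per-port and system-wide filter limits and the filters-per-member values are constructed placeholders, since the slides say the real limits come from a stress test but do not state them.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Rate of the configuration proxy as reported on the slide.
UPDATES_PER_SECOND = 4.33


@dataclass
class FilterCapacity:
    """Admission control for hardware (TCAM) filter slots.

    system_max and per_port_max are constructed placeholders standing in
    for the limits a real stress test would produce."""
    system_max: int
    per_port_max: int
    installed: Dict[str, Set[str]] = field(default_factory=dict)  # port -> rule ids

    def total(self) -> int:
        return sum(len(rules) for rules in self.installed.values())

    def install(self, port: str, rule_id: str) -> bool:
        """Return True if the filter fits; a re-install of an existing rule is a no-op."""
        port_rules = self.installed.setdefault(port, set())
        if rule_id in port_rules:
            return True
        if len(port_rules) >= self.per_port_max:
            return False          # port limit reached
        if self.total() >= self.system_max:
            return False          # system limit reached
        port_rules.add(rule_id)
        return True

    def remove(self, port: str, rule_id: str) -> bool:
        port_rules = self.installed.get(port, set())
        if rule_id not in port_rules:
            return False
        port_rules.discard(rule_id)
        return True


def stress_test(members: int, fraction_using: float, filters_per_member: int,
                per_port_max: int, system_max: int) -> Dict[str, int]:
    """Model the slide's stress test: a fraction of member ASes each install
    filters_per_member rules on their own port and we count what fits."""
    cap = FilterCapacity(system_max=system_max, per_port_max=per_port_max)
    active = int(members * fraction_using)
    rejected = 0
    for m in range(active):
        for k in range(filters_per_member):
            if not cap.install(f"port{m}", f"rule{k}"):
                rejected += 1
    return {"active_members": active,
            "requested": active * filters_per_member,
            "installed": cap.total(),
            "rejected": rejected}


def apply_delay_seconds(pending_updates: int, rate: float = UPDATES_PER_SECOND) -> float:
    """Time until a backlog of pending filter updates has been pushed by the proxy."""
    if pending_updates < 0:
        raise ValueError("pending_updates must be non-negative")
    return pending_updates / rate


if __name__ == "__main__":
    for share in (0.2, 0.6, 1.0):
        print(share, stress_test(100, share, 10, per_port_max=16, system_max=400))
    print("delay for 13 queued updates:", round(apply_delay_seconds(13), 2), "s")
```

Running the stress test at 20%, 60% and 100% member participation shows where the system limit, rather than the per-port limit, becomes the binding constraint; that crossover is what the deck describes as "this defines our configured limits". The delay helper makes the second point visible: a single queued update is applied well under a second, but a burst of a dozen or more takes several seconds at 4.33 updates per second.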
Stress Test on IXP’s Hardware
20% of IXP member ASes using the service
60% of IXP member ASes using the service
100% of IXP member ASes using the service
This defines our configured limits
Measurement Experiment
How “effective” is it?
NTP DDoS attack
AS at IXP via ML peering
Attacks for 10 min to /32
Drop / shape UDP NTP
Traffic: 1000 to 200 to 0 Mbps
Peers: 60 to (almost) 0
Summary
A number of DDoS mitigation solutions exist, but …
We identify and measure Blackholing limitations
We propose Advanced Blackholing, combining the benefits of today’s DDoS defenses and overcoming their problems
We implement a new system with a BGP and API interface
We evaluated and proved scalability
Q & A
matthias (dot) wichtlhuber(at) de-cix.net