Abstract
DDoS attacks remain a serious threat not only to the edge of the Internet but also to the core peering links at Internet Exchange Points (IXPs). Currently, the main mitigation technique is to blackhole traffic to a specific IP prefix at upstream providers. Blackholing is an operational technique that allows a peer to announce a prefix via BGP to another peer, which then discards traffic destined for this prefix. However, as far as we know there is only anecdotal evidence of the success of blackholing.
Largely unnoticed by research communities, IXPs have deployed blackholing as a service for their members. In this first-of-its-kind study, we shed light on the extent to which blackholing is used by the IXP members and what effect it has on traffic.
Within a 12-week period we found that traffic to more than 7,864 distinct IP prefixes was blackholed by 75 ASes. The daily patterns emphasize that there is not only a highly variable number of new announcements every day but, surprisingly, also a consistently high number of announcements (\(>1000\)). Moreover, we highlight situations in which blackholing succeeds in reducing the DDoS attack traffic.
Acknowledgments
We thank all our colleagues for their feedback, and the reviewers for their suggestions. This work is supported by the European Union's Horizon 2020 research and innovation programme under the ENDEAVOUR project (grant agreement 644960) and by the German Federal Ministry of Education and Research (BMBF Grant 01IS14009D BDSec).
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Dietzel, C., Feldmann, A., King, T. (2016). Blackholing at IXPs: On the Effectiveness of DDoS Mitigation in the Wild. In: Karagiannis, T., Dimitropoulos, X. (eds) Passive and Active Measurement. PAM 2016. Lecture Notes in Computer Science, vol 9631. Springer, Cham. https://doi.org/10.1007/978-3-319-30505-9_24
DOI: https://doi.org/10.1007/978-3-319-30505-9_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-30504-2
Online ISBN: 978-3-319-30505-9
eBook Packages: Computer Science (R0)