Down the Black Hole: Dismantling Operational Practices of BGP Blackholing at IXPs (PowerPoint presentation)



  1. Down the Black Hole: Dismantling Operational Practices of BGP Blackholing at IXPs. Marcin Nawrocki, Jeremias Blendin, Christoph Dietzel, Thomas C. Schmidt, Matthias Wählisch

  2. Christmas is near! (image: https://www.shutterstock.com/video/clip-1584091-small-red-christmas-present-looping-on-white)

  3. (image-only slide)

  4. I hate Christmas ... (image: https://indac.org/blog/the-grinch-official-trailer-3/)

  5. I hate Christmas ... (images: https://indac.org/blog/the-grinch-official-trailer-3/, https://blogvaronis2.wpengine.com/wp-content/uploads/2019/09/ddos-attack-hero-1200x401.png)

  6. (image-only slide)

  7. The Internet suffers DDoS: the problem! Blackholing: the solution?

  8. Common (mis)belief: Blackholing is an effective measure to mitigate DDoS.

  9. Common (mis)belief? Blackholing is an effective measure to mitigate DDoS?

  10. Our results. In a nutshell.
      Efficiency: Blackholing drops only 50% of unwanted traffic. Fine-grained blacklisting of attack signatures is an effective mitigation strategy.
      Use Cases: Only 27% of Blackhole Events correlate with DDoS. Other use cases exist for Blackholing but are very rare.

  11. Agenda
      I. Background: How does BGP Blackholing work at IXPs?
      II. Deployment Status: How well deployed is Blackholing in the real world?
      III. Future Enhancements: How should we configure fine-grained filtering?

  12. I. How does BGP Blackholing work at IXPs? (image: https://www.hasepost.de/freiwillige-feuerwehr-sammelt-tannenbaeume-ein-2114/)

  13. Remotely-Triggered Blackholing at IXPs (diagram: Peer AS 1, Peer AS 2 and Peer AS 3 connect over the IXP peering platform and its route server to the Victim AS, which hosts a webserver)

  14. Remotely-Triggered Blackholing at IXPs (diagram: DDoS traffic and legitimate traffic both cross the IXP towards the victim's webserver)

  15. Remotely-Triggered Blackholing at IXPs (diagram: the Victim AS sends a BGP signal, RTBH for 1.2.3.4/32, to the route server; the IXP blackholes traffic to the webserver at IP 1.2.3.4)

  16. Remotely-Triggered Blackholing at IXPs (diagram: BGP signal RTBH for /32, traffic to the webserver is blackholed). That's the simple case. BGP policies apply in the real world.

  17. Remotely-Triggered Blackholing and BGP Policies (diagram: the Victim AS sends the BGP signal RTBH for 1.2.3.4/32 to the route server; Peer AS 1 has a BGP rejection policy)

  18. Remotely-Triggered Blackholing and BGP Policies (diagram: Peer AS 1 with a BGP rejection policy; blackhole at the IXP)

  19. II. How well deployed is BGP Blackholing in the real world? (image: https://unternehmensberatungralfmueller.wordpress.com/2011/12/15/weihnachten-einfach-weihnachten/)

  20. Our measurement approach: one of the world's largest IXPs as a central vantage point. Holistic view: >100 days, all related data, no exceptions!

  21. Our measurement approach (continued). BGP data:
      • All RTBH messages from all route servers (BGP signal: RTBH for 1.2.3.4/32)
      • RTBH announcements identifiable by BGP community and next-hop IP

  22. Our measurement approach (continued). Flow data:
      • All packets from/to prefixes which have been blackholed at least once (DDoS traffic and legitimate traffic)
      • All packets which traverse the public switch fabric (sampling: 1/10000)
      • Dropped packets identifiable by special MAC address

  23. Our measurement approach (continued): BGP data and flow data as above. We verified: time is in sync!

  24. Do all IXP members accept RTBH announcements?

  25. Successful mitigation depends on the announced RTBH prefix length.

  26. Successful mitigation depends on the announced RTBH prefix length.

  27. Successful mitigation depends on the announced RTBH prefix length. /32-RTBHs have a mean drop rate of 50%. But they cover 99% of the to-be-blackholed traffic.

  28. How fast do IXP members react to DDoS events?

  29. Measurement challenge: multiple RTBHs cover the same attack.

  30. Measurement challenge: multiple RTBHs cover the same attack.

  31. Measurement challenge: multiple RTBHs cover the same attack. Multiple RTBHs!

  32. Measurement challenge: multiple RTBHs cover the same attack. Time-based clustering of RTBHs.

  33. Measurement challenge: multiple RTBHs cover the same attack. What happens before RTBH Events?
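As an added example (not code from the paper or the IXP), the two measurement steps described on slides 21 and 29 to 33: picking RTBH announcements out of route-server updates by community and next-hop, then clustering announcements for the same prefix into one RTBH event by time. The BLACKHOLE community 65535:666 is the well-known value from RFC 7999; the next-hop address, the 10-minute gap and the update records are constructed assumptions.

```python
"""Pick RTBH announcements out of route-server BGP updates and cluster them
into RTBH events by time.  Added example; the next-hop address, the gap and
the update records are constructed placeholders, not the IXP's real values."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# RFC 7999 defines the well-known BLACKHOLE community 65535:666.  Many IXPs
# additionally require a fixed blackhole next-hop; this one is a placeholder.
BLACKHOLE_COMMUNITY = "65535:666"
BLACKHOLE_NEXT_HOP = "192.0.2.254"      # constructed (TEST-NET-1)


@dataclass(frozen=True)
class Update:
    ts: int                 # unix seconds of the route-server update
    origin_as: int          # AS that announced the route
    prefix: str
    next_hop: str
    communities: Tuple[str, ...]


def is_rtbh(u: Update) -> bool:
    """Slide 21: RTBH announcements are identifiable by BGP community
    and next-hop IP.  Either marker is enough to count the update."""
    return BLACKHOLE_COMMUNITY in u.communities or u.next_hop == BLACKHOLE_NEXT_HOP


def cluster_events(updates: Iterable[Update], gap: int = 600) -> List[Tuple[str, int, int, int]]:
    """Slide 32: several RTBH announcements for one prefix that arrive within
    `gap` seconds of each other are counted as a single RTBH event.
    Returns (prefix, first_ts, last_ts, number_of_announcements) per event."""
    rtbh = sorted((u for u in updates if is_rtbh(u)), key=lambda u: (u.prefix, u.ts))
    events: List[Tuple[str, int, int, int]] = []
    for u in rtbh:
        if events and events[-1][0] == u.prefix and u.ts - events[-1][2] <= gap:
            prefix, first, _, n = events[-1]
            events[-1] = (prefix, first, u.ts, n + 1)
        else:
            events.append((u.prefix, u.ts, u.ts, 1))
    return events


# Constructed sample: one victim re-announcing a /32 during an attack, a
# further announcement for the same /32 an hour later, an ordinary route
# and an RTBH that is recognisable by next-hop only.
SAMPLE_UPDATES = [
    Update(1000, 64500, "203.0.113.7/32", "192.0.2.254", ("65535:666",)),
    Update(1120, 64500, "203.0.113.7/32", "192.0.2.254", ("65535:666",)),
    Update(1300, 64500, "203.0.113.7/32", "192.0.2.254", ("65535:666",)),
    Update(1150, 64502, "198.51.100.0/24", "192.0.2.1", ("64512:100",)),
    Update(5000, 64500, "203.0.113.7/32", "192.0.2.254", ("65535:666",)),
    Update(2000, 64503, "203.0.113.9/32", "192.0.2.254", ()),
]

if __name__ == "__main__":
    for prefix, first, last, n in cluster_events(SAMPLE_UPDATES):
        print(f"{prefix}: {n} announcement(s), {first}..{last}")
```

With the constructed updates, the three announcements for 203.0.113.7/32 within five minutes collapse into one event, the announcement an hour later opens a second event, and the ordinary route is ignored; the gap value is the knob that decides how many "RTBH events" a noisy victim produces.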

  34. Analysis of 72 hours before an RTBH Event. Use a sliding window algorithm (EWMA) to infer whether one of the monitored features exhibits an anomalous peak:
      i. number of packets
      ii. number of unique destination ports
      iii. number of flows
      iv. number of unique source IP addresses
      v. number of non-TCP flows

  35. Analysis of 72 hours before an RTBH Event. Use a sliding window algorithm (EWMA) to infer whether one of the monitored features exhibits an anomalous peak:
      i. number of packets (Amplification Attacks)
      ii. number of unique destination ports
      iii. number of flows (TCP SYN Attacks)
      iv. number of unique source IP addresses
      v. number of non-TCP flows (GRE Floods)
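An added example, not the paper's code, of the EWMA sliding-window check from slide 34 run over the 72 hours before an RTBH event: each per-minute feature is compared against an exponentially weighted mean and variance, and a sample more than k standard deviations above the baseline counts as a peak. The smoothing factor, the threshold k, the warm-up length and the three constructed feature series are assumptions; the paper's own parameters are not on the slides.

```python
"""EWMA peak detection over the 72 hours before an RTBH event (slide 34).
Added example, not the paper's code; parameters and series are constructed."""
import math
from typing import Dict, List, Optional

FEATURES = ("packets", "unique_dst_ports", "flows",
            "unique_src_ips", "non_tcp_flows")      # slide 34, i to v


def ewma_peaks(series: List[float], alpha: float = 0.1, k: float = 4.0,
               warmup: int = 10, min_std: float = 1.0) -> List[int]:
    """Indices of samples that exceed the running EWMA mean by more than
    k standard deviations (EWMA variance via West's recursion).  The sample
    is tested before the baseline is updated, and a flagged sample is not
    folded into the baseline, so an attack does not raise its own threshold.
    `min_std` stops a perfectly flat baseline from flagging every +1."""
    mean, var = float(series[0]), 0.0
    peaks = []
    for i, x in enumerate(series):
        if i >= warmup and x > mean + k * max(math.sqrt(var), min_std):
            peaks.append(i)
            continue
        diff = x - mean
        mean += alpha * diff
        var = (1 - alpha) * (var + alpha * diff * diff)
    return peaks


def anomalies_before_event(window: Dict[str, List[float]], **kw) -> Dict[str, int]:
    """`window` holds one per-minute series per feature covering the 72 hours
    that end at the RTBH announcement.  Sample i lies len(series) - i minutes
    before the event; the result maps each feature with a peak to the
    distance of its first peak, e.g. {"packets": 8}."""
    out = {}
    for feature, series in window.items():
        peaks = ewma_peaks(series, **kw)
        if peaks:
            out[feature] = len(series) - peaks[0]
    return out


def constructed_window(baseline: List[int], spike: Optional[int],
                       minutes_before: int, total: int = 72 * 60) -> List[int]:
    """Constructed series: a repeating baseline, optionally replaced by `spike`
    for the last `minutes_before` minutes.  Sample data, not measurements."""
    series = [baseline[i % len(baseline)] for i in range(total)]
    if spike is not None:
        for i in range(total - minutes_before, total):
            series[i] = spike
    return series


# Constructed case: packet count and source-IP count jump shortly before the
# announcement (the slide-35 pattern of an amplification or SYN flood);
# destination ports stay flat.
SAMPLE_WINDOW = {
    "packets": constructed_window([980, 1010, 1000, 1020, 990], 50000, 8),
    "unique_src_ips": constructed_window([40, 42, 41, 43, 39], 2000, 6),
    "unique_dst_ports": constructed_window([20, 22, 21, 23, 24], None, 0),
}

if __name__ == "__main__":
    print(anomalies_before_event(SAMPLE_WINDOW))   # {'packets': 8, 'unique_src_ips': 6}
```

Skipping the baseline update on a flagged sample is what makes the detector report the whole attack rather than only its first minute; the price is that a slow, legitimate ramp-up that crosses the threshold once stays flagged until traffic falls back, which is the usual trade-off with EWMA detectors.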

  36. Most anomalies occur up to 10 minutes before an RTBH Event.

  37. Most anomalies occur up to 10 minutes before an RTBH Event. This short reaction time indicates automatic DDoS mitigation.

  38. But: anomalies before RTBH are uncommon!
      Traffic ≤ 72 hours   Anomaly ≤ 10 min   % RTBH Events
      ✓                    ✓                  27%
      ✓                    ✗                  27%
      ✗                    -                  46%

  39. WHY?

  40. Other use-cases?
      Prefix Squatting Protection: Prevent hijacking of address space that is assigned but not announced. Prefix squatting is easy to deploy because there is no competitive announcement.
      Content Blocking: Deploy censorship by blackholing traffic to content servers. Block malicious clients, e.g., port & vulnerability scanners.

  41. Prefix Squatting Protection (plot: RTBH Events (log10) over prefix length [bits])

  42. Other use-cases? New use-cases are infrequent. 70% of RTBH Events still inexplicable.
      Prefix Squatting Protection: Prevent hijacking of address space that is assigned but not announced. Prefix squatting is easy to deploy because there is no competitive announcement.
      Content Blocking: Deploy censorship by blackholing traffic to content servers. Block malicious clients, e.g., port & vulnerability scanners.

  43. Vantage point bias? 1. Packet sampling and private network interconnections hide traffic. (image: https://de.wikipedia.org/wiki/Datei:Iceberg.jpg)

  44. Vantage point bias? 1. Packet sampling and private network interconnections hide traffic. 2. ASes might announce RTBHs at all points of presence despite local attacks. (image: https://de.wikipedia.org/wiki/Datei:Iceberg.jpg)

  45. Vantage point bias? 1. Packet sampling and private network interconnections hide traffic. 2. ASes might announce RTBHs at all points of presence despite local attacks. But: related work [IMC'18] using distributed measurements reached similar results! Jonker et al., A First Joint Look at DoS Attacks and BGP Blackholing, IMC 2018. (image: https://de.wikipedia.org/wiki/Datei:Iceberg.jpg)

  46. III. How should we configure fine-grained filtering? (images: https://community.today.com/parentingteam/post/what-are-the-best-christmas-gifts-for-kids-this-year, https://www.youtube.com/watch?v=-pH9VX324rI)

  47. RTBH - Pro and Con. THE GOOD: RTBHs drop DDoS traffic early in the network. THE UGLY: RTBHs complete the attack, the victim is unreachable.

  48. RTBH - Pro and Con. THE GOOD: RTBHs drop DDoS traffic early in the network. THE UGLY: RTBHs complete the attack, the victim is unreachable. Fine-grained filtering would keep a service reachable.

  49. Whitelisting vs. blacklisting of ports (diagram: Peer AS 1, Peer AS 2 and Peer AS 3 reach the Victim AS via the IXP route server; legitimate traffic to the webserver at IP 1.2.3.4 uses ports 80 and 443; blackhole at the IXP)

  50. Challenge: We cannot whitelist client traffic, because client traffic is highly variable.

  51. RadViz Projection: Visualizing multidimensional port information allows a classification into clients and servers. (image: https://de.wikipedia.org/wiki/Datei:Jahn-Bergturnfest_2006_tug_of_war.jpg)

  52. RadViz Projection: Visualizing multidimensional port information allows a classification into clients and servers. FEATURE 1: number of different destination ports. FEATURE 2: number of different source ports. (image: https://de.wikipedia.org/wiki/Datei:Jahn-Bergturnfest_2006_tug_of_war.jpg)

  53. Many blackholed IP addresses exhibit high port fluctuations.

  54. Many blackholed IP addresses exhibit high port fluctuations. Most of the protected IP addresses are clients.
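An added example (not the paper's code) of the classification behind slides 49 to 54: from sampled flow records it counts, per blackholed IP address, the distinct destination ports and distinct source ports of slide 52 and labels an address with few, stable local ports as a server and one with fluctuating ephemeral ports as a client. A server's local ports can then serve as a port whitelist (80 and 443 on slide 49), while a client gets none, as slide 50 states. The flow records, the addresses and the 16-port threshold are constructed assumptions.

```python
"""Client/server classification of blackholed addresses from port
fluctuation in sampled flow records (slides 49 to 54).  Added example, not
the paper's code; flows, addresses and the threshold are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def classify(flows: Iterable[Flow], protected: Set[str],
             max_server_ports: int = 16) -> Dict[str, dict]:
    """Per protected (blackholed) IP, count the two slide-52 features:
    distinct destination ports of traffic towards the IP and distinct source
    ports of traffic leaving it.  Together they are the IP's local ports.
    A small, stable local-port set marks a server (its ports can be
    whitelisted, like 80 and 443 on slide 49); a fluctuating set of
    ephemeral ports marks a client, which cannot be whitelisted (slide 50).
    The 16-port cut-off is an assumption for this example."""
    dst_ports: Dict[str, Set[int]] = defaultdict(set)
    src_ports: Dict[str, Set[int]] = defaultdict(set)
    for f in flows:
        if f.dst_ip in protected:
            dst_ports[f.dst_ip].add(f.dst_port)
        if f.src_ip in protected:
            src_ports[f.src_ip].add(f.src_port)
    result = {}
    for ip in sorted(protected):
        local = dst_ports[ip] | src_ports[ip]
        is_server = len(local) <= max_server_ports
        result[ip] = {
            "class": "server" if is_server else "client",
            "n_dst_ports": len(dst_ports[ip]),
            "n_src_ports": len(src_ports[ip]),
            "whitelist": sorted(local) if is_server else None,
        }
    return result


PROTECTED = {"203.0.113.7", "203.0.113.9"}      # constructed blackholed /32s


def constructed_flows() -> List[Flow]:
    """Constructed sample: a web server answering many remote clients on two
    local ports, and a client opening one ephemeral local port per connection."""
    flows = []
    for i in range(30):
        remote, port = f"198.51.100.{i + 1}", 80 if i % 2 else 443
        flows.append(Flow(remote, 50000 + i, "203.0.113.7", port))   # request
        flows.append(Flow("203.0.113.7", port, remote, 50000 + i))   # reply
    for i in range(40):
        remote, port = ("192.0.2.10", 443) if i % 4 else ("192.0.2.53", 53)
        flows.append(Flow("203.0.113.9", 40000 + i, remote, port))   # request
        flows.append(Flow(remote, port, "203.0.113.9", 40000 + i))   # reply
    return flows


if __name__ == "__main__":
    for ip, info in classify(constructed_flows(), PROTECTED).items():
        print(ip, info)
```

The server side of the sample collapses to the two local ports {80, 443}, which is exactly the whitelist slide 49 draws; the client side shows 40 distinct local ports after 40 connections, and any whitelist derived from it would be stale as soon as the next connection opened a new ephemeral port. Real sampled flow data (1/10000 on slide 22) thins both sides, so the threshold has to be chosen against the observation window actually available.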

  55. Cross-validation using PeeringDB
