inferring bgp blackholing in the internet
play

Inferring BGP Blackholing in the Internet Vasileios Giotsas, - PowerPoint PPT Presentation

Mar 27, 2023 •399 likes •956 views

Inferring BGP Blackholing in the Internet Vasileios Giotsas, Georgios Smaragdakis, Christoph Dietzel, Philipp Richter, Anja Feldmann, and Arthur Berger TU Berlin CAIDA MIT DE-CIX Akamai DDoS A&acks are a Serious Threat 2 AS1

  1. Inferring BGP Blackholing in the Internet Vasileios Giotsas, Georgios Smaragdakis, Christoph Dietzel, Philipp Richter, Anja Feldmann, and Arthur Berger TU Berlin CAIDA MIT DE-CIX Akamai

  2. DDoS A&acks are a Serious Threat 2

  3. AS1 172.18.192.1 AS4 AS3 Server AS2 3

  4. Networks under A&ack AS1 172.18.192.1 AS4 AS3 AQack Target Server AS2 4

  5. Blackholing AS1 172.18.192.1 AS4 AS3 AQack Target Server AS2 5

  6. BGP Blackholing AS1 BGP 172.18.192.1 AS4 AS3 AQack Target Server AS2 6

  7. BGP Blackholing AS1 172.18.192.1 AS4 AS3 AQack Target Server AS2 7

  8. Agenda • BGP Blackholing in Detail • Inference Methodology for BGP Blackholing • Trends in BGP Blackholing AcEvity • Visibility of BGP Blackholing • BGP Blackholing Network Efficacy • Profile of BGP Blackholing Adopters 8

  9. Agenda • BGP Blackholing in Detail • Inference Methodology for BGP Blackholing • Trends in BGP Blackholing AcEvity • Visibility of BGP Blackholing • BGP Blackholing Network Efficacy • Profile of BGP Blackholing Adopters 9

  10. BGP Blackholing in the Internet AS1 172.18.192.1 AS4 AS3 AQack Target Server AS2 10

  11. BGP Blackholing in the Internet AS3:666 Blackholing Community 172.18.192.1/32 Community = AS3:666 AS1 172.18.192.1 AS4 172.18.192.1/32 AS3 AQack Blackholed Target Prefix Server AS2 RFC1997, RFC5635, RFC7999 11

  12. BGP Blackholing in the Internet AS1 172.18.192.1 AS4 AS3 AQack Target Server AS2 RFC1997, RFC5635, RFC7999 12

  13. BGP Blackholing in the Internet 172.18.192.1/32 Community = AS3:666 AS1 172.18.192.1 AS4 AS3 AQack Target Server AS2 RFC1997, RFC5635, RFC7999 13

  14. BGP Blackholing in the Internet AS1 172.18.192.1 AS4 AS3 AQack Target Server AS2 RFC1997, RFC5635, RFC7999 14

  15. Terminology 172.18.192.1/32 Community = AS3:666 AS1 172.18.192.1 AS4 AS3 Blackholing Blackholing User Provider AS4 AQack AS3 Target Server AS2 15

  16. BGP Blackholing in an IXP member AS1 Route Server member AS2 172.18.192.1 member AS4 member AS3 AQack Target IXP Server 16

  17. BGP Blackholing in an IXP member AS1 172.18.192.1/32 Route Server Community = IXP:666 member AS2 172.18.192.1 member AS4 member AS3 AQack Target IXP Server 17

  18. BGP Blackholing in an IXP 172.18.192.1/32 Next hop: 80.81.192.66 (blackhole) member AS1 Community = IXP:666 Route Server member AS2 172.18.192.1 member AS4 member AS3 AQack Target IXP Server 18

  19. BGP Blackholing in an IXP member AS1 Route Server member AS2 172.18.192.1 member AS4 member AS3 AQack Target IXP Server 19

  20. BGP Blackholing in an IXP member AS1 Route Server member AS2 172.18.192.1 IXP Blackholing Provider member AS4 member AS3 AQack AS4 Target IXP Blackholing Server User 20

  21. Agenda • BGP Blackholing in Detail • Inference Methodology for BGP Blackholing • Trends in BGP Blackholing AcEvity • Visibility of BGP Blackholing • BGP Blackholing Network Efficacy • Profile of BGP Blackholing Adopters 21

  22. BGP Blackhole Community DicEonary • BGP CommuniEes are standardized • We mine Internet Registries, NOC webpages etc. for keywords like “blackhole”, “null route” using Natural Language Processing Level3 DE-CIX 22

  23. Methodology BGP 172.18.192.1/32 Collector AS3 AS1 Community = AS3:666 AS1 172.18.192.1 AS4 AQack AS3 Target Server AS2 23

  24. Methodology Starts at t 0 : A|172.18.192.1/32| BGP provider:AS3|user:AS4|communiaes Collector AS1 172.18.192.1 AS4 AQack AS3 Target Server AS2 24

  25. Methodology Starts at t 0 : A|172.18.192.1/32| BGP provider:AS3|user:AS4|communiaes Collector Ends at t 1 : W|172.18.192.1/32 AS1 172.18.192.1/32 172.18.192.1 AS4 AQack AS3 Target Server AS2 25

  26. Methodology Starts at t 0 : A|172.18.192.1/32| BGP provider:AS3|user:AS4|communiaes Collector Ends at t 1 : W|172.18.192.1/32 AS1 172.18.192.1 AS4 AQack AS3 Target Server AS2 26

  27. Methodology Starts at t 0 : A|172.18.192.1/32| BGP t 3 : A|151.18.192.1/32|provider: AS13|user: AS9|communiaes provider:AS3| user:AS4|communiaes Collector t 4 : W|151.18.192.1/32 Ends at t 1 : W|172.18.192.1/32 AS1 172.18.192.1 AS4 AS3 t 7 : A|125.20.191.1/32|provider: AQack AS3 AS30| user: AS11|communiaes t 8 : W|125.20.191.1/32 Target Server AS2 27

  28. Agenda • BGP Blackholing in Detail • Inference Methodology for BGP Blackholing • Trends in BGP Blackholing Acavity • Visibility of BGP Blackholing • BGP Blackholing Network Efficacy • Profile of BGP Blackholing Adopters 28

  29. BGP Datasets Source #IP peers #AS peers RIPE 425 313 Route Views 269 197 PCH 8,897 1,721 CDN 3,349 1,282 Total 12,940 2,798 CDN and PCH infer 3x more blackholed prefixes than RIPE and Route Views 29

  30. The Rise of BGP Blackholing 2.5x 30

  31. The Rise of BGP Blackholing 4x 31

  32. The Rise of BGP Blackholing 6x 32

  33. The Rise of BGP Blackholing Mirai 33

  34. Agenda • BGP Blackholing in Detail • Inference Methodology for BGP Blackholing • Trends in BGP Blackholing AcEvity • Visibility of BGP Blackholing • BGP Blackholing Network Efficacy • Profile of BGP Blackholing Adopters 34

  35. BGP Blackholing Inference StaEsEcs 35

  36. BGP Blackholing PropagaEon 172.18.192.1/32 AS1 172.18.192.1/32 Community = AS3:666 Community = AS3:666 172.18.192.1 BGP Collector AS4 AS3 BGP AQack AS120 Collector Target Server AS130 AS140 36

  37. BGP Blackholing Inference StaEsEcs Due to Blackholing Propagaaon 37

  38. BGP Blackhole Bundling BGP 172.18.192.1/32 Collector Community = AS3:666, AS20:666, AS30:99, AS40:66 AS1 172.18.192.1 AS4 AS3 AQack AS20 Target Server AS30 AS40 38

  39. BGP Blackholing Inference StaEsEcs Due to Blackholing Bundling 39

  40. Agenda • BGP Blackholing in Detail • Inference Methodology for BGP Blackholing • Trends in BGP Blackholing AcEvity • Visibility of BGP Blackholing • BGP Blackholing Network Efficacy • Profile of BGP Blackholing Adopters 40

  41. BGP Blackholing Efficacy: AcEve Measurements AS1 172.18.192.1 AS4 AS3 AQack Target Server 41

  42. BGP Blackholing Efficacy: AcEve Measurements AS1 172.18.192.1 AS4 AS3 AQack Target Server 42

  43. BGP Blackholing Efficacy: AcEve Measurements AS1 172.18.192.1 AS4 AS3 AQack Target Server 43

  44. BGP Blackholing Efficacy: AcEve Measurements Reducaon by 5 IP hops (on average) 44

  45. BGP Blackholing Efficacy: AcEve Measurements Reducaon by 3 AS hops (on average) 45

  46. Agenda • BGP Blackholing in Detail • Inference Methodology for BGP Blackholing • Trends in BGP Blackholing AcEvity • Visibility of BGP Blackholing • BGP Blackholing Network Efficacy • Profile of BGP Blackholing Adopters 46

  47. Popularity of Blackholing Providers 47

  48. Popularity of Blackholing Providers 48

  49. Popularity of Blackholing Users 49

  50. Popularity of Blackholing Users 43% of bh prefixes belong to content providers/hosters 50

  51. Profile of Blackholed Prefixes 50% 40% 30% 20% 10% 0 • Open ports in hosts in 60% of the blackholed prefixes • In many cases default hosEng so`ware configuraEons • Serve ephemeral or low-ranked domains 51

  52. BGP Blackholing DuraEon 52

  53. Conclusion • The first Internet-wide study on the AdopEon and State of BGP Blackholing • Methodology to infer Blackholing acEvity from BGP data • BGP Blackholing on the rise in all three metrics (Providers, Users, Prefixes) • BGP Blackholing is EffecEve in dropping traffic early • Profile of Blackholed adopters and Insights on Usage 53

  54. Thank you! 54

Recommend

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies Internet Routing Policies Feng Wang Lixin Gao Department of Electrical and Computer Engineering University of Massachusetts, Amherst MA 01002, USA 1

450 views • 18 slides
Blackholing the Internet: A Live Demo Adam Rapley me@adamrapley.com @admrply

Blackholing the Internet: A Live Demo Adam Rapley me@adamrapley.com @admrply

Blackholing the Internet: A Live Demo Adam Rapley me@adamrapley.com @admrply keybase.io/admrply Who am I? 3nd year Ethical Hacking student at Abertay. Does web things. Artist/Musician. Building and Breaking IoT. What is BGP

334 views • 29 slides
A Taxonomy of Attacks Using BGP Blackholing Loc Miller and Cristel Pelsser September 23, 2019

A Taxonomy of Attacks Using BGP Blackholing Loc Miller and Cristel Pelsser September 23, 2019

A Taxonomy of Attacks Using BGP Blackholing Loc Miller and Cristel Pelsser September 23, 2019 University of Strasbourg AS 20 AS 10 AS 30 P: 192.0.2.0/24 BGP Blackholing Blackholing is a DDoS mitigation technique signaled via BGP 1 . 1

1.19k views • 93 slides
Inferring Internet Inferring Internet Denial- -of of- -Service Activity Service Activity

Inferring Internet Inferring Internet Denial- -of of- -Service Activity Service Activity

Inferring Internet Inferring Internet Denial- -of of- -Service Activity Service Activity Denial Geoffrey M. Voelker Geoffrey M. Voelker University of California, San Diego University of California, San Diego Joint work with David Moore

369 views • 32 slides
Measuring and Inferring Weather's Effect on Residential Internet Infrastructure Ramakrishna

Measuring and Inferring Weather's Effect on Residential Internet Infrastructure Ramakrishna

Measuring and Inferring Weather's Effect on Residential Internet Infrastructure Ramakrishna Padmanabhan, Aaron Schulman, Ramakrishnan Sundara Raman, Reethika Ramesh, Dave Levin, Neil Spring 1 Residential Internet infrastructure is

369 views • 23 slides
Inferring Autonomous System Relationships in the Internet Lixin Gao Motivation Routing

Inferring Autonomous System Relationships in the Internet Lixin Gao Motivation Routing

Inferring Autonomous System Relationships in the Internet Lixin Gao Motivation Routing policies are constrained by the contractual commercial agreements between administrative domains For example : AS sets policy so that it does not

558 views • 23 slides
CHALLENGES IN INFERRING INTERNET CONGESTION USING THROUGHPUT TESTS Amogh Dhamdhere

CHALLENGES IN INFERRING INTERNET CONGESTION USING THROUGHPUT TESTS Amogh Dhamdhere

CHALLENGES IN INFERRING INTERNET CONGESTION USING THROUGHPUT TESTS Amogh Dhamdhere amogh@caida.org with Srikanth Sundaresan (Princeton) Danny Lee (Georgia Tech) Xiaohong Deng, Yun Feng (UNSW) 1 w w w . cai da. or In the Press

570 views • 54 slides
Inferring Internet Server IPv4 and IPv6 Address Relationships Robert Beverly, Arthur Berger ,

Inferring Internet Server IPv4 and IPv6 Address Relationships Robert Beverly, Arthur Berger ,

Inferring Internet Server IPv4 and IPv6 Address Relationships Robert Beverly, Arthur Berger , Nicholas Weaver , Larry Campbell Naval Postgraduate School Akamai ICSI/UCSD rbeverly@nps.edu, awberger@mit.edu February 7, 2013

323 views • 19 slides
Tripwire Inferring Internet Site Compromise Joe DeBlasio Stefan Savage UC San Diego Geoffrey

Tripwire Inferring Internet Site Compromise Joe DeBlasio Stefan Savage UC San Diego Geoffrey

Tripwire Inferring Internet Site Compromise Joe DeBlasio Stefan Savage UC San Diego Geoffrey M. Voelker Alex C. Snoeren On account compromise Compromise of email/social network/etc is devastating Personal/professional reputational, financial

798 views • 49 slides
Down the Black Hole: Dismantling Operational Practices of BGP Blackholing at IXPs Marcin

Down the Black Hole: Dismantling Operational Practices of BGP Blackholing at IXPs Marcin

Down the Black Hole: Dismantling Operational Practices of BGP Blackholing at IXPs Marcin Nawrocki, Jeremias Blendin, Christoph Dietzel, Thomas C. Schmidt, Matthias Whlisch Christmas is near!

1.15k views • 80 slides
A First Joint Look at DoS Attacks and BGP Blackholing in the Wild Mattijs Jonker Aiko Pras

A First Joint Look at DoS Attacks and BGP Blackholing in the Wild Mattijs Jonker Aiko Pras

A First Joint Look at DoS Attacks and BGP Blackholing in the Wild Mattijs Jonker Aiko Pras (UTwente) Alberto Dainotti (CAIDA / UC San Diego) Anna Sperotto (UTwente) Denial-of-Service attacks A conceptually simple, yet effective class of

750 views • 33 slides
The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet Rob Beverly

The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet Rob Beverly

The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet Rob Beverly and Steve Bauer {rbeverly,bauer}@mit.edu The Spoofer Project Goal: Quantify the extent and nature of source address filtering on the

421 views • 31 slides
Next Gen Blackholing to Counter DDoS NANOG75, San Francisco Christoph Dietzel *, Matthias

Next Gen Blackholing to Counter DDoS NANOG75, San Francisco Christoph Dietzel *, Matthias

Next Gen Blackholing to Counter DDoS NANOG75, San Francisco Christoph Dietzel *, Matthias Wichtlhuber*, Georgios Smaragdakis , Anja Feldmann TU Berlin, *DE-CIX, MPI Volumetric DDoS Attacks ? Tbps 1.7 Tbps 1 Tbps 200 Gbps 15

571 views • 22 slides
No Yes Do you use the Internet to do homework? Do you use the Internet to follow your

No Yes Do you use the Internet to do homework? Do you use the Internet to follow your

No Yes Do you use the Internet to do homework? Do you use the Internet to follow your favourite team? Do you use the internet to watch music videos? Do you use the Internet to read the news? Do you use the Internet to play games? Shared

997 views • 51 slides
TouchLogger: Inferring Keystrokes on Touch Screen from

TouchLogger: Inferring Keystrokes on Touch Screen from

TouchLogger: Inferring Keystrokes on Touch Screen from Smartphone Mo:on Liang Cai and Hao Chen UC Davis Security Problems on Smartphones Old

264 views • 15 slides
The Challenge of Cultural The Challenge of Cultural Modeling for Inferring Modeling for

The Challenge of Cultural The Challenge of Cultural Modeling for Inferring Modeling for

WI/IAT Joint Keynote, Silicon Valley, USA, 2007 The Challenge of Cultural The Challenge of Cultural Modeling for Inferring Modeling for Inferring Intentions and Behavior Intentions and Behavior Eugene Santos Jr. Eugene Santos Jr. Thayer

809 views • 55 slides
Inferring Descriptive Generalisations of Formal Languages Dominik D. Freydenberger 1 Daniel

Inferring Descriptive Generalisations of Formal Languages Dominik D. Freydenberger 1 Daniel

Inferring Descriptive Generalisations of Formal Languages Dominik D. Freydenberger 1 Daniel Reidenbach 2 1 Goethe University, Frankfurt 2 Loughborough University, Loughborough COLT 2010 D. Freydenberger, D. Reidenbach Inferring Descriptive

273 views • 10 slides
Communication security over the Internet The big picture Me Internet Resource Internet

Communication security over the Internet The big picture Me Internet Resource Internet

Communication security over the Internet The big picture Me Internet Resource Internet Server Client Attack vectors MAN DNS LAN Client Internet Back Bone Router Networking WWW overview MITM (Man In The Middle) 3 2 4 5 LAN

244 views • 23 slides
Inferring User Intent for Learning by Observation Kevin R. Dixon krd@cs.cmu.edu Department of

Inferring User Intent for Learning by Observation Kevin R. Dixon krd@cs.cmu.edu Department of

Carnegie Mellon Inferring User Intent for Learning by Observation Kevin R. Dixon krd@cs.cmu.edu Department of Electrical & Computer Engineering Carnegie Mellon University 2004-01-23, Inferring User Intent for LBO p.1 Carnegie Mellon

1.27k views • 125 slides
From Dirt to Shovels: From Dirt to Shovels: Inferring PADS descriptions from ASCII Data ASCII

From Dirt to Shovels: From Dirt to Shovels: Inferring PADS descriptions from ASCII Data ASCII

From Dirt to Shovels: From Dirt to Shovels: Inferring PADS descriptions from ASCII Data ASCII Data Inferring PADS descriptions from Kathleen Fisher David Walker Peter White Kenny Zhu July 2007 Data,Data,everywhere! Data,Data,everywhere!

632 views • 46 slides
Understanding and Aiding Code Evolution by Inferring Change Patterns Miryung Kim Doctoral

Understanding and Aiding Code Evolution by Inferring Change Patterns Miryung Kim Doctoral

Understanding and Aiding Code Evolution by Inferring Change Patterns Miryung Kim Doctoral Symposium ICSE 2007 1. Title: Understand & Aiding Code Evolution by Inferring Change Patterns. (30 sec) My name is Miryung Kim & I am a graduate

571 views • 17 slides
From Uncertainty to Belief: Inferring the Specification Within Stephen McLaughlin Stephen

From Uncertainty to Belief: Inferring the Specification Within Stephen McLaughlin Stephen

From Uncertainty to Belief: Inferring the Specification Within Stephen McLaughlin Stephen McLaughlin From Uncertainty to Belief: Inferring the Specification Within Overview Area: Program analysis and error checking / program specification

469 views • 17 slides
How do you Improve on the Internet? The eXpressive Internet Architecture: The Internet has been

How do you Improve on the Internet? The eXpressive Internet Architecture: The Internet has been

5/15/2012 How do you Improve on the Internet? The eXpressive Internet Architecture: The Internet has been tremendously successful From Architecture to Network Has sustained tremendous growth g Supports very diverse set of applications

484 views • 10 slides
IOC: Internet of Composites IOC: Internet of Composites IOC: Internet of Composites IOC: Internet

IOC: Internet of Composites IOC: Internet of Composites IOC: Internet of Composites IOC: Internet

IOC: Internet of Composites IOC: Internet of Composites IOC: Internet of Composites IOC: Internet of Composites Robert Bjekovic, University of applied sciences Ravensburg Weingarten, Weingarten, Germany Michael Elwert, University of applied

351 views • 32 slides

More recommend