With large-scale, disruptive cyber-attacks on the rise, USC’s Information Sciences Institute (ISI) PhD student Rizvi — along with co-authors Leandro Bertholdo of the University of Twente (Netherlands), João Ceron (SIDN Labs), and John Heidemann, ISI Principal Scientist — set out to create a playbook for defending against them.
The resulting paper, Anycast Agility: Network Playbooks to Fight DDoS, was published at the 31st USENIX Security Symposium, one of the premier conferences in the cybersecurity space, held in August 2022 in Boston, Massachusetts.
The Problem: Hackers Are on the Attack
A denial-of-service (DoS) attack is a cyber-attack that floods a target – usually a computer or network – with fake requests in order to overload the system. The target can’t handle the high volume of traffic and becomes unresponsive to its real users. In a DoS attack, the barrage of traffic emanates from a single source.
When the flood of traffic comes from many different sources, it’s called a distributed denial-of-service (DDoS) attack. DDoS attacks can be much larger and more serious, and they are used by hackers for extortion, state-sponsored cyber warfare, hacktivism, financial gain, and more.
Some of the world’s largest companies and organizations have been “DDoSed”. Google, Amazon, the code management service GitHub, the country of Estonia – these are just a few examples of targets of the most massive DDoS attacks in recent years.
And the difficulty in mitigating DDoS attacks lies in their very definition – they are distributed. There is no single source of traffic to attempt to block.
Anycast Routing to the Rescue
One way to soften the blow of DDoS attacks is the use of anycast routing. Widely deployed starting in the early-2000s, anycast is an addressing and routing methodology where a single IP address is shared by multiple geographically distributed servers.
With anycast, each network is routed to a particular anycast site, dividing the world into “catchments.” Internet traffic is distributed across these catchments, usually associating networks with nearby anycast sites. In general, this helps with “latency” (how long it takes for your device to respond to a request from the host server), but it’s also great when it comes to DDoS attacks.
Why? Because each anycast site is independent, so if a DDoS attack overwhelms one site, the sites that are not overloaded remain unaffected.
During a DDoS attack, service operators depend on anycast to provide capacity to handle the attack and to isolate attackers in catchments. Operators use traffic engineering (TE) to adapt to an ongoing attack in real-time. For example, they might shift traffic from overloaded sites to other sites that have excess capacity.
Rizvi explained how this was the motivation for the project, “We knew network operators have been using traffic engineering techniques for a long time. However, there was no systematic, well-defined way to use these techniques during a DDoS attack. Also, there was no formal discussion about the success of these methods and possible limitations.”
So Rizvi and the team set out to create and test a defined system for operators using TE to balance traffic across anycast during a DDoS attack
Creating a DDoS Defense System
They came up with a two-step approach.
First, they proposed a novel mechanism to estimate loads. Estimating the load on each site is crucial so that the operator can match load to the capacities of different sites, or decide that some sites should absorb more of the attack than others.
They calculated load by starting with the known legitimate traffic of a site and estimating how much of that legitimate traffic dropped during the attack. This allowed the team to infer upstream loss which can be used to estimate the amount of illegitimate traffic being sent to the site due to the DDoS attack.
Second, they developed a playbook, a guide that allows operators to anticipate how TE actions will rebalance the load across an anycast system. With knowledge of the load, the operator can select an overall defense strategy that will drive TE decisions. This can be fully automated or the system can give the human operator recommendations for possible actions, as well as their consequences.
Putting the Playbook to the Test
“Testing our idea and evaluating its effectiveness in the real world was the biggest challenge of this project,” said Rizvi.
The challenge paid off. The team worked closely with the B-Root team at USC, which runs one of the 13 systems around the world that provide the Domain Name System (DNS), operated by ISI since the inception of the DNS in 1987.
The team demonstrated successful defenses in practice as they replayed real-world attacks in a testbed. They used several actual DDoS events that took place in the past five years and found the playbook to be remarkably effective in mitigating the attacks. The team was happily surprised by just how successful the network playbook was against these diverse attack events.
“We’re hopeful that these approaches will help anycast operators be better prepared to react to DDoS attacks. They’re particularly important to operators who primarily use their own infrastructure,” said Heidemann.
Moving forward, Rizvi said the team would like to possibly include the location of the origin of the attackers into the playbook. “For future work, we can use such information to improve defense selection.”
The paper, which provides the first public evaluation of multiple anycast methods for DDoS defense, was one of 256 papers accepted by to the 31st USENIX Security Symposium, the largest USENIX Security in history. This year, USENIX had an acceptance rate of 18%.
Published on November 15th, 2022
Last updated on November 16th, 2022