down the black hole dismantling operational practices of
play

Down the Black Hole: Dismantling Operational Practices of BGP - PowerPoint PPT Presentation

Jun 03, 2023 •346 likes •1.15k views

Down the Black Hole: Dismantling Operational Practices of BGP Blackholing at IXPs Marcin Nawrocki, Jeremias Blendin, Christoph Dietzel, Thomas C. Schmidt, Matthias Whlisch Christmas is near!

  1. Down the Black Hole: Dismantling Operational Practices of BGP Blackholing at IXPs Marcin Nawrocki, Jeremias Blendin, Christoph Dietzel, Thomas C. Schmidt, Matthias Wählisch

  2. Christmas is near! https://www.shutterstock.com/video/clip-1584091-small-red-christmas-present-looping-on-white 2

  3. 3

  4. I hate Christmas ... https://indac.org/blog/the-grinch-official-trailer-3/ 4

  5. I hate Christmas ... https://indac.org/blog/the-grinch-official-trailer-3/ https://blogvaronis2.wpengine.com/wp-content/uploads/2019/09/ddos-attack-hero-1200x401.png 5

  6. 6

  7. The Internet suffers DDoS Black ckholi oling The problem! The solution? 7

  8. Common (mis) belief Blackholing is an effective measure to mitigate DDoS 8

  9. Common (mis) belief ? Blackholing is an effective measure to mitigate DDoS ? 9

  10. Our results. In a nutshell. Efficiency Use Cases Blackholing drops only Only 27% of Blackhole 50% of unwanted traffic. Events correlate with DDoS . Fine-grained blacklisting of Other use cases exist for attack signatures is an Blackholing but are very rare. effective mitigation strategy. 10

  11. Agenda I. Background How does BGP Blackholing work at IXPs? II. Deployment Status How well deployed is Blackholing in the real world? III. Future Enhancements How should we configure fine-grained filtering? 11

  12. https://www.hasepost.de/freiwillige-feuerwehr-sammelt-tannenbaeume-ein-2114/ I. How does BGP Blackholing work at IXPs? 12

  13. Remotely-Triggered Blackholing at IXPs Peer AS 1 Victim AS Routeserver Webserver Peer AS 2 Peering platform IXP Peer AS 3 13

  14. Remotely-Triggered Blackholing at IXPs Peer AS 1 DDoS Traffic Victim AS Routeserver Webserver Peer AS 2 Peering platform Legitimate Traffic IXP Peer AS 3 14

  15. Remotely-Triggered Blackholing at IXPs Peer AS 1 BGP Signal: RTBH for 1.2.3.4/32 Victim AS Routeserver Webserver Peer AS 2 IP: 1.2.3.4 Peering platform IXP Blackhole Peer AS 3 15

  16. Remotely-Triggered Blackholing at IXPs Peer AS 1 BGP Signal: RTBH for /32 That's the simple case. Victim AS Routeserver Webserver BGP policies apply in the real world. Peer AS 2 Peering platform IXP Blackhole Peer AS 3 16

  17. Remotely-Triggered Blackholing and BGP Policies BGP Rejection Policy Peer AS 1 BGP Signal: RTBH for 1.2.3.4/32 Victim AS Routeserver Webserver Peer AS 2 Peering platform IXP Peer AS 3 17

  18. Remotely-Triggered Blackholing and BGP Policies BGP Rejection Policy Peer AS 1 Victim AS Routeserver Webserver Peer AS 2 Peering platform IXP Blackhole Peer AS 3 18

  19. https://unternehmensberatungralfmueller .wordpress.com/ 2011/12/15/weihnachten-einfach-weihnachten/ II. How well deployed is BGP Blackholing in the real world? 19

  20. Our measurement approach One of the worlds-largest IXPs as a central vantage point Wholistic view: >100 days, all related data - no exceptions! 20

  21. Our measurement approach One of the worlds-largest IXPs as a central vantage point Wholistic view: >100 days, all related data - no exceptions! BGP data BGP Signal: All RTBH messages from all route- • RTBH for 1.2.3.4/32 servers RTBH announcements identifiable • by BGP community and next-hop-IP 21

  22. Our measurement approach One of the worlds-largest IXPs as a central vantage point Wholistic view: >100 days, all related data - no exceptions! Flow data All packets from/to prefixes, which • DDoS Traffic have been blackholedat least once All packets which traverse the public • switch-fabric (Sampling: 1/10000) Legitimate Traffic Dropped packets identifiable by • special MAC-address 22

  23. Our measurement approach One of the worlds-largest IXPs as a central vantage point Wholistic view: >100 days, all related data - no exceptions! BGP data Flow data All RTBH messages from all route- All packets from/to prefixes, which • • servers have been blackholedat least once RTBH announcements identifiable All packets which traverse the public • • by BGP community and next-hop-IP switch-fabric (Sampling: 1/10000) Dropped packets identifiable by • special MAC-address We verified: Time is in sync! 23

  24. Do all IXP member accept RTBH announcements ? 24

  25. Successful mitigation depends on the announced RTBH prefix length 25

  26. Successful mitigation depends on the announced RTBH prefix length 26

  27. Successful mitigation depends on the announced RTBH prefix length /32-RTBHs have a mean drop rate of 50%. But they cover 99% of the to-be-blackholed traffic. 27

  28. How fast do IXP members react to DDoS events? 28

  29. Measurement challenge Multiple RTBHs cover the same attack 29

  30. Measurement chall llen enge Multiple RTBHs cover the same attack 30

  31. Measurement chall llen enge Multiple RTBHs cover the same attack Multiple RTBHs! 31

  32. Measurement challenge Multiple RTBHs cover the same attack Time-based clustering of RTBHs 32

  33. Measurement challenge Multiple RTBHs cover the same attack What happens before RTBH Events? 33

  34. Analysis of 72 72 hours bef efore an RTBH Event Use a sliding window algorithm (EWMA) to infer whether one of the monitored features exhibits an anomalous peak: i. number of packets ii. number of unique destination ports iii. number of flows iv. number of unique source IP addresses v. number of non-TCP flows 34

  35. Analysis of 72 72 hours bef efore an RTBH Event Use a sliding window algorithm (EWMA) to infer whether one of the monitored features exhibits an anomalous peak: i. number of packets Amplification Attacks ii. number of unique destination ports iii. number of flows TCP SYN Attacks iv. number of unique source IP addresses v. number of non-TCP flows GRE Floods 35

  36. Most anomalies occur up to 10 minutes before an RTBH Event 36

  37. Most anomalies occur up to 10 minutes before an RTBH Event This short reaction time indicates automatic DDoS mitigation. 37

  38. But: Anomalie ies bef efore RTBH are uncommon! Traffic ≤ 72 hours Anomaly ≤ 10 min % RTBH Events ✓ ✓ 27% ✓ ✗ 27% ✗ - 46% 38

  39. WHY? Y? 39

  40. Other use-cases? Prefix Squatting Content Protection Blocking Prevent hijacking of address space that is Deploy censorship by blackholing assigned but not announced. traffic to content servers. Prefix squatting is easy to deploy because Block malicious clients, e.g., port & there is no competitive announcement. vulnerability scanners. 40

  41. Prefix Squatting Protection Prefix Length [bits] RTBH Events (log10) 41

  42. Other use-cases? Prefix Squatting Content Protection Blocking New use-cases are infrequent. 70% of RTBH Events still inexplicable. Prevent hijacking of address space that Deploy censorship by blackholing is assigned but not announced. traffic to content servers. Prefix squatting is easy to deploy because Block malicious clients, e.g., port & there is no competitive announcement. vulnerability scanners. 42

  43. Vantage point bias? 1. Packet sampling and private-network- interconnectionshide traffic. 43 https://de.wikipedia.org/wiki/Datei:Iceberg.jpg

  44. Vantage point bias? 1. Packet sampling and private-network- interconnectionshide traffic. 2. ASes might announce RTBHs at all point-of- presence despite local attacks. 44 https://de.wikipedia.org/wiki/Datei:Iceberg.jpg

  45. Vantage point bias? 1. Packet sampling and private-network- interconnectionshide traffic. 2. ASes might announce RTBHs at all point-of- presence despite local attacks. But: Related work [IMC'18] using distributed measurements reached similar results! 45 Jonker et al, A First Joint Look at DoS Attacks and BGP Blackholing, IMC 2018 https://de.wikipedia.org/wiki/Datei:Iceberg.jpg

  46. https://community.today.com/parentingteam/post/what-are-the-best-christmas-gifts-for-kids-this-year https://www.youtube.com/watch?v=-pH9VX324rI III. How should we configure fine-grained filtering? 46

  47. RTBH - Pro and Con THE GOOD THE UGLY RTBHs drop DDoS traffic RTBHs complete the attack, early in the network. the victim is unreachable. 47

  48. RTBH - Pro and Con THE GOOD THE UGLY RTBHs drop DDoS traffic RTBHs complete the attack, early in the network. the victim is unreachable. Fine-grained filtering would keep a service reachable. 48

  49. Wh Whit itel elistin ing vs. blacklisting of ports Peer AS 1 Victim AS Routeserver Webserver Legitimate Traffic: Port 80 and 443 Peer AS 2 IP: 1.2.3.4 Peering platform IXP Blackhole Peer AS 3 49

  50. Challenge We cannot whitelist client traffic, because client traffic is highly variable. 50

  51. RadViz Projection Visualizing multidimensional port information allows a classification into clients and servers 51 https://de.wikipedia.org/wiki/Datei:Jahn-Bergturnfest_2006_tug_of_war .jpg

  52. RadViz Projection FEATURE 1: number of different destination ports Visualizing multidimensional port information allows a classification into clients and servers FEATURE 2: number of different 52 source ports https://de.wikipedia.org/wiki/Datei:Jahn-Bergturnfest_2006_tug_of_war .jpg

  53. Many blackholed IP addresses exhibit high port fluctuations 53

  54. Many blackholed IP addresses exhibit high port fluctuations Most of the protected IP addresses are clients. 54

  55. Cross-validation using PeeringDB 55

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Black hole X-ray binaries V: Formation and evolution of black hole binaries Thomas J. Maccarone

Black hole X-ray binaries V: Formation and evolution of black hole binaries Thomas J. Maccarone

Black hole X-ray binaries V: Formation and evolution of black hole binaries Thomas J. Maccarone Jan 14, 2017, 2nd Fudan Winter School on Black Hole Astrophysics Overview Phenomena associated with binary evolution Formation of close binaries

651 views • 30 slides
Black Hole Thermodynamics Robert M. Wald I. Black Holes; Event Horizons and Killing Horizons II.

Black Hole Thermodynamics Robert M. Wald I. Black Holes; Event Horizons and Killing Horizons II.

Black Hole Thermodynamics Robert M. Wald I. Black Holes; Event Horizons and Killing Horizons II. The First Law of Black Hole Mechanics and Black Hole Entropy III. Dynamic and Thermodynamic Stability of Black Holes IV. Quantum Aspects of Black

1.74k views • 116 slides
Constructing black holes and black hole microstates String theory and the fuzzball proposal Cl

Constructing black holes and black hole microstates String theory and the fuzzball proposal Cl

Introduction : black hole issues and entropy counting The fuzzball proposal Constructing three-charge supersymmetric solutions Non-BPS extremal black holes Conclusion and perspectives Constructing black holes and black hole microstates String

1.37k views • 95 slides
Spin- -orbit interactions in black hole orbit interactions in black hole binaries binaries Spin

Spin- -orbit interactions in black hole orbit interactions in black hole binaries binaries Spin

Departm ent Physics & Astronom y The University of Texas at Brow nsville Spin- -orbit interactions in black hole orbit interactions in black hole binaries binaries Spin Carlos Lousto with Manuela Campanelli & Yosef Zlochower

365 views • 20 slides
Toward Astrophysical Black-Hole Binaries Gregory B. Cook Wake Forest University Mar. 29, 2002

Toward Astrophysical Black-Hole Binaries Gregory B. Cook Wake Forest University Mar. 29, 2002

Toward Astrophysical Black-Hole Binaries Gregory B. Cook Wake Forest University Mar. 29, 2002 Abstract A formalism for constructing initial data representing black-hole binaries in quasi-equilibrium is developed. If each black hole is assumed

322 views • 18 slides
AdS 5 Black Hole Entropy Without SUSY Finn Larsen University of Michigan and Leinweber Center for

AdS 5 Black Hole Entropy Without SUSY Finn Larsen University of Michigan and Leinweber Center for

AdS 5 Black Hole Entropy Without SUSY Finn Larsen University of Michigan and Leinweber Center for Theoretical Physics Yukawa ITP (Kyoto), May 30, 2019 . Microscopics of Black Hole Entropy The Bekenstein-Hawking area law for black hole

315 views • 27 slides
Thermodynamics of a Black Hole with Moon Alexandre Le Tiec Laboratoire Univers et Th eories

Thermodynamics of a Black Hole with Moon Alexandre Le Tiec Laboratoire Univers et Th eories

Thermodynamics of a Black Hole with Moon Alexandre Le Tiec Laboratoire Univers et Th eories Observatoire de Paris / CNRS In collaboration with Sam Gralla Phys. Rev. D 88 (2013) 044021 Stationary black holes Black hole with a corotating moon

793 views • 30 slides
Shaving the Black Hole Yogesh K. Srivastava Work with Dileep Jatkar and Ashoke Sen KEK

Shaving the Black Hole Yogesh K. Srivastava Work with Dileep Jatkar and Ashoke Sen KEK

Prologue String Theory Precision counting of microstates Black Hole Hair Analysis of the BMPV BH Entropy Analysis of the 4D BH Entropy Hair modes in Supergravity Regularity of Hair Modes Conclusion Shaving the Black Hole Yogesh K.

876 views • 54 slides
Some real-time aspects of quantum black hole Masanori Hanada Hana Da Masa Nori

Some real-time aspects of quantum black hole Masanori Hanada Hana Da Masa Nori

Some real-time aspects of quantum black hole Masanori Hanada Hana Da Masa Nori July 12, 2018 @ Vienna Holography Black QFT = Hole Holography Black QFT = Hole For imaginary time, lattice simulation is powerful and probably

829 views • 67 slides
Evaporating Black Hole and Partial Deconfinement Masanori Hanada University of Southampton 28

Evaporating Black Hole and Partial Deconfinement Masanori Hanada University of Southampton 28

Evaporating Black Hole and Partial Deconfinement Masanori Hanada University of Southampton 28 Dec 2018 @ YITP , Kyoto Holographic Principle Black Hole Non-gravitational systems Quantum gravity Equivalent Matrix Model Super

1.23k views • 80 slides
A Black Hole as A Particle Zhenbin Yang Princeton University ArXiv:1809.08647 What is a Black

A Black Hole as A Particle Zhenbin Yang Princeton University ArXiv:1809.08647 What is a Black

A Black Hole as A Particle Zhenbin Yang Princeton University ArXiv:1809.08647 What is a Black Hole? The Black Hole I understand is: -1.40135791465086 -1.40135791465086 -1.40135791465080 -1.39627342166226 -1.39627342166226

1.81k views • 152 slides
Massive Black Hole Growth and Formation: Implications for LISA P.Coppi, Yale 1. Supermassive

Massive Black Hole Growth and Formation: Implications for LISA P.Coppi, Yale 1. Supermassive

Massive Black Hole Growth and Formation: Implications for LISA P.Coppi, Yale 1. Supermassive Black Holes: When, Where, and How? Theoretical Issues Observational Constraints & Clues 2. Does a Galaxy Merger Imply a Black Hole Merger?

1.02k views • 88 slides
Black Hole Attractors and Superconformal Quantum Mechanics Davide Gaiotto

Black Hole Attractors and Superconformal Quantum Mechanics Davide Gaiotto

Black Hole Attractors and Superconformal Quantum Mechanics Davide Gaiotto dgaiotto@fas.harvard.edu Harvard University joint work with Aaron Simons, Andrew Strominger, Xi Yin hep-th/ 0412322 hep-th/ 0412179 Black Hole Attractors and

932 views • 67 slides
Black hole -state geometries, antibranes & the dS landscape Iosif Bena IPhT, CEA Saclay

Black hole -state geometries, antibranes & the dS landscape Iosif Bena IPhT, CEA Saclay

Black hole -state geometries, antibranes & the dS landscape Iosif Bena IPhT, CEA Saclay Strominger and Vafa (1996): Black Hole Microstates at Zero Gravity (branes + strings) Correctly match B.H. entropy !!! One Particular Microstate

872 views • 41 slides
Supertubes and the 4D black hole Per Kraus, UCLA with I. Bena: hep-th/0402144, hep-th/0408186,

Supertubes and the 4D black hole Per Kraus, UCLA with I. Bena: hep-th/0402144, hep-th/0408186,

Supertubes and the 4D black hole Per Kraus, UCLA with I. Bena: hep-th/0402144, hep-th/0408186, hep-th/0502xxx Supertubes and the 4D black hole p.1/25 Introduction Much has been learned from relating the gravity and gauge theory

419 views • 25 slides
Structure of Black Hole Xiaoning Wu Institute of Mathematics, AMSS Cooperated with Y.Tian, C.

Structure of Black Hole Xiaoning Wu Institute of Mathematics, AMSS Cooperated with Y.Tian, C.

Van der Waals like Phase Structure of Black Hole Xiaoning Wu Institute of Mathematics, AMSS Cooperated with Y.Tian, C. Niu, Y. Cai and Y. Yang Black hole mechanical law 0th law : is constant on horizon . 1st law : 2nd law : the area of

447 views • 21 slides
DATA AND SCHEMA MODIFICATIONS CHAPTERS 4,5 (6/E) CHAPTER 8 (5/E) 1 CHAPTER 5 OUTLINE

DATA AND SCHEMA MODIFICATIONS CHAPTERS 4,5 (6/E) CHAPTER 8 (5/E) 1 CHAPTER 5 OUTLINE

DATA AND SCHEMA MODIFICATIONS CHAPTERS 4,5 (6/E) CHAPTER 8 (5/E) 1 CHAPTER 5 OUTLINE Updating Databases Using SQL Specifying Constraints as Assertions and Actions as Triggers Schema Change Statements in SQL 2 THE INSERT

309 views • 12 slides
Interception, Replication, and Consolidation Solutions OPTA2000 Enscribe-2-SQL Toolkit clock

Interception, Replication, and Consolidation Solutions OPTA2000 Enscribe-2-SQL Toolkit clock

Interception, Replication, and Consolidation Solutions OPTA2000 Enscribe-2-SQL Toolkit clock & time-zone simulator flexible, affordable alternative for Enscribe to SQL conversion FileSync replication & synchronization software Command

537 views • 24 slides
pgDU Sydney 15th November 2019 Hari Kiran PostgreSQL Consultant, 2ndQuadrant

pgDU Sydney 15th November 2019 Hari Kiran PostgreSQL Consultant, 2ndQuadrant

pgDU Sydney 15th November 2019 Hari Kiran PostgreSQL Consultant, 2ndQuadrant https://www.2ndQuadrant.com pgDU Sydney THP & Defrag Enabled by default Disable! Disable! Disable! Consolidate Fragmented huge pages Defrags huge

447 views • 18 slides
CS3431 Description: Envision a database Database Systems I application, and implement it

CS3431 Description: Envision a database Database Systems I application, and implement it

One continuous course project CS3431 Description: Envision a database Database Systems I application, and implement it fully. Project Overview Teaming : Teams of 2 students each Grading : Collect points over the phases Murali

216 views • 4 slides
Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader

Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader

Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader spectrum of very different approaches to find malicious activity semantic misuse detection anomaly detection behavioral analysis.

617 views • 23 slides
Cyber@UC Meeting 34 Wireshark, Packets, PCAPs, and Pings If Youre New! Join our Slack

Cyber@UC Meeting 34 Wireshark, Packets, PCAPs, and Pings If Youre New! Join our Slack

Cyber@UC Meeting 34 Wireshark, Packets, PCAPs, and Pings If Youre New! Join our Slack ucyber.slack.com Follow us on Twitter @UCyb3r and Facebook UC.yber; University of Cincinnati OWASP Chapter Feel free to get involved with one

464 views • 9 slides
Trajectory Optimization (this is a draft, to be updated before lecture) McGill COMP 765 Oct 5 th

Trajectory Optimization (this is a draft, to be updated before lecture) McGill COMP 765 Oct 5 th

Trajectory Optimization (this is a draft, to be updated before lecture) McGill COMP 765 Oct 5 th , 2017 Recall: LQR Provided a globally optimal control solution in a single pass, under fairly restrictive assumptions As with the KF/EKF,

290 views • 9 slides
SoftRDMA: Rekindling High Performance Software RDMA over Commodity Ethernet Mao Miao, Fengyuan

SoftRDMA: Rekindling High Performance Software RDMA over Commodity Ethernet Mao Miao, Fengyuan

SoftRDMA: Rekindling High Performance Software RDMA over Commodity Ethernet Mao Miao, Fengyuan Ren, Xiaohui Luo , Jing Xie, Qingkai Meng, Wenxue Cheng Dept. of Computer Science and Technology, Tsinghua University, Background R emote D irect

517 views • 23 slides

More recommend