EEMCS

Home > Publications
Home University of Twente
Education
Research
Prospective Students
Jobs
Publications
Intranet (internal)
 
 Nederlands
 Contact
 Search
 Organisation

EEMCS EPrints Service


27641 Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event
Home Policy Brochure Browse Search User Area Contact Help

Moreira Moura, G.C. and de Oliveira Schmidt, R. and Heidemann, J. and de Vries, W.B. and Müller, M. and Wei, Lan and Hesselman, C. (2016) Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event. Technical Report ISI-TR-2016-709, Information Sciences Institute, University of Southern California, Los Angeles-CA, USA.

Full text available as:

PDF

644 Kb

Official URL: ftp://ftp.isi.edu/isi-pubs/tr-709.pdf

Abstract

Distributed Denial-of-Service (DDoS) attacks continue to be a major threat in the Internet today. DDoS attacks over- whelm target services with requests or other traffic, causing requests from legitimate users to be shut out. A common defense against DDoS is to replicate the service in multiple physical locations or sites. If all sites announce a common IP address, BGP will associate users around the Internet with a nearby site, defining the catchment of that site. Anycast ad- dresses DDoS both by increasing capacity to the aggregate of many sites, and allowing each catchment to contain attack traffic leaving other sites unaffected. IP anycast is widely used for commercial CDNs and essential infrastructure such as DNS, but there is little evaluation of anycast under stress. This paper provides the first evaluation of several anycast services under stress with public data. Our subject is the Internet’s Root Domain Name Service, made up of 13 inde- pendently designed services (“letters”, 11 with IP anycast) running at more than 500 sites. Many of these services were stressed by sustained traffic at 100× normal load on Nov. 30 and Dec. 1, 2015. We use public data for most of our anal- ysis to examine how different services respond to the these events. We see how different anycast deployments respond to stress, and identify two policies: sites may absorb attack traffic, containing the damage but reducing service to some users, or they may withdraw routes to shift both good and bad traffic to other sites. We study how these deployments policies result in different levels of service to different users. We also show evidence of collateral damage on other services located near the attacks.

Item Type:Internal Report (Technical Report)
Research Group:EWI-DACS: Design and Analysis of Communication Systems
Research Program:CTIT-General
Research Project:SAND: Self-managing Anycast Networks For The Dns, DAS: Dns (anycast) Security
Uncontrolled Keywords:DDoS, DNS, Anycast
ID Code:27641
Deposited On:15 March 2017
More Information:statistics

Export this item as:

To correct this item please ask your editor

Repository Staff Only: edit this item