Understanding the Behaviors of BGP-based DDoS Protection Services

  • Tony Miu Tung
  • Chenxu WangEmail author
  • Jinhe Wang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11058)


Distributed Denial of Service attacks has been one of the most challenges faced by the Internet for decades. Recently, DDoS protection services (DPS) have risen up to mitigate large-scale DDoS attacks by diverting the vast malicious traffic against the victims to affordable networks. One common approach is to reroute the traffic through the change of BGP policies, which may cause abnormal BGP routing dynamics. However, little is known about such behaviors and the consequences. To fill this gap, in this paper, we conduct the first study on the behaviors of BGP-based DPS through two steps. First, we propose a machine learning based approach to identify DDoS events because there usually lacks data for characterizing real DDoS events. Second, We design a new algorithm to analyze the behavior of DPS against typical DDoS attacks. In the case study of real DDoS attacks, we carefully analyze the policies used to mitigate the attacks and obtain several meaningful findings. This research sheds light on the design of effective DDoS attack mitigation schemes.


DDoS attacks BGP traffic DPS behavior 



The research presented in this paper is supported in part by National Natural Science Foundation (No. 61602370, 61672026, 61772411, U1736205), Postdoctoral Foundation (No. 201659M2806, 2018T111066), Fundamental Research Funds for the Central Universities (No. 1191320006), Shaanxi Postdoctoral Foundation, Project JCYJ20170816100819428 supported by SZSTI, CCF-Tencent Open Fund WeBank Special Funding (No. CCF-Webank RAGR20180101), CCF-NSFOCUS KunPeng Research Fund (No. CCF-NSFOCUS 2018006).


  1. 1.
    How friday’s massive ddos attack on the U.S. happened.
  2. 2.
    OVH suffers from 1.1Tbps DDoS attack. Accessed 11 Mar 2017
  3. 3.
    Chandrashekar, J., Duan, Z., Zhang, Z.L., Krasky, J.: Limiting path exploration in BGP. In: 24th Annual Joint Conference of INFOCOM, vol. 4, pp. 2337–2348. IEEE (2005)Google Scholar
  4. 4.
    Chang, D.F., Govindan, R., Heidemann, J.: The temporal and topological characteristics of BGP path changes. In: ICNP, pp. 190–199. IEEE (2003)Google Scholar
  5. 5.
    Cowie, J., Ogielski, A.T., Premore, B., Yuan, Y.: Internet worms and global routing instabilities. In: ITCom 2002: The Convergence of Information Technologies and Communications, pp. 195–199 (2002)Google Scholar
  6. 6.
    Deshpande, S., Thottan, M., Ho, T.K., Sikdar, B.: An online mechanism for BGP instability detection and analysis. IEEE Trans. Comput. 58(11), 1470–1484 (2009)MathSciNetCrossRefGoogle Scholar
  7. 7.
    Feldmann, A., Maennel, O., Mao, Z.M., Berger, A., Maggs, B.: Locating internet routing instabilities. ACM SIGCOMM CCR 34, 205–218 (2004)CrossRefGoogle Scholar
  8. 8.
    Hilton, S.: Dyn analysis summary of friday october 21 attack.
  9. 9.
    Jonker, M., Sperotto, A., van Rijswijk-Deij, R., Sadre, R., Pras, A.: Measuring the adoption of DDoS protection services. In: Proceedings of the 2016 ACM on Internet Measurement Conference, pp. 279–285. ACM (2016)Google Scholar
  10. 10.
    Karami, M., McCoy, D.: Understanding the emerging threat of DDoS-as-a-service. In: LEET (2013)Google Scholar
  11. 11.
    Labovitz, C., Malan, G.R., Jahanian, F.: Internet routing instability. IEEE/ACM Trans. Netw. 6(5), 515–528 (1998)CrossRefGoogle Scholar
  12. 12.
    Li, J., Brooks, S.: I-seismograph: observing and measuring internet earthquakes. In: INFOCOM, 2011 Proceedings IEEE, pp. 2624–2632. IEEE (2011)Google Scholar
  13. 13.
    Li, J., Guidero, M., Wu, Z., Purpus, E., Ehrenkranz, T.: BGP routing dynamics revisited. ACM SIGCOMM CCR 37(2), 5–16 (2007)CrossRefGoogle Scholar
  14. 14.
    Li, J., Wu, Z., Purpus, E.: Cam04-5: Toward understanding the behavior of BGP during large-scale power outages. In: IEEE Globecom. IEEE (2006)Google Scholar
  15. 15.
    Noroozian, A., Korczyński, M., Gañan, C.H., Makita, D., Yoshioka, K., van Eeten, M.: Who gets the boot? analyzing victimization by DDoS-as-a-service. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 368–389. Springer, Cham (2016). Scholar
  16. 16.
    Park, J.H., Jen, D., Lad, M., Amante, S., McPherson, D., Zhang, L.: Investigating occurrence of duplicate updates in BGP announcements. In: Krishnamurthy, A., Plattner, B. (eds.) PAM 2010. LNCS, vol. 6032, pp. 11–20. Springer, Heidelberg (2010). Scholar
  17. 17.
    Santanna, J.J., et al.: Booters-an analysis of DDoS-as-a-service attacks. In: 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 243–251. IEEE (2015)Google Scholar
  18. 18.
    Smith, D.: How friday’s massive ddos attack on the U.S. happened.
  19. 19.
    Zhang, M.: BGPInspector: A real-time extensible border gateway protocol monitoring framework. CAS (2014)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Nexusguard Ltd.Tsuen WanHong Kong
  2. 2.School of Software EngineeringXi’an Jiaotong UniversityXi’anChina
  3. 3.MoE Key Laboratory for INNSXi’an Jiaotong UniversityXi’anChina

Personalised recommendations