
Blackholing at IXPs: On the Effectiveness of DDoS Mitigation in the Wild

  • Conference paper
Passive and Active Measurement (PAM 2016)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 9631)

Abstract

DDoS attacks remain a serious threat not only to the edge of the Internet but also to the core peering links at Internet Exchange Points (IXPs). Currently, the main mitigation technique is to blackhole traffic to a specific IP prefix at upstream providers. Blackholing is an operational technique that allows a peer to announce a prefix via BGP to another peer, which then discards traffic destined for this prefix. However, as far as we know there is only anecdotal evidence of the success of blackholing.

Largely unnoticed by research communities, IXPs have deployed blackholing as a service for their members. In this first-of-its-kind study, we shed light on the extent to which blackholing is used by the IXP members and what effect it has on traffic.

Within a 12 week period we found that traffic to more than 7,864 distinct IP prefixes was blackholed by 75 ASes. The daily patterns emphasize that there are not only a highly variable number of new announcements every day but, surprisingly, there are a consistently high number of announcements (>1000). Moreover, we highlight situations in which blackholing succeeds in reducing the DDoS attack traffic.
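The mechanism described in the abstract, as an added example that is not code from the paper: a peer installs a BGP-announced more-specific prefix as a discard route, and longest-prefix match then drops traffic to that prefix only. The community value 65535:666 is the well-known BLACKHOLE community from RFC 7999; the AS numbers, prefixes, class name and the ownership check on announcements are constructed assumptions for illustration.

```python
import ipaddress

BLACKHOLE = (65535, 666)  # well-known BLACKHOLE community (RFC 7999)


class Peer:
    """A router that learns routes over BGP and forwards by longest-prefix match."""

    def __init__(self, registered):
        # registered: origin AS -> prefixes it may announce (constructed data)
        self.registered = {asn: [ipaddress.ip_network(p) for p in pfx]
                           for asn, pfx in registered.items()}
        self.routes = {}  # network -> "forward" | "discard"

    def announce(self, origin_as, prefix, communities=()):
        net = ipaddress.ip_network(prefix)
        owned = self.registered.get(origin_as, [])
        if not any(net.subnet_of(r) for r in owned):
            return False  # assumed policy: an AS may only blackhole its own space
        self.routes[net] = "discard" if BLACKHOLE in communities else "forward"
        return True

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def decide(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return "no-route"
        # The most specific route wins, so a /32 blackhole overrides the /24.
        return self.routes[max(matches, key=lambda n: n.prefixlen)]


def demo():
    peer = Peer({64500: ["203.0.113.0/24"], 64501: ["198.51.100.0/24"]})
    peer.announce(64500, "203.0.113.0/24")
    before = peer.decide("203.0.113.7")
    accepted = peer.announce(64500, "203.0.113.7/32", [BLACKHOLE])
    # A different AS tries to blackhole an address it does not originate.
    foreign = peer.announce(64501, "203.0.113.8/32", [BLACKHOLE])
    # All traffic to .7 is now dropped, attack and legitimate alike; .8 is unaffected.
    during = (peer.decide("203.0.113.7"), peer.decide("203.0.113.8"))
    peer.withdraw("203.0.113.7/32")
    after = peer.decide("203.0.113.7")
    return before, accepted, foreign, during, after
```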



Acknowledgments

We thank all our colleagues for their feedback, and the reviewers for their suggestions. This work is supported by European Union's Horizon 2020 research and innovation programme under the ENDEAVOUR project (grant agreement 644960) and by the German Federal Ministry of Education and Research (BMBF Grant 01IS14009D BDSec).

Corresponding author

Correspondence to Christoph Dietzel.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Dietzel, C., Feldmann, A., King, T. (2016). Blackholing at IXPs: On the Effectiveness of DDoS Mitigation in the Wild. In: Karagiannis, T., Dimitropoulos, X. (eds) Passive and Active Measurement. PAM 2016. Lecture Notes in Computer Science(), vol 9631. Springer, Cham. https://doi.org/10.1007/978-3-319-30505-9_24

  • DOI: https://doi.org/10.1007/978-3-319-30505-9_24

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-30504-2

  • Online ISBN: 978-3-319-30505-9

  • eBook Packages: Computer Science (R0)
