Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event

Published: 14 November 2016

Abstract

    Distributed Denial-of-Service (DDoS) attacks continue to be a major threat on the Internet today. DDoS attacks overwhelm target services with requests or other traffic, causing requests from legitimate users to be shut out. A common defense against DDoS is to replicate a service in multiple physical locations/sites. If all sites announce a common prefix, BGP will associate users around the Internet with a nearby site, defining the catchment of that site. Anycast defends against DDoS both by increasing aggregate capacity across many sites, and allowing each site's catchment to contain attack traffic, leaving other sites unaffected. IP anycast is widely used by commercial CDNs and for essential infrastructure such as DNS, but there is little evaluation of anycast under stress. This paper provides the first evaluation of several IP anycast services under stress with public data. Our subject is the Internet's Root Domain Name Service, made up of 13 independently designed services ("letters", 11 with IP anycast) running at more than 500 sites. Many of these services were stressed by sustained traffic at 100× normal load on Nov. 30 and Dec. 1, 2015. We use public data for most of our analysis to examine how different services respond to stress, and identify two policies: sites may absorb attack traffic, containing the damage but reducing service to some users, or they may withdraw routes to shift both good and bad traffic to other sites. We study how these deployment policies resulted in different levels of service to different users during the events. We also show evidence of collateral damage on other services located near the attacks.
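    The abstract contrasts two site policies under attack: absorbing the traffic inside the affected catchment, or withdrawing the route so both good and bad traffic shift elsewhere. The following toy simulation, an added example that is not part of the paper, models that choice: sites have a capacity, each traffic source lands at the first announced site in a constructed preference list (standing in for BGP's nearest-site selection), an overloaded absorbing site drops queries indiscriminately, and a withdrawing site hands its load to the next site, which may overload in turn. Site names, capacities and traffic volumes are all constructed.

```python
"""Added example (not from the paper): toy anycast service under DDoS, comparing
the 'absorb' and 'withdraw' site policies. All sites and figures are constructed."""
from dataclasses import dataclass

@dataclass
class Site:
    name: str
    capacity: float      # queries/s the site can answer before it starts dropping
    good: float = 0.0    # legitimate load currently routed here
    bad: float = 0.0     # attack load currently routed here
    up: bool = True      # False once the site has withdrawn its BGP route

def route(sites, sources):
    """Build catchments: each source lands at the first announced site in its preference list."""
    for s in sites.values():
        s.good = s.bad = 0.0
    for prefs, good, bad in sources:
        for name in prefs:
            if sites[name].up:
                sites[name].good += good
                sites[name].bad += bad
                break

def served_fraction(site):
    """Share of queries a site answers; an overloaded site drops indiscriminately."""
    load = site.good + site.bad
    return 1.0 if load <= site.capacity else site.capacity / load

def evaluate(capacities, sources, policy):
    """Return (fraction of legitimate queries answered, {site: (up, served_fraction)})."""
    sites = {n: Site(n, c) for n, c in capacities.items()}
    route(sites, sources)
    if policy == "withdraw":
        # Overloaded sites withdraw their route; good and bad traffic shifts to the
        # next site, which may overload in turn, so iterate until nothing changes.
        changed = True
        while changed:
            changed = False
            for s in sites.values():
                if s.up and s.good + s.bad > s.capacity:
                    s.up, changed = False, True
            route(sites, sources)
    total_good = sum(g for _, g, _ in sources)
    served = sum(s.good * served_fraction(s) for s in sites.values() if s.up)
    return served / total_good, {n: (s.up, round(served_fraction(s), 3)) for n, s in sites.items()}

# Constructed scenario: attack traffic pushes the AMS catchment to twice its capacity.
SOURCES = [  # (site preference order, legitimate qps, attack qps)
    (["AMS", "LAX", "GRU"], 40, 0),    # European users
    (["AMS", "LAX", "GRU"], 0, 160),   # attack sources nearest to AMS
    (["LAX", "AMS", "GRU"], 50, 0),    # US users
    (["GRU", "LAX", "AMS"], 20, 0),    # Brazilian users
]
BIG_LAX = {"AMS": 100, "LAX": 1000, "GRU": 30}    # a large site can take the shifted load
SMALL_LAX = {"AMS": 100, "LAX": 100, "GRU": 30}   # no site can, so withdrawal cascades
```

    With `BIG_LAX`, withdrawing serves every legitimate query (at a latency cost the model ignores) where absorbing serves about 82%; with `SMALL_LAX`, withdrawal cascades through every site and nothing is served, which is the collateral-damage case the abstract warns about.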



    Published In

    cover image ACM Conferences
    IMC '16: Proceedings of the 2016 Internet Measurement Conference
    November 2016
    570 pages
    ISBN:9781450345262
    DOI:10.1145/2987443
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. anycast
    2. bgp
    3. ddos
    4. distributed denial-of-service
    5. ip
    6. performance
    7. reachability
    8. root dns

    Qualifiers

    • Research-article

    Funding Sources

    • Air Force Research Laboratory Information Directorate
    • U.S. DHS Science and Technology Directorate HSARPA Cyber Security Division via SPAWAR Systems Center Pacific
    • SAND Project
    • DAS Project

    Conference

    IMC 2016
    Sponsor:
    IMC 2016: Internet Measurement Conference
    November 14 - 16, 2016
    Santa Monica, California, USA

    Acceptance Rates

    IMC '16 Paper Acceptance Rate 48 of 184 submissions, 26%;
    Overall Acceptance Rate 277 of 1,083 submissions, 26%


    Cited By

    • (2024) Investigating Location-aware Advertisements in Anycast IP Networks. Proceedings of the 2024 Applied Networking Research Workshop, pp. 15-22. DOI: 10.1145/3673422.3674885. Online publication date: 23 Jul 2024.
    • (2024) Deep Dive into NTP Pool's Popularity and Mapping. Proceedings of the ACM on Measurement and Analysis of Computing Systems 8(1), pp. 1-30. DOI: 10.1145/3639041. Online publication date: 21 Feb 2024.
    • (2024) Anycast Polarization in the Wild. Passive and Active Measurement, pp. 104-131. DOI: 10.1007/978-3-031-56252-5_6. Online publication date: 11 Mar 2024.
    • (2023) NRDelegationAttack. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 3187-3204. DOI: 10.5555/3620237.3620416. Online publication date: 9 Aug 2023.
    • (2023) Research on the Construction of High-Trust Root Zone File Based on Multi-Source Data Verification. Electronics 12(10), 2264. DOI: 10.3390/electronics12102264. Online publication date: 16 May 2023.
    • (2023) Root Mirror Sites Identification and Service Area Analysis. Electronics 12(7), 1737. DOI: 10.3390/electronics12071737. Online publication date: 5 Apr 2023.
    • (2023) Realizing Fine-Grained Inference of AS Path With a Generative Measurable Process. IEEE/ACM Transactions on Networking 31(6), pp. 3112-3127. DOI: 10.1109/TNET.2023.3270565. Online publication date: Dec 2023.
    • (2023) Evaluating the Quality of Service of the DNS Root Server From the Service Scope. 2023 International Conference on Mobile Internet, Cloud Computing and Information Security (MICCIS), pp. 173-177. DOI: 10.1109/MICCIS58901.2023.00033. Online publication date: Apr 2023.
    • (2023) Anomaly-based Filtering of Application-Layer DDoS Against DNS Authoritatives. 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P), pp. 558-575. DOI: 10.1109/EuroSP57164.2023.00040. Online publication date: Jul 2023.
    • (2023) Defending Root DNS Servers Against DDoS Using Layered Defenses. 2023 15th International Conference on COMmunication Systems & NETworkS (COMSNETS), pp. 513-521. DOI: 10.1109/COMSNETS56262.2023.10041415. Online publication date: 3 Jan 2023.
