Inferring BGP Blackholing in the Internet

Size: px

Start display at page:

Download "Inferring BGP Blackholing in the Internet"

Amice Hart
6 years ago
Views:

1 Inferring BGP Blackholing in the Internet Vasileios Giotsas, Georgios Smaragdakis, Christoph Dietzel, Philipp Richter, Anja Feldmann, and Arthur Berger TU Berlin CAIDA MIT DE-CIX Akamai

2 DDoS A&acks are a Serious Threat 2

3 Networks under A&ack AS AS2 AS3 AS4 AIack Target Server 3

4 Blackholing AS AS2 AS3 AS4 AIack Target Server 4

5 BGP Blackholing AS1 BGP AS2 AS3 AS4 AIack Target Server 5

6 BGP Blackholing AS AS2 AS3 AS4 AIack Target Server 6

7 Agenda BGP Blackholing in Detail Inference Methodology for BGP Blackholing Trends in BGP Blackholing AcDvity Visibility of BGP Blackholing BGP Blackholing Network Efficacy Profile of BGP Blackholing Adopters 7

8 Agenda BGP Blackholing in Detail Inference Methodology for BGP Blackholing Trends in BGP Blackholing AcDvity Visibility of BGP Blackholing BGP Blackholing Network Efficacy Profile of BGP Blackholing Adopters 8

9 BGP Blackholing in the Internet AS AS2 AS3 AS4 AIack Target Server 9

10 BGP Blackholing in the Internet AS /32 Community = AS3: AS2 AS3 RFC1997, RFC6535, RFC7999 AS4 AIack Target Server 10

11 Terminology /32 Community = AS3:666 AS3:666 Blackholing Community AS AS2 AS3 RFC1997, RFC6535, RFC7999 AS /32 Blackholed Prefix AIack Target Server 11

12 BGP Blackholing in the Internet AS AS2 AS3 RFC1997, RFC6535, RFC7999 AS4 AIack Target Server 12

13 BGP Blackholing in the Internet /32 Community = AS3:666 AS AS2 AS3 RFC1997, RFC6535, RFC7999 AS4 AIack Target Server 13

14 BGP Blackholing in the Internet AS AS2 AS3 RFC1997, RFC6535, RFC7999 AS4 AIack Target Server 14

15 Terminology /32 Community = AS3:666 AS1 AS2 AS3 Blackholing Provider AS AS4 Blackholing User AS4 AIack Target Server 15

16 BGP Blackholing in an IXP member AS1 member AS2 Route Server member AS3 IXP member AS4 AIack Target Server 16

17 BGP Blackholing in an IXP member AS1 member AS2 Route Server /32 Community = IXP: member AS3 IXP member AS4 AIack Target Server 17

BGP Blackholing in an IXP member AS1 172.18.192.

18 BGP Blackholing in an IXP member AS /32 Next hop: (blackhole) Community = IXP:666 member AS2 Route Server member AS3 IXP member AS4 AIack Target Server 18

19 BGP Blackholing in an IXP member AS1 member AS2 Route Server member AS3 IXP member AS4 AIack Target Server 19

20 BGP Blackholing in an IXP member AS1 member AS2 member AS3 IXP Blackholing Provider Route Server IXP member AS4 AIack AS4 Target Blackholing Server User 20

21 Agenda BGP Blackholing in Detail Inference Methodology for BGP Blackholing Trends in BGP Blackholing AcDvity Visibility of BGP Blackholing BGP Blackholing Network Efficacy Profile of BGP Blackholing Adopters 21

22 BGP Blackhole Community DicDonary BGP CommuniDes are standardized We mine Internet Registries, NOC webpages etc. for keywords like blackhole, null route using Natural Language Processing Level3 DE-CIX 22

23 Methodology AS1 BGP Collector /32 AS3 AS1 Community = AS3: AS2 AS3 AS4 AIack Target Server 23

Methodology BGP Collector Starts at t 0 : A 172.18.192.

24 Methodology BGP Collector Starts at t 0 : A /32 provider:as3 user:as4 communiaes AS AS2 AS3 AS4 AIack Target Server 24

25 Methodology AS1 BGP Collector Starts at t 0 : A /32 provider:as3 user:as4 communiaes Ends at t 1 : W / / AS2 AS3 AS4 AIack Target Server 25

Methodology AS1 BGP Collector Starts at t 0 : A 172.18.192.

26 Methodology AS1 BGP Collector Starts at t 0 : A /32 provider:as3 user:as4 communiaes Ends at t 1 : W / AS2 AS3 AS4 AIack Target Server 26

27 Methodology t 3 : A /32 provider: AS13 user: AS9 communiaes t 4 : W /32 AS1 BGP Collector Starts at t 0 : A /32 provider:as3 user:as4 communiaes Ends at t 1 : W / t 7 : A /32 provider: AS30 user: AS11 communiaes t 8 : W /32 AS2 AS3 AS3 AS4 AIack Target Server 27

28 Agenda BGP Blackholing in Detail Inference Methodology for BGP Blackholing Trends in BGP Blackholing Acavity Visibility of BGP Blackholing BGP Blackholing Network Efficacy Profile of BGP Blackholing Adopters 28

29 BGP Datasets Source #IP peers #AS peers RIPE Route Views PCH 8,897 1,721 CDN 3,349 1,282 Total 12,940 2,798 CDN and PCH infer 3x more blackholed prefixes than RIPE and Route Views 29

30 The Rise of BGP Blackholing 2.5x 30

31 The Rise of BGP Blackholing 4x 31

32 The Rise of BGP Blackholing 6x 32

33 The Rise of BGP Blackholing Mirai 33

34 Agenda BGP Blackholing in Detail Inference Methodology for BGP Blackholing Trends in BGP Blackholing AcDvity Visibility of BGP Blackholing BGP Blackholing Network Efficacy Profile of BGP Blackholing Adopters 34

35 BGP Blackholing Inference StaDsDcs 35

36 BGP Blackholing PropagaDon AS1 BGP Collector /32 Community = AS3: /32 Next hop = R4 Community = AS3: AS120 AS130 AS3 AS140 BGP Collector AS4 AIack Target Server 36

37 BGP Blackholing Inference StaDsDcs Due to Blackholing Propagaaon 37

BGP Blackhole Bundling AS1 BGP Collector 172.18.192.

38 BGP Blackhole Bundling AS1 BGP Collector /32 Community = AS3:666, AS20:666, AS30:99, AS40: AS3 AS20 AS30 AS4 AIack Target Server AS40 38

39 BGP Blackholing Inference StaDsDcs Due to Blackholing Bundling 39

40 Agenda BGP Blackholing in Detail Inference Methodology for BGP Blackholing Trends in BGP Blackholing AcDvity Visibility of BGP Blackholing BGP Blackholing Network Efficacy Profile of BGP Blackholing Adopters 40

41 BGP Blackholing Efficacy: AcDve Measurements AS AS3 AS4 AIack Target Server 41

42 BGP Blackholing Efficacy: AcDve Measurements AS AS3 AS4 AIack Target Server 42

43 BGP Blackholing Efficacy: AcDve Measurements AS AS3 AS4 AIack Target Server 43

44 BGP Blackholing Efficacy: AcDve Measurements Reducaon by 5 IP hops (on average) 44

45 BGP Blackholing Efficacy: AcDve Measurements Reducaon by 3 AS hops (on average) 45

46 Agenda BGP Blackholing in Detail Inference Methodology for BGP Blackholing Trends in BGP Blackholing AcDvity Visibility of BGP Blackholing BGP Blackholing Network Efficacy Profile of BGP Blackholing Adopters 46

47 Popularity of Blackholing Providers 47

48 Popularity of Blackholing Providers 48

49 Popularity of Blackholing Users 49

50 Popularity of Blackholing Users 43% of bh prefixes belong to content providers/hosters 50

51 Profile of Blackholed Prefixes 50% 40% 30% 20% 10% 0 Open ports in hosts in 60% of the blackholed prefixes In many cases default hosdng so`ware configuradons Serve ephemeral or low-ranked domains 51

52 BGP Blackholing DuraDon 52

53 Conclusion The first Internet-wide study on the adopdon and state of BGP Blackholing Methodology to infer Blackholing acdvity from BGP data BGP Blackholing is on the rise in all three metrics (Providers, Users, Prefixes) BGP Blackholing is effecdve in dropping traffic early Profile of Blackholed adopters and Insights on Usage 53

54 Thank you! 54

BGP Community Harvesting: Locating Peering Infrastructures

BGP Community Harvesting: Locating Peering Infrastructures Community Harvesting: Locating Peering Infrastructures Vasileios Giotsas, Christoph Dietzel, Georgios Smaragdakis, Anja Feldmann, Arthur Berger, Emile Aben # TU Berlin CAIDA DE-CIX MIT Akamai # RIPE NCC