BGPeek-a-Boo: Active BGP-based Traceback for Amplification DDoS Attacks

03/15/2021
by Johannes Krupp, et al.

Amplification DDoS attacks inherently rely on IP spoofing to steer attack traffic to the victim. At the same time, IP spoofing undermines prosecution, as the originating attack infrastructure remains hidden. Researchers have therefore proposed various mechanisms to trace back amplification attacks (or IP-spoofed attacks in general). However, existing traceback techniques require either the cooperation of external parties or a priori knowledge about the attacker. We propose BGPeek-a-Boo, a BGP-based approach to trace back amplification attacks to their origin network. BGPeek-a-Boo monitors amplification attacks with honeypots and uses BGP poisoning to temporarily shut down ingress traffic from selected Autonomous Systems. By systematically probing the entire AS space, we detect systems forwarding and originating spoofed traffic. We then show how a graph-based model of BGP route propagation can reduce the search space, resulting in a 5x median speed-up and over 20x for 1/4 of all cases. BGPeek-a-Boo achieves a unique traceback result 60% of the time in a simulation-based evaluation supported by real-world experiments.
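The search the abstract sketches, probing the AS space by temporarily withdrawing the honeypot's reachability from selected ASes and then pruning that search with a graph model of route propagation, can be illustrated with a small simulation. The code below is an added example written for this page, not the authors' BGPeek-a-Boo implementation: the nine-AS topology, the shortest-path-tree model of how the honeypot prefix propagates, the `Honeypot` oracle that reports whether spoofed traffic still arrives during a probe, and all AS numbers are constructed assumptions. It contrasts a naive per-AS scan with a tree-guided descent and counts the probes each needs.

```python
"""Simplified simulation of BGP-poisoning-based traceback (constructed example)."""
from collections import deque

# Constructed AS-level topology: AS number -> neighbouring ASes (undirected).
TOPOLOGY = {
    100: [200, 300],        # AS100 hosts the honeypot (the abused amplifier)
    200: [100, 210, 220],
    300: [100, 310],
    210: [200, 211],
    220: [200],
    310: [300, 311, 312],
    211: [210],
    311: [310],
    312: [310],
}
HONEYPOT_AS = 100


def route_tree(topology, root):
    """Assumption: every AS forwards toward the honeypot prefix along a shortest
    path, so route propagation is modelled as a BFS tree rooted at the honeypot's
    AS. Returns a map AS -> next hop toward the root (None for the root)."""
    parent = {root: None}
    queue = deque([root])
    while queue:
        asn = queue.popleft()
        for neighbour in topology[asn]:
            if neighbour not in parent:
                parent[neighbour] = asn
                queue.append(neighbour)
    return parent


def children(parent):
    """Invert the next-hop map: AS -> ASes that forward through it."""
    kids = {}
    for asn, hop in parent.items():
        if hop is not None:
            kids.setdefault(hop, []).append(asn)
    return kids


def affected_by_poisoning(parent, poisoned):
    """ASes whose path to the honeypot traverses a poisoned AS. Assumption:
    poisoning AS X withdraws the honeypot route from X, so X and every AS
    behind it in the tree lose reachability for the duration of the probe."""
    affected = set()
    for asn in parent:
        hop = asn
        while hop is not None:
            if hop in poisoned:
                affected.add(asn)
                break
            hop = parent[hop]
    return affected


class Honeypot:
    """Oracle standing in for the honeypot's view: does spoofed traffic
    from the (unknown) true source still arrive while `poisoned` is in effect?"""

    def __init__(self, parent, true_source):
        self.parent = parent
        self.true_source = true_source
        self.probes = 0  # each probe costs one BGP poisoning round

    def still_sees_attack(self, poisoned):
        self.probes += 1
        return self.true_source not in affected_by_poisoning(self.parent, poisoned)


def traceback_linear(honeypot, candidates):
    """Naive scan of the whole AS space: poison each AS on its own. Every AS
    whose poisoning stops the attack is either forwarding or originating it."""
    implicated = [asn for asn in candidates if not honeypot.still_sees_attack({asn})]
    return sorted(implicated)


def traceback_guided(honeypot, kids, root):
    """Graph-guided descent: at each AS on the path, probe only its children.
    The child whose poisoning stops the attack is the next hop toward the
    origin; if no child stops it, the current AS is the origin itself."""
    path, current = [], root
    while True:
        next_hop = None
        for child in kids.get(current, []):
            if not honeypot.still_sees_attack({child}):
                next_hop = child
                break
        if next_hop is None:
            return current, path
        path.append(next_hop)
        current = next_hop


if __name__ == "__main__":
    parent = route_tree(TOPOLOGY, HONEYPOT_AS)
    naive = Honeypot(parent, true_source=312)
    print("naive:", traceback_linear(naive, [a for a in TOPOLOGY if a != HONEYPOT_AS]),
          "probes:", naive.probes)
    guided = Honeypot(parent, true_source=312)
    print("guided:", traceback_guided(guided, children(parent), HONEYPOT_AS),
          "probes:", guided.probes)
```

With the constructed source AS312, the naive scan needs eight probes and returns the full forwarding chain {300, 310, 312}, while the guided descent reaches the same origin in five probes, since each round only tests the ASes one hop further from the honeypot. The saving grows with the size of the AS space and the branching of the route tree, which is the effect the abstract reports as a median 5x speed-up.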
