

“poster” — 2017/6/16 — 11:50 — page 1 — #1

Detection and Mitigation of DDoS Attacks at Internet Exchange Points

Marcin Nawrocki, Matthias Wählisch {marcin.nawrocki, m.waehlisch}@fu-berlin.de

Freie Universität Berlin, Institut für Informatik, Germany

Research Problem: DDoS Attacks

Distributed Denial of Service

• Attempts to exhaust the resources of a target in order to disrupt the availability of Internet services

• Flooding of the target with a high volume of superfluous data packets from numerous sources

• Impact of DDoS attacks has increased recently due to millions of compromised IoT devices

Detection and Mitigation

• DDoS attacks are Internet-wide phenomena and cannot be detected or mitigated at a single domain

• Popular commercial DDoS protection solutions utilize distributed sensors to monitor the Internet

• Distributed systems impose a high configuration and maintenance effort


Background: Internet Exchange Points (IXP)

• Central infrastructures where heterogeneous domains intertwine in order to exchange Internet traffic

• IXPs are gaining importance in the Internet ecosystem

• IXPs provide a layer-2 switching fabric to which autonomous systems connect

• By design, IXPs improve the connectivity of their members and are envisaged as central vantage points that utilize their inter-domain perspective to improve security

[Diagram: member ASes ASx and ASy connect to the IXP switching fabric and to the IXP route server. Data plane input: sFlow, NetFlow. Control plane input: BGP data.]

Scalable Real-Time Analysis of Network Incidents at IXPs

Preliminary Results

Comparison: IXPs and Honeypots

[Fig. 1 plot: x-axis June 2016 (days), ticks 1 Jun to 29 Jun; y-axis Relative Ratio (Requests per IXP Member), 0.0 to 1.0; series: Large & Small IXP, Small IXP, Large IXP, Sum]

Fig. 1: Relative amount of malicious (honeypot) traffic which was initiated from an AS of an IXP member.

Detection of Known Incidents at IXPs

Fig. 2: Number of flows and distinct source/destination ASNs during the Telekom outage as seen by a small IXP.

Research Questions

1. Which resources and inter-domain knowledge can be instrumented by IXPs to detect DDoS attacks?

2. Do IXPs allow a detection of incidents that other tools are not capable of?

3. How can we mitigate DDoS attacks on the Internet as a whole and in sub-domains with the help of IXPs?

4. How can IXPs deal with recent DDoS trends such as attacks from massively distributed IoT botnets?

5. How can IXPs check the integrity of IP source addresses in order to prevent spoofing/amplification attacks?

6. Can we achieve better results by a close cooperation between several IXPs?

7. How do we produce precise real-time results, despite the high volume of traffic?
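The metric behind Fig. 2 (number of flows and distinct source/destination ASNs) and the source-address integrity check of research question 5 both need the same two IXP inputs named in the background section: the route server's BGP view (which member announces which prefixes) and sampled data-plane records from the switching fabric. The following is an added example, not code from the poster or its authors, that joins those inputs. The member ASNs, prefixes, port-to-member mapping, record layout and the sampled records themselves are all constructed for illustration.

```python
"""Added example (not part of the poster): join a route-server BGP table with
sampled flow records from an IXP fabric to (a) count flows and distinct
source/destination ASNs as in Fig. 2 and (b) flag records whose source
address is not covered by a prefix the ingress member announces, a simple
source-address integrity check in the spirit of research question 5.
All data below is constructed; nothing here is real IXP data."""
import ipaddress
from collections import defaultdict

# Constructed route-server view: member ASN -> prefixes it announces to the RS.
RS_TABLE = {
    64500: ["192.0.2.0/24"],
    64501: ["198.51.100.0/24", "198.51.100.128/25"],
    64502: ["203.0.113.0/24"],
}
# Constructed port assignment on the switching fabric: ingress port -> member ASN.
PORT_TO_MEMBER = {"eth1": 64500, "eth2": 64501, "eth3": 64502}

# Constructed sampled flow records (NetFlow/sFlow-style):
# (ingress_port, src_ip, dst_ip, bytes, sampling_rate)
SAMPLES = [
    ("eth1", "192.0.2.10",     "203.0.113.5", 1500, 1000),
    ("eth2", "198.51.100.7",   "203.0.113.5", 1500, 1000),
    ("eth2", "198.51.100.200", "203.0.113.5", 1500, 1000),
    ("eth1", "10.9.9.9",       "203.0.113.5",   60, 1000),  # source unknown to the RS
    ("eth3", "203.0.113.9",    "192.0.2.10",  1500, 1000),
    ("eth1", "198.51.100.7",   "203.0.113.5", 1500, 1000),  # AS64501 prefix on AS64500's port
]


def build_prefix_table(rs_table):
    """Flatten the route-server export into (network, asn) pairs, most specific first."""
    entries = [(ipaddress.ip_network(p), asn) for asn, ps in rs_table.items() for p in ps]
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries


def lookup_asn(prefix_table, ip):
    """Longest-prefix match of ip against the RS table; None if the IXP has no route."""
    addr = ipaddress.ip_address(ip)
    for net, asn in prefix_table:
        if addr in net:
            return asn
    return None


def analyse(samples, rs_table=RS_TABLE, port_to_member=PORT_TO_MEMBER):
    """Return Fig. 2-style counters plus a per-destination volume estimate and
    the list of records that fail the ingress source-address check."""
    table = build_prefix_table(rs_table)
    src_asns, dst_asns = set(), set()
    est_bytes_to = defaultdict(int)  # sampled bytes x sampling rate, per destination
    spoof_suspects = []              # (port, src_ip) whose source the member does not announce
    for port, src, dst, nbytes, rate in samples:
        src_asn = lookup_asn(table, src)
        dst_asn = lookup_asn(table, dst)
        if src_asn is not None:
            src_asns.add(src_asn)
        if dst_asn is not None:
            dst_asns.add(dst_asn)
        est_bytes_to[dst] += nbytes * rate
        # Source check: the member on this port should announce a prefix covering
        # the source. Caveat: members that announce less to the RS than they
        # originate (or that carry transit customers) produce false positives,
        # so this is an indicator for investigation, not a drop decision.
        if src_asn != port_to_member[port]:
            spoof_suspects.append((port, src))
    return {
        "flows": len(samples),
        "distinct_src_asns": len(src_asns),
        "distinct_dst_asns": len(dst_asns),
        "top_destination": max(est_bytes_to, key=est_bytes_to.get),
        "spoof_suspects": spoof_suspects,
    }


if __name__ == "__main__":
    print(analyse(SAMPLES))
```

On the constructed input the analysis reports six flows from three distinct source ASNs towards two destination ASNs, identifies 203.0.113.5 as the destination receiving by far the most estimated bytes, and flags two records on port eth1: one whose source is not routed at the IXP at all and one whose source belongs to a prefix announced by a different member. Only the route-server view is used for the prefix check, which is exactly why the false-positive caveat in the comment matters for real deployments.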

Practical Challenges

• Expensive analysis in terms of resources and time

• Privacy issues, since IXPs forward end-user data

• Conflicting business interests of members might emerge if data is not revealed thoughtfully, e.g. routing export policies

• IXPs serve their members and must not compete with them by similar services

• Legal rules may prohibit any kind of traffic analysis