Title: On the Feasibility of Rerouting-based DDoS Defenses
Authors: Muoi Tran, Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang
Reviewers: RB
- The authors analyze routing-around-congestion (RAC) mechanisms in depth.
- The authors demonstrate a new adaptive attack that defeats the RAC defense.
- To that end, the authors performed the first study measuring BGP poisoning.
- A comprehensive study of the RAC defense is given, including its shortcomings (e.g., path leakage occurs).
- A path leakage metric, intended to systematically diminish the likelihood of flooding attacks, is proposed and explored to construct the detour-learning attack. This attack supposedly defeats the RAC defense.
- Although a study on BGP poisoning is conducted, no further details are given concerning its effectiveness or specific purpose.
- The experimental evaluation, although based on representative numbers, has not been done in a real-world scenario: is an environment with 60k ASes, 1k of them critical, and 1k selected detours representative of reality?
- The study focuses solely on RAC, leaving other types of flood attacks (e.g., HTTP floods, slow attacks, or DNS query floods) out of scope.
- The authors conclude that RACs cannot adequately defend against flooding attacks; those require bandwidth isolation, which in turn requires coordination among ASes.
- Bandwidth isolation mechanisms guarantee high bandwidth availability but require global coordination between ASes. Nonetheless, the authors do not consider this a suitable solution to protect against flooding attacks, as "deploying such bandwidth isolation solution seems challenging." However, such coordination could be achieved by several ISPs working together.
- As the number of ASes to be poisoned diminishes, the length of the detour paths increases.
HTTP flood attacks and bandwidth isolation mechanisms:
H.-C. Hsiao, T. H.-J. Kim, S. Yoo, X. Zhang, S. B. Lee, V. Gligor, and A. Perrig, "STRIDE: Sanctuary trail – refuge from internet DDoS entrapment," in Proc. ACM Asia CCS, 2013.
C. Basescu, R. M. Reischuk, P. Szalachowski, A. Perrig, Y. Zhang, H.-C. Hsiao, A. Kubota, and J. Urakawa, "SIBRA: Scalable internet bandwidth reservation architecture," in Proc. NDSS, 2016.
- The authors focused on network-layer attacks. Other types of DDoS attacks, namely application-layer attacks, are also of interest, in particular HTTP flood attacks. HTTP flood attacks are volumetric attacks in which GET/POST requests are issued to saturate a server. Typically, POST requests are better from the attacker's perspective, as they can trigger complex server-side processing.
- Bandwidth isolation mechanisms are deemed effective against flooding attacks, under the assumption of global-scale ISP collaboration.
- As an interesting detail, the RAC protocol proposes poisoning all neighbors of the ASes on the detour path, which guarantees exclusive use of that detour path.
- The feasibility of DDoS defense mechanisms depends not solely on the protocol but also on the network operator communities.
- The minimization of path leakage is modeled as an optimization problem (min-cut) and solved using heuristics.