BGPeek-a-Boo: Active BGP-based Traceback for Amplification DDoS Attacks
This talk will take place on April 9th 2021 18:00 CET and will be held by Johannes Krupp from CISPA.
He will talk about reflective DDoS, which lets attackers hide behind IP spoofing, and explore how BGP poisoning can help trace back these attacks.
Abstract
The following abstract is from their research paper:
Amplification DDoS attacks inherently rely on IP spoofing to steer attack traffic to the victim. At the same time, IP spoofing undermines prosecution, as the originating attack infrastructure remains hidden. Researchers have therefore proposed various mechanisms to trace back amplification attacks (or IP-spoofed attacks in general). However, existing traceback techniques require either the cooperation of external parties or a priori knowledge about the attacker. We propose BGPEEK-A-BOO, a BGP-based approach to trace back amplification attacks to their origin network. BGPEEK-A-BOO monitors amplification attacks with honeypots and uses BGP poisoning to temporarily shut down ingress traffic from selected Autonomous Systems. By systematically probing the entire AS space, we detect systems forwarding and originating spoofed traffic. We then show how a graph-based model of BGP route propagation can reduce the search space, resulting in a 5× median speed-up and over 20× for 1/4 of all cases. BGPEEK-A-BOO achieves a unique traceback result 60% of the time in a simulation-based evaluation supported by real-world experiments.
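To make the search-space argument in the abstract concrete, the following is an added toy simulation; it is not code from the paper or from CISPA, and it does not reproduce the paper's actual algorithm. It assumes a small constructed AS-level graph in which the honeypot's network is AS "H", models a poisoned AS as one that simply stops forwarding traffic towards H (so every AS whose only routes to H run through it falls into its "shadow"), and uses the honeypot's observation "does spoofed traffic still arrive?" as the only oracle. Probing every AS in turn is compared against a greedy strategy that uses the route-propagation graph to pick the AS whose poisoning splits the remaining candidate origins most evenly, which is the kind of search-space reduction the abstract describes. Every AS name and edge below is constructed for the example.

```python
"""Toy model of honeypot-driven BGP-poisoning traceback (illustrative only)."""
from collections import deque

# Constructed AS-level graph: edge (a, b) means AS a forwards traffic towards b.
# "H" hosts the honeypot/amplifier that receives the spoofed requests.
EDGES = [
    ("A1", "T1"), ("A2", "T1"), ("A2", "T2"), ("A3", "T2"), ("A4", "T2"),
    ("A5", "T3"), ("A6", "T3"),
    ("T1", "C1"), ("T2", "C1"), ("T3", "C2"),
    ("C1", "H"), ("C2", "H"),
]
HONEYPOT = "H"


def build_graph(edges):
    """Adjacency sets; every AS appears as a key even if it has no out-edges."""
    g = {}
    for a, b in edges:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set())
    return g


def reaches(graph, src, dst, poisoned):
    """True if traffic from src still reaches dst while the ASes in `poisoned`
    have withdrawn their route towards dst (simplified poisoning model)."""
    if src in poisoned:
        return False
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in graph[node]:
            if nxt not in seen and nxt not in poisoned:
                seen.add(nxt)
                queue.append(nxt)
    return False


def shadow(graph, x, dst):
    """ASes whose traffic to dst is cut off when x is poisoned (x included)."""
    return {n for n in graph if n != dst and not reaches(graph, n, dst, {x})}


def pick_probe(cand, shadows):
    """Greedy choice: the AS whose shadow splits the candidate set most evenly.
    Returns (as_name, score); score 0 means no single probe narrows the set."""
    best, best_score = None, -1
    for x in sorted(cand):
        inside = len(cand & shadows[x])
        score = min(inside, len(cand) - inside)
        if score > best_score:
            best, best_score = x, score
    return best, best_score


def traceback(graph, dst, observe, strategy="graph"):
    """Narrow the set of possible origin ASes using the honeypot oracle
    `observe(poisoned) -> bool` (True if attack traffic still arrives).
    Returns (remaining candidates, list of probed ASes)."""
    shadows = {x: shadow(graph, x, dst) for x in graph if x != dst}
    cand = set(shadows)
    order = sorted(cand)          # fixed order for the naive strategy
    probes = []
    while len(cand) > 1:
        if strategy == "graph":
            x, score = pick_probe(cand, shadows)
            if score == 0:
                break             # result not unique with single-AS probes
        else:
            if not order:
                break
            x = order.pop(0)
        probes.append(x)
        if observe({x}):          # still arriving: origin is outside x's shadow
            cand -= shadows[x]
        else:                     # stopped: origin must lie inside x's shadow
            cand &= shadows[x]
    return cand, probes


GRAPH = build_graph(EDGES)


def simulate(origin, strategy="graph"):
    """Hidden attacker origin `origin` (constructed); the honeypot only sees
    whether spoofed traffic keeps arriving under a given poisoning."""
    oracle = lambda poisoned: reaches(GRAPH, origin, HONEYPOT, poisoned)
    return traceback(GRAPH, HONEYPOT, oracle, strategy)


if __name__ == "__main__":
    for origin in ("A6", "T3"):
        for strategy in ("naive", "graph"):
            cand, probes = simulate(origin, strategy)
            print(f"origin={origin:3} {strategy:5}: {len(probes)} probes -> {sorted(cand)}")
```

Running the block shows the transit AS T3 being identified as well as stub origins, matching the abstract's point that both forwarding and originating systems can be detected; the greedy strategy needs fewer probes than the naive sweep because each probe is chosen from the graph rather than blindly. Real BGP poisoning has many more failure modes (route filtering, path-length limits, stale routes) than this model, which is why the paper reports a unique result only part of the time.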
Errata
Contrary to the statement on slide 30, the resulting graphs are only rooted and directed, but not necessarily acyclic. They still provide all required properties.