Abstract
BGP blackholing is a common technique used to mitigate DDoS attacks. Generally, the victim sends in a request for traffic to the attacked IP(s) to be dropped. Unfortunately, remote parties may misuse blackholing [29, 57] and send requests for IPs they do not own, turning a defense technique into a new attack vector. As DDoS attacks grow in number, blackholing will only become more popular, creating a greater risk this service will be exploited. In this work, we develop a taxonomy of attacks combining hijacks with blackholing: BGP blackjacks (blackhole hijacks). We show that those attacks effectively grant more reach and stealth to the attacker than regular hijacks, and assess the usability of those attacks in various security deployments. We then find that routing security mechanisms for BGP [30, 31] do not provide an adequate protection against some of those attacks, and propose additional mechanisms to properly defend against or mitigate them.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
This might be changing as several IXPs now seem to implement ROV [3].
References
Akamai: Memcached-fueled 1.3 Tbps attacks, March 2018. https://blogs.akamai.com/2018/03/memcached-fueled-13-tbps-attacks.html. Accessed 29 Apr 2019
Pilosov, A., Kapela, T.: Stealing The Internet: An Internet-Scale Man In The Middle Attack, August 2008. https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf. Accessed 29 Apr 2019
Reuter, A., Bush, R., Katz-Bassett, E., Cunha, I., Schmidt, T.C., Wählisch, M.: Measuring Adoption of RPKI Route Origin Validation and Filtering, May 2018. https://ripe76.ripe.net/presentations/63-rov_filtering_update.pdf. Accessed 29 Apr 2019
Apostolaki, M., Zohar, A., Vanbever, L.: Hijacking bitcoin: routing attacks on cryptocurrencies. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 375–392. IEEE (2017)
Ballani, H., Francis, P., Zhang, X.: A study of prefix hijacking and interception in the Internet. ACM SIGCOMM Comput. Commun. Rev. 37(4), 265–276 (2007)
Brewster, T.: Cyber Attacks Strike Zimbabweans Around Controversial Election, August 2013. http://www.silicon.co.uk/workspace/zimbabwe-election-cyber-attacks-123938. Accessed 29 Apr 2019
Bush, R.: BGPsec Operational Considerations. BCP 211, RFC Editor, September 2017
Chandra, R., Traina, P., Li, T.: BGP Communities Attribute. RFC 1997, RFC Editor, August 1996
Cisco: Remotely Triggered Black Hole Filtering - Destination Based and Source Based (2005). https://www.cisco.com/c/dam/en/us/products/collateral/security/ios-network-foundation-protection-nfp/prod_white_paper0900aecd80313fac.pdf. Accessed 29 Apr 2019
Cohen, A., Gilad, Y., Herzberg, A., Schapira, M.: One hop for RPKI, one giant leap for BGP security. In: Proceedings of the 14th ACM Workshop on Hot Topics in Networks, p. 10. ACM (2015)
Cohen, A., Gilad, Y., Herzberg, A., Schapira, M.: Jumpstarting BGP security with path-end validation. In: Proceedings of the 2016 ACM SIGCOMM Conference, pp. 342–355. ACM (2016)
DE-CIX: DE-CIX Blackholing Service July 2018. https://www.de-cix.net/_Resources/Persistent/4277e7d4867a78ae923c0f5b3b66d7ff6aeb61f8/DE-CIX-Blackholing-Service.pdf. Accessed 29 Apr 2019; Slide 3
Dietzel, C., Feldmann, A., King, T.: Blackholing at IXPs: on the effectiveness of DDoS mitigation in the wild. In: Karagiannis, T., Dimitropoulos, X. (eds.) Passive and Active Measurement, pp. 319–332. Springer International Publishing, Cham (2016)
Dietzel, C., Smaragdakis, G., Wichtlhuber, M., Feldmann, A.: Stellar: network attack mitigation using advanced blackholing. In: Proceedings of the 14th International Conference on emerging Networking EXperiments and Technologies, pp. 152–164. ACM (2018)
Donnet, B., Bonaventure, O.: On BGP communities. ACM SIGCOMM Comput. Commun. Rev. 38(2), 55–59 (2008)
France-IX: France-IX Blackholing Service, July 2018. https://www.franceix.net/fr/technical/blackholing/. Accessed 29 Apr 2019
Gao, L., Griffin, T.G., Rexford, J.: Inherently safe backup routing with BGP. In: Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213), vol. 1, pp. 547–556. IEEE, April 2001. https://doi.org/10.1109/INFCOM.2001.916777
Gao, L., Rexford, J.: Stable Internet routing without global coordination. IEEE/ACM Trans. Netw. (TON) 9(6), 681–692 (2001)
Gilad, Y., Cohen, A., Herzberg, A., Schapira, M., Shulman, H.: Are We There Yet? On RPKI’s Deployment and Security. IACR Cryptology ePrint Archive 2016, 1010 (2016)
Gill, P., Schapira, M., Goldberg, S.: Let the market drive deployment: a strategy for transitioning to BGP security. ACM SIGCOMM Comput. Commun. Rev. 41(4), 14–25 (2011)
Giotsas, V., Dietzel, C., Smaragdakis, G., Feldmann, A., Berger, A., Aben, E.: Detecting peering infrastructure outages in the wild. In: Proceedings of the Conference of the ACM Special Interest Group on Data Communication, pp. 446–459. ACM (2017)
Giotsas, V., Smaragdakis, G., Dietzel, C., Richter, P., Feldmann, A., Berger, A.: Inferring BGP blackholing activity in the Internet. In: Proceedings of the 2017 Internet Measurement Conference, pp. 1–14. ACM (2017)
Greenberg, A.: Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins, August 2014. https://www.wired.com/2014/08/isp-bitcoin-theft/. Accessed 29 Apr 2019
Heitz, J., Snijders, J., Patel, K., Bagdonas, I., Hilliard, N.: BGP Large Communities Attribute. RFC 8092, RFC Editor, February 2017
Huston, G., Michaelson, G.: Validation of Route Origination Using the Resource Certificate Public Key Infrastructure (PKI) and Route Origin Authorizations (ROAs). RFC 6483, RFC Editor, February 2012
Iamartino, D., Pelsser, C., Bush, R.: Measuring BGP route origin registration and validation. In: Mirkovic, J., Liu, Y. (eds.) PAM 2015. LNCS, vol. 8995, pp. 28–40. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-15509-8_3
Kandagatla, N.: Disgruntled ex-employees, DDoS attacks and the revenge of the nerds. https://www.wittysparks.com/disgruntled-ex-employees-ddos-attacks-and-the-revenge-of-the-nerds/, November 2017. Accessed 29 Apr 2019
King, T., Dietzel, C., Snijders, J., Doering, G., Hankins, G.: BLACKHOLE Community. RFC 7999, RFC Editor, October 2016
Kumari, W., McPherson, D.: Remote Triggered Black Hole Filtering with Unicast Reverse Path Forwarding (uRPF). RFC 5635, RFC Editor, August 2009
Lepinski, M., Kent, S.: An Infrastructure to Support Secure Internet Routing. RFC 6480, RFC Editor, February 2012. http://www.rfc-editor.org/rfc/rfc6480.txt, http://www.rfc-editor.org/rfc/rfc6480.txt
Lepinski, M., Sriram, K.: BGPsec Protocol Specification. RFC 8205, RFC Editor, September 2017
Leyden, J.: US credit card firm fights DDoS attack, September 2004. http://www.theregister.co.uk/2004/09/23/authorize_ddos_attack/. Accessed 29 Apr 2019
Lychev, R., Goldberg, S., Schapira, M.: BGP security in partial deployment: is the juice worth the squeeze? SIGCOMM Comput. Commun. Rev. 43(4), 171–182 (2013). https://doi.org/10.1145/2534169.2486010
Madory, D.: BackConnect’s Suspicious BGP Hijacks, September 2016. https://dyn.com/blog/backconnects-suspicious-bgp-hijacks/. Accessed 29 Apr 2019
Madory, D.: Iran Leaks Censorship via BGP Hijacks, January 2017. https://dyn.com/blog/iran-leaks-censorship-via-bgp-hijacks/. Accessed 29 Apr 2019
Miller, L., Pelsser, C., Cateloin, S.: DDoS, BGP Leaks and Hijack Mitigation Techniques, August 2018. https://loicmiller.com/documents/hijack_ddos_mitigation.pdf. Accessed 29 Apr 2019
Mohapatra, P., Scudder, J., Ward, D., Bush, R., Austein, R.: BGP Prefix Origin Validation. RFC 6811, RFC Editor, January 2013. http://www.rfc-editor.org/rfc/rfc6811.txt, http://www.rfc-editor.org/rfc/rfc6811.txt
Morales, C.: NETSCOUT Arbor Confirms 1.7 Tbps DDoS Attack; The Terabit Attack Era Is Upon Us, March 2018. https://www.arbornetworks.com/blog/asert/netscout-arbor-confirms-1-7-tbps-ddos-attack-terabit-attack-era-upon-us/. Accessed 29 Apr 2019
National Institute of Standards and Technology: Global Prefix/Origin Validation using RPKI, April 2019. https://rpki-monitor.antd.nist.gov/. Accessed 29 Apr 2019
Newman, L.H.: The Botnet That Broke the Internet Isn’t Going Away, September 2016. https://www.wired.com/2016/12/botnet-broke-internet-isnt-going-away/. Accessed 29 Apr 2019
Pras, A., et al.: Attacks by “Anonymous” WikiLeaks Proponents not Anonymous (2010)
Prince, M.: The DDoS That Almost Broke the Internet, March 2013. https://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet/. Accessed 29 Apr 2019
Rekhter, Y., Li, T., Hares, S.: A Border Gateway Protocol 4 (BGP-4). RFC 4271, RFC Editor, January 2006. http://www.rfc-editor.org/rfc/rfc4271.txt
Reuter, A., Bush, R., Cunha, I., Katz-Bassett, E., Schmidt, T.C., Wählisch, M.: Towards a rigorous methodology for measuring adoption of RPKI route validation and filtering. ACM SIGCOMM Comput. Commun. Rev. 48(1), 19–27 (2018)
Reuter, A., Bush, R., Cunha, I., Katz-Bassett, E., Schmidt, T.C., Wählisch, M.: Measuring RPKI Route Origin Validation Deployment, April 2019. https://rov.rpki.net/. Accessed 29 Apr 2019
Reynolds, M., Turner, S., Kent, S.: A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests. RFC 8209, RFC Editor, September 2017
RIPE NCC: YouTube Hijacking: A RIPE NCC RIS case study, March 2008. https://www.ripe.net/publications/news/industry-developments/youtube-hijacking-a-ripe-ncc-ris-case-study. Accessed 29 Apr 2019
Rossow, C.: Amplification Hell: Revisiting Network Protocols for DDoS Abuse. In: NDSS (2014)
Ryba, F.J., Orlinski, M., Wählisch, M., Rossow, C., Schmidt, T.C.: Amplification and DRDoS attack defense-a survey and new perspectives. arXiv preprint arXiv:1505.07892 (2015)
Schlamp, J., Holz, R., Jacquemart, Q., Carle, G., Biersack, E.W.: HEAP: reliable assessment of BGP hijacking attacks. IEEE J. Sel. Areas Commun. 34(6), 1849–1861 (2016)
Sermpezis, P., Kotronis, V., Dainotti, A., Dimitropoulos, X.: A survey among network operators on BGP prefix hijacking. ACM SIGCOMM Comput. Commun. Rev. 48(1), 64–69 (2018)
Sermpezis, P., et al.: Artemis: neutralizing BGP hijacking within a minute. IEEE/ACM Trans. Netw. (TON) 26(6), 2471–2486 (2018)
Shi, X., Xiang, Y., Wang, Z., Yin, X., Wu, J.: Detecting prefix hijackings in the internet with argus. In: Proceedings of the 2012 Internet Measurement Conference, pp. 15–28. ACM (2012)
Streibelt, F., et al.: BGP communities: even more worms in the routing can. In: Proceedings of the Internet Measurement Conference 2018, pp. 279–292. ACM (2018)
Sun, Y., et al.: \(\{\)RAPTOR\(\}\): routing attacks on privacy in Tor. In: 24th \(\{\)USENIX\(\}\) Security Symposium (\(\{\)USENIX\(\}\) Security 15), pp. 271–286 (2015)
Tomlinson, K.: Cyber battle rages on Internet after arrest of cyber crime suspects, September 2016. http://www.archersecuritygroup.com/cyber-battle-rages-internet-arrest-cyber-crime-suspects/. Accessed 29 Apr 2019
Turk, D.: Configuring BGP to Block Denial-of-Service Attacks. RFC 3882, RFC Editor, September 2004
Vervier, P.A., et al.: Malicious BGP hijacks: appearances can be deceiving. In: 2014 IEEE International Conference on Communications (ICC), pp. 884–889. IEEE (2014)
Vervier, P.A., Thonnard, O., Dacier, M.: Mind Your Blocks: On the Stealthiness of Malicious BGP Hijacks. In: NDSS (2015)
Wählisch, M., Maennel, O., Schmidt, T.C.: Towards detecting BGP route hijacking using the RPKI. In: Proceedings of the ACM SIGCOMM 2012 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, pp. 103–104. Citeseer (2012)
Wählisch, M., Schmidt, R., Schmidt, T.C., Maennel, O., Uhlig, S., Tyson, G.: RiPKI: The tragic story of RPKI deployment in the Web ecosystem. In: Proceedings of the 14th ACM Workshop on Hot Topics in Networks. p. 11. ACM (2015)
Zheng, C., Ji, L., Pei, D., Wang, J., Francis, P.: A light-weight distributed scheme for detecting IP prefix hijacks in real-time. In: ACM SIGCOMM Computer Communication Review. vol. 37, pp. 277–288. ACM (2007)
Acknowledgments
This project has been made possible in part by a grant from the Cisco University Research Program Fund, an advised fund of Silicon Valley Community Foundation.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Miller, L., Pelsser, C. (2019). A Taxonomy of Attacks Using BGP Blackholing. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science(), vol 11735. Springer, Cham. https://doi.org/10.1007/978-3-030-29959-0_6
Download citation
DOI: https://doi.org/10.1007/978-3-030-29959-0_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29958-3
Online ISBN: 978-3-030-29959-0
eBook Packages: Computer ScienceComputer Science (R0)