Skip to main content
SpringerLink
Log in

A Taxonomy of Attacks Using BGP Blackholing

  • Conference paper
  • First Online:
Computer Security – ESORICS 2019 (ESORICS 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11735))

Included in the following conference series:

Abstract

BGP blackholing is a common technique used to mitigate DDoS attacks. Generally, the victim sends in a request for traffic to the attacked IP(s) to be dropped. Unfortunately, remote parties may misuse blackholing [29, 57] and send requests for IPs they do not own, turning a defense technique into a new attack vector. As DDoS attacks grow in number, blackholing will only become more popular, creating a greater risk this service will be exploited. In this work, we develop a taxonomy of attacks combining hijacks with blackholing: BGP blackjacks (blackhole hijacks). We show that those attacks effectively grant more reach and stealth to the attacker than regular hijacks, and assess the usability of those attacks in various security deployments. We then find that routing security mechanisms for BGP [30, 31] do not provide an adequate protection against some of those attacks, and propose additional mechanisms to properly defend against or mitigate them.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    This might be changing as several IXPs now seem to implement ROV [3].

References

  1. Akamai: Memcached-fueled 1.3 Tbps attacks, March 2018. https://blogs.akamai.com/2018/03/memcached-fueled-13-tbps-attacks.html. Accessed 29 Apr 2019

  2. Pilosov, A., Kapela, T.: Stealing The Internet: An Internet-Scale Man In The Middle Attack, August 2008. https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf. Accessed 29 Apr 2019

  3. Reuter, A., Bush, R., Katz-Bassett, E., Cunha, I., Schmidt, T.C., Wählisch, M.: Measuring Adoption of RPKI Route Origin Validation and Filtering, May 2018. https://ripe76.ripe.net/presentations/63-rov_filtering_update.pdf. Accessed 29 Apr 2019

  4. Apostolaki, M., Zohar, A., Vanbever, L.: Hijacking bitcoin: routing attacks on cryptocurrencies. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 375–392. IEEE (2017)

    Google Scholar 

  5. Ballani, H., Francis, P., Zhang, X.: A study of prefix hijacking and interception in the Internet. ACM SIGCOMM Comput. Commun. Rev. 37(4), 265–276 (2007)

    Article  Google Scholar 

  6. Brewster, T.: Cyber Attacks Strike Zimbabweans Around Controversial Election, August 2013. http://www.silicon.co.uk/workspace/zimbabwe-election-cyber-attacks-123938. Accessed 29 Apr 2019

  7. Bush, R.: BGPsec Operational Considerations. BCP 211, RFC Editor, September 2017

    Google Scholar 

  8. Chandra, R., Traina, P., Li, T.: BGP Communities Attribute. RFC 1997, RFC Editor, August 1996

    Google Scholar 

  9. Cisco: Remotely Triggered Black Hole Filtering - Destination Based and Source Based (2005). https://www.cisco.com/c/dam/en/us/products/collateral/security/ios-network-foundation-protection-nfp/prod_white_paper0900aecd80313fac.pdf. Accessed 29 Apr 2019

  10. Cohen, A., Gilad, Y., Herzberg, A., Schapira, M.: One hop for RPKI, one giant leap for BGP security. In: Proceedings of the 14th ACM Workshop on Hot Topics in Networks, p. 10. ACM (2015)

    Google Scholar 

  11. Cohen, A., Gilad, Y., Herzberg, A., Schapira, M.: Jumpstarting BGP security with path-end validation. In: Proceedings of the 2016 ACM SIGCOMM Conference, pp. 342–355. ACM (2016)

    Google Scholar 

  12. DE-CIX: DE-CIX Blackholing Service July 2018. https://www.de-cix.net/_Resources/Persistent/4277e7d4867a78ae923c0f5b3b66d7ff6aeb61f8/DE-CIX-Blackholing-Service.pdf. Accessed 29 Apr 2019; Slide 3

  13. Dietzel, C., Feldmann, A., King, T.: Blackholing at IXPs: on the effectiveness of DDoS mitigation in the wild. In: Karagiannis, T., Dimitropoulos, X. (eds.) Passive and Active Measurement, pp. 319–332. Springer International Publishing, Cham (2016)

    Chapter  Google Scholar 

  14. Dietzel, C., Smaragdakis, G., Wichtlhuber, M., Feldmann, A.: Stellar: network attack mitigation using advanced blackholing. In: Proceedings of the 14th International Conference on emerging Networking EXperiments and Technologies, pp. 152–164. ACM (2018)

    Google Scholar 

  15. Donnet, B., Bonaventure, O.: On BGP communities. ACM SIGCOMM Comput. Commun. Rev. 38(2), 55–59 (2008)

    Article  Google Scholar 

  16. France-IX: France-IX Blackholing Service, July 2018. https://www.franceix.net/fr/technical/blackholing/. Accessed 29 Apr 2019

  17. Gao, L., Griffin, T.G., Rexford, J.: Inherently safe backup routing with BGP. In: Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213), vol. 1, pp. 547–556. IEEE, April 2001. https://doi.org/10.1109/INFCOM.2001.916777

  18. Gao, L., Rexford, J.: Stable Internet routing without global coordination. IEEE/ACM Trans. Netw. (TON) 9(6), 681–692 (2001)

    Article  Google Scholar 

  19. Gilad, Y., Cohen, A., Herzberg, A., Schapira, M., Shulman, H.: Are We There Yet? On RPKI’s Deployment and Security. IACR Cryptology ePrint Archive 2016, 1010 (2016)

    Google Scholar 

  20. Gill, P., Schapira, M., Goldberg, S.: Let the market drive deployment: a strategy for transitioning to BGP security. ACM SIGCOMM Comput. Commun. Rev. 41(4), 14–25 (2011)

    Article  Google Scholar 

  21. Giotsas, V., Dietzel, C., Smaragdakis, G., Feldmann, A., Berger, A., Aben, E.: Detecting peering infrastructure outages in the wild. In: Proceedings of the Conference of the ACM Special Interest Group on Data Communication, pp. 446–459. ACM (2017)

    Google Scholar 

  22. Giotsas, V., Smaragdakis, G., Dietzel, C., Richter, P., Feldmann, A., Berger, A.: Inferring BGP blackholing activity in the Internet. In: Proceedings of the 2017 Internet Measurement Conference, pp. 1–14. ACM (2017)

    Google Scholar 

  23. Greenberg, A.: Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins, August 2014. https://www.wired.com/2014/08/isp-bitcoin-theft/. Accessed 29 Apr 2019

  24. Heitz, J., Snijders, J., Patel, K., Bagdonas, I., Hilliard, N.: BGP Large Communities Attribute. RFC 8092, RFC Editor, February 2017

    Google Scholar 

  25. Huston, G., Michaelson, G.: Validation of Route Origination Using the Resource Certificate Public Key Infrastructure (PKI) and Route Origin Authorizations (ROAs). RFC 6483, RFC Editor, February 2012

    Google Scholar 

  26. Iamartino, D., Pelsser, C., Bush, R.: Measuring BGP route origin registration and validation. In: Mirkovic, J., Liu, Y. (eds.) PAM 2015. LNCS, vol. 8995, pp. 28–40. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-15509-8_3

    Chapter  Google Scholar 

  27. Kandagatla, N.: Disgruntled ex-employees, DDoS attacks and the revenge of the nerds. https://www.wittysparks.com/disgruntled-ex-employees-ddos-attacks-and-the-revenge-of-the-nerds/, November 2017. Accessed 29 Apr 2019

  28. King, T., Dietzel, C., Snijders, J., Doering, G., Hankins, G.: BLACKHOLE Community. RFC 7999, RFC Editor, October 2016

    Google Scholar 

  29. Kumari, W., McPherson, D.: Remote Triggered Black Hole Filtering with Unicast Reverse Path Forwarding (uRPF). RFC 5635, RFC Editor, August 2009

    Google Scholar 

  30. Lepinski, M., Kent, S.: An Infrastructure to Support Secure Internet Routing. RFC 6480, RFC Editor, February 2012. http://www.rfc-editor.org/rfc/rfc6480.txt, http://www.rfc-editor.org/rfc/rfc6480.txt

  31. Lepinski, M., Sriram, K.: BGPsec Protocol Specification. RFC 8205, RFC Editor, September 2017

    Google Scholar 

  32. Leyden, J.: US credit card firm fights DDoS attack, September 2004. http://www.theregister.co.uk/2004/09/23/authorize_ddos_attack/. Accessed 29 Apr 2019

  33. Lychev, R., Goldberg, S., Schapira, M.: BGP security in partial deployment: is the juice worth the squeeze? SIGCOMM Comput. Commun. Rev. 43(4), 171–182 (2013). https://doi.org/10.1145/2534169.2486010

    Article  Google Scholar 

  34. Madory, D.: BackConnect’s Suspicious BGP Hijacks, September 2016. https://dyn.com/blog/backconnects-suspicious-bgp-hijacks/. Accessed 29 Apr 2019

  35. Madory, D.: Iran Leaks Censorship via BGP Hijacks, January 2017. https://dyn.com/blog/iran-leaks-censorship-via-bgp-hijacks/. Accessed 29 Apr 2019

  36. Miller, L., Pelsser, C., Cateloin, S.: DDoS, BGP Leaks and Hijack Mitigation Techniques, August 2018. https://loicmiller.com/documents/hijack_ddos_mitigation.pdf. Accessed 29 Apr 2019

  37. Mohapatra, P., Scudder, J., Ward, D., Bush, R., Austein, R.: BGP Prefix Origin Validation. RFC 6811, RFC Editor, January 2013. http://www.rfc-editor.org/rfc/rfc6811.txt, http://www.rfc-editor.org/rfc/rfc6811.txt

  38. Morales, C.: NETSCOUT Arbor Confirms 1.7 Tbps DDoS Attack; The Terabit Attack Era Is Upon Us, March 2018. https://www.arbornetworks.com/blog/asert/netscout-arbor-confirms-1-7-tbps-ddos-attack-terabit-attack-era-upon-us/. Accessed 29 Apr 2019

  39. National Institute of Standards and Technology: Global Prefix/Origin Validation using RPKI, April 2019. https://rpki-monitor.antd.nist.gov/. Accessed 29 Apr 2019

  40. Newman, L.H.: The Botnet That Broke the Internet Isn’t Going Away, September 2016. https://www.wired.com/2016/12/botnet-broke-internet-isnt-going-away/. Accessed 29 Apr 2019

  41. Pras, A., et al.: Attacks by “Anonymous” WikiLeaks Proponents not Anonymous (2010)

    Google Scholar 

  42. Prince, M.: The DDoS That Almost Broke the Internet, March 2013. https://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet/. Accessed 29 Apr 2019

  43. Rekhter, Y., Li, T., Hares, S.: A Border Gateway Protocol 4 (BGP-4). RFC 4271, RFC Editor, January 2006. http://www.rfc-editor.org/rfc/rfc4271.txt

  44. Reuter, A., Bush, R., Cunha, I., Katz-Bassett, E., Schmidt, T.C., Wählisch, M.: Towards a rigorous methodology for measuring adoption of RPKI route validation and filtering. ACM SIGCOMM Comput. Commun. Rev. 48(1), 19–27 (2018)

    Article  Google Scholar 

  45. Reuter, A., Bush, R., Cunha, I., Katz-Bassett, E., Schmidt, T.C., Wählisch, M.: Measuring RPKI Route Origin Validation Deployment, April 2019. https://rov.rpki.net/. Accessed 29 Apr 2019

  46. Reynolds, M., Turner, S., Kent, S.: A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests. RFC 8209, RFC Editor, September 2017

    Google Scholar 

  47. RIPE NCC: YouTube Hijacking: A RIPE NCC RIS case study, March 2008. https://www.ripe.net/publications/news/industry-developments/youtube-hijacking-a-ripe-ncc-ris-case-study. Accessed 29 Apr 2019

  48. Rossow, C.: Amplification Hell: Revisiting Network Protocols for DDoS Abuse. In: NDSS (2014)

    Google Scholar 

  49. Ryba, F.J., Orlinski, M., Wählisch, M., Rossow, C., Schmidt, T.C.: Amplification and DRDoS attack defense-a survey and new perspectives. arXiv preprint arXiv:1505.07892 (2015)

  50. Schlamp, J., Holz, R., Jacquemart, Q., Carle, G., Biersack, E.W.: HEAP: reliable assessment of BGP hijacking attacks. IEEE J. Sel. Areas Commun. 34(6), 1849–1861 (2016)

    Article  Google Scholar 

  51. Sermpezis, P., Kotronis, V., Dainotti, A., Dimitropoulos, X.: A survey among network operators on BGP prefix hijacking. ACM SIGCOMM Comput. Commun. Rev. 48(1), 64–69 (2018)

    Article  Google Scholar 

  52. Sermpezis, P., et al.: Artemis: neutralizing BGP hijacking within a minute. IEEE/ACM Trans. Netw. (TON) 26(6), 2471–2486 (2018)

    Article  Google Scholar 

  53. Shi, X., Xiang, Y., Wang, Z., Yin, X., Wu, J.: Detecting prefix hijackings in the internet with argus. In: Proceedings of the 2012 Internet Measurement Conference, pp. 15–28. ACM (2012)

    Google Scholar 

  54. Streibelt, F., et al.: BGP communities: even more worms in the routing can. In: Proceedings of the Internet Measurement Conference 2018, pp. 279–292. ACM (2018)

    Google Scholar 

  55. Sun, Y., et al.: \(\{\)RAPTOR\(\}\): routing attacks on privacy in Tor. In: 24th \(\{\)USENIX\(\}\) Security Symposium (\(\{\)USENIX\(\}\) Security 15), pp. 271–286 (2015)

    Google Scholar 

  56. Tomlinson, K.: Cyber battle rages on Internet after arrest of cyber crime suspects, September 2016. http://www.archersecuritygroup.com/cyber-battle-rages-internet-arrest-cyber-crime-suspects/. Accessed 29 Apr 2019

  57. Turk, D.: Configuring BGP to Block Denial-of-Service Attacks. RFC 3882, RFC Editor, September 2004

    Google Scholar 

  58. Vervier, P.A., et al.: Malicious BGP hijacks: appearances can be deceiving. In: 2014 IEEE International Conference on Communications (ICC), pp. 884–889. IEEE (2014)

    Google Scholar 

  59. Vervier, P.A., Thonnard, O., Dacier, M.: Mind Your Blocks: On the Stealthiness of Malicious BGP Hijacks. In: NDSS (2015)

    Google Scholar 

  60. Wählisch, M., Maennel, O., Schmidt, T.C.: Towards detecting BGP route hijacking using the RPKI. In: Proceedings of the ACM SIGCOMM 2012 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, pp. 103–104. Citeseer (2012)

    Google Scholar 

  61. Wählisch, M., Schmidt, R., Schmidt, T.C., Maennel, O., Uhlig, S., Tyson, G.: RiPKI: The tragic story of RPKI deployment in the Web ecosystem. In: Proceedings of the 14th ACM Workshop on Hot Topics in Networks. p. 11. ACM (2015)

    Google Scholar 

  62. Zheng, C., Ji, L., Pei, D., Wang, J., Francis, P.: A light-weight distributed scheme for detecting IP prefix hijacks in real-time. In: ACM SIGCOMM Computer Communication Review. vol. 37, pp. 277–288. ACM (2007)

    Article  Google Scholar 

Download references

Acknowledgments

This project has been made possible in part by a grant from the Cisco University Research Program Fund, an advised fund of Silicon Valley Community Foundation.

Author information

Authors and Affiliations

  1. University of Strasbourg, 4 Rue Blaise Pascal, 67081, Strasbourg, France

    Loïc Miller & Cristel Pelsser

Authors
  1. Loïc Miller
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Cristel Pelsser
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Loïc Miller .

Editor information

Editors and Affiliations

  1. NEC Corporation, Kawasaki, Japan

    Kazue Sako

  2. University of Surrey, Guildford, UK

    Steve Schneider

  3. University of Luxembourg, Esch-sur-Alzette, Luxembourg

    Peter Y. A. Ryan

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Miller, L., Pelsser, C. (2019). A Taxonomy of Attacks Using BGP Blackholing. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science(), vol 11735. Springer, Cham. https://doi.org/10.1007/978-3-030-29959-0_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-29959-0_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-29958-3

  • Online ISBN: 978-3-030-29959-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation