# The Maestro Attack: Orchestrating Malicious Flows with BGP

**Authors:** Tyler McDaniel, Jared M. Smith, Max Schuchard

arXiv: 1905.07673 · 2019-05-21

## TL;DR

The paper introduces the Maestro attack, a new BGP-based link flooding method that can significantly amplify DDoS attacks by manipulating routing, with small ASes capable of executing devastating attacks and offering mitigation strategies.

## Contribution

It presents the Maestro attack, demonstrating how control-plane traffic engineering can be exploited to concentrate malicious flows and significantly increase attack impact.

## Key findings

- Maestro attack can increase DDoS flow density by over 30%.
- Small ASes can execute devastating attacks on core links.
- Effective mitigations for network operators are proposed.

## Abstract

We present the Maestro attack, a novel Link Flooding Attack (LFA) that leverages control-plane traffic engineering techniques to concentrate botnet-sourced Distributed Denial of Service flows on transit links. Executed from a compromised or malicious Autonomous System (AS), Maestro advertises specific-prefix routes poisoned for selected ASes to collapse inbound traffic paths onto a single target link. A greedy heuristic fed by publicly available AS relationship data iteratively builds the set of ASes to poison. Given a compromised BGP speaker with advantageous positioning relative to the target link in the Internet topology, an adversary can expect to enhance total flow density by more than 30%. For a large botnet (e.g., Mirai), that translates to augmenting a DDoS by more than a million additional infected hosts. Interestingly, the size of the adversary-controlled AS plays little role in this amplification effect. Devastating attacks on core links can be executed by small, resource-limited ASes. To understand the scope of the attack, we evaluate widespread Internet link vulnerability across several metrics, including BGP betweenness and botnet flow density. We then assess where an adversary must be positioned to execute the attack most successfully. Finally, we present effective mitigations for network operators seeking to insulate themselves from this attack.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1905.07673/full.md

## Figures

57 figures with captions in the complete paper: https://tomesphere.com/paper/1905.07673/full.md

## References

51 references — full list in the complete paper: https://tomesphere.com/paper/1905.07673/full.md

---
Source: https://tomesphere.com/paper/1905.07673