Anycast Agility: Network Playbooks to Fight DDoS

TL;DR

This paper introduces systematic methods and a response playbook for network operators to effectively manage DDoS attacks using IP anycast, including estimating attack size and understanding deployment constraints.

Contribution

It presents a novel systematic approach and playbook for using BGP to respond to DDoS attacks with insights into attack size estimation and deployment constraints.

Findings

A set of BGP-based response methods for DDoS mitigation

A new technique to estimate true attack size during attacks

Analysis of how deployment constrains response options

Abstract

IP anycast is used for services such as DNS and Content Delivery Networks (CDN) to provide the capacity to handle Distributed Denial-of-Service (DDoS) attacks. During a DDoS attack service operators redistribute traffic between anycast sites to take advantage of sites with unused or greater capacity. Depending on site traffic and attack size, operators may instead concentrate attackers in a few sites to preserve operation in others. Operators use these actions during attacks, but how to do so has not been described systematically or publicly. This paper describes several methods to use BGP to shift traffic when under DDoS, and shows that a response playbook can provide a menu of responses that are options during an attack. To choose an appropriate response from this playbook, we also describe a new method to estimate true attack size, even though the operator's view during the attack is incomplete. Finally, operator choices are constrained by distributed routing policies, and not all are helpful. We explore how specific anycast deployment can constrain options in this playbook, and are the first to measure how generally applicable they are across multiple anycast networks.