BGPeek-a-Boo: Active BGP-based Traceback for Amplification DDoS Attacks
Johannes Krupp, Christian Rossow

TL;DR
BGPeek-a-Boo is a BGP-based traceback method that identifies the origin of amplification DDoS attacks by monitoring honeypots and using BGP poisoning, significantly improving traceback speed and accuracy.
Contribution
It introduces a novel BGP-based traceback technique that does not require attacker cooperation or prior knowledge, utilizing BGP poisoning and graph models for efficient attack origin detection.
Findings
Achieves a 5x median speed-up in traceback
Detects attack origins with over 60% success in simulations
Reduces search space by over 20x using BGP graph models
Abstract
Amplification DDoS attacks inherently rely on IP spoofing to steer attack traffic to the victim. At the same time, IP spoofing undermines prosecution, as the originating attack infrastructure remains hidden. Researchers have therefore proposed various mechanisms to trace back amplification attacks (or IP-spoofed attacks in general). However, existing traceback techniques require either the cooperation of external parties or a priori knowledge about the attacker. We propose BGPeek-a-Boo, a BGP-based approach to trace back amplification attacks to their origin network. BGPeek-a-Boo monitors amplification attacks with honeypots and uses BGP poisoning to temporarily shut down ingress traffic from selected Autonomous Systems. By systematically probing the entire AS space, we detect systems forwarding and originating spoofed traffic. We then show how a graph-based model of BGP route…
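The probing loop the abstract describes, as an added toy simulation that is not the paper's code: it assumes a constructed BGP view (NEXT_HOP) in which every AS has a single best path to the honeypot AS "H", so the routes form a tree, and that poisoning an AS removes reachability for that AS and everything routing through it. The balanced-split search over that tree is a simplified illustration of how a graph model of the routes shrinks the candidate set, not the algorithm from the paper.

```python
"""Toy model of BGP-poisoning traceback (added illustration, not the paper's code).

Assumptions, all constructed for this example: each AS has exactly one best
path towards the honeypot AS "H" (the routes form a tree rooted at H), and
poisoning an AS cuts off that AS plus every AS whose path traverses it.
"""

# Constructed BGP view: next hop of each AS on its best path towards "H".
NEXT_HOP = {
    "AS1": "AS10", "AS2": "AS10", "AS3": "AS11", "AS4": "AS11",
    "AS5": "AS12", "AS6": "AS13",
    "AS10": "AS100", "AS11": "AS100", "AS12": "AS101", "AS13": "AS101",
    "AS100": "H", "AS101": "H",
}
HONEYPOT = "H"


def as_path(asn):
    """AS path from `asn` to the honeypot, e.g. ['AS3', 'AS11', 'AS100', 'H']."""
    path = [asn]
    while path[-1] != HONEYPOT:
        path.append(NEXT_HOP[path[-1]])
    return path


def behind(asn):
    """Every AS whose path to the honeypot traverses `asn` (including asn itself)."""
    return {a for a in NEXT_HOP if asn in as_path(a)}


class Honeypot:
    """Simulated amplifier honeypot; the attack origin is hidden from the tracer."""

    def __init__(self, origin):
        self._origin = origin
        self.probes = []  # ASes poisoned so far (audit trail of the search)

    def traffic_arrives_while_poisoning(self, asn):
        """Poison `asn` (announce the honeypot prefix with `asn` in the AS path so
        its loop detection drops the route) and report whether spoofed traffic
        still reaches the honeypot during the poisoning window."""
        self.probes.append(asn)
        return asn not in as_path(self._origin)


def traceback(honeypot):
    """Locate the origin AS with a decision-tree search over the route graph.

    Each probe splits the candidate set into 'behind the poisoned AS' and
    'not behind it'; picking the most balanced split needs about log2(N) probes
    instead of one probe per candidate AS.
    """
    candidates = set(NEXT_HOP)  # every AS that can reach the honeypot at all
    while len(candidates) > 1:
        best = None
        for asn in sorted(NEXT_HOP):  # sorted order makes tie-breaking deterministic
            inside = behind(asn) & candidates
            if not inside or inside == candidates:
                continue  # this probe would not narrow the candidate set
            score = max(len(inside), len(candidates) - len(inside))
            if best is None or score < best[0]:
                best = (score, asn, inside)
        _, asn, inside = best
        if honeypot.traffic_arrives_while_poisoning(asn):
            candidates -= inside  # origin does not route through asn
        else:
            candidates = inside  # origin sits behind asn
    return candidates.pop(), len(honeypot.probes)


if __name__ == "__main__":
    origin, probes = traceback(Honeypot("AS3"))
    print(f"origin={origin} probes={probes} candidates={len(NEXT_HOP)}")
```

With the constructed tree of 12 candidate ASes, the search pins the origin down in four poisoning rounds; a linear sweep would need up to one round per candidate, which is the kind of search-space reduction the route-graph model is meant to provide.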
