How incumbents can collectively fight DDOS attacks

A DDOS can hit your network like a tsunami. Recently, I had the pleasure of designing and integrating a solution that can automatically thwart a DDOS attack by making use of a third party scrubbing center and a GenieATM.

In short, you announce all of your prefixes to your regular peers and IP transits, through which the normal inbound traffic arrives. Whenever a subnet is suffering from a DDOS, you additionally announce that subnet to the third party scrubbing center. Inbound traffic towards the attacked subnet will then come through the scrubbing center, where it is cleaned.

There are two interesting parts that I’ll get into: the scrubbing center and the GenieNetworks solution. Let’s start by zooming into the third party scrubbing center setup. The scrubbing center has its own AS, routers and IP transits.

By joining a private VLAN on AMS-IX (or another IX), ISPs can engage in peering activities with the (shared) scrubbing center. Through these peering sessions, prefixes suffering from a DDOS can be advertised to the routers of the scrubbing center. This prefix has to be a /24 (or an IPv6 /48) and it has to be more specific than the subnet you are currently advertising yourself (the Internet will follow the most specific route).

Inside the network of the scrubbing center AS, there are various anti-DDOS solutions that can scrub (or clean) traffic. Putting it into a picture, it would look something like this during a DDOS attack:

The blue router is advertising its public prefix to its ‘regular’ peers and IP transits. So in the above example, legitimate inbound traffic that is not suffering from a DDOS follows the green line from the left.

During a DDOS attack, the subnet suffering the attack will be advertised by the blue router towards the scrubbing center. The scrubbing center will then advertise this more-specific route towards its peers and transits and attract all DDOS traffic. This is represented by the red line.

The Internet-facing router located in the scrubbing center will forward inbound traffic towards the scrubbers. These devices will filter out the illegitimate traffic and forward the cleaned traffic to your AS via the AMS-IX connected router.

This can work by simply logging in to the blue router and making it advertise the prefix under attack to the scrubbing center manually. This manual approach does have two downsides: it’s slower and it’s more error-prone.

The GenieATM solution can solve these two concerns. The GenieATM can collect flow-data from the Internet edge, where I had several MX routers configured to supply the GenieATM collector with IPFIX.

Based on the IPFIX data, the GenieATM can build up a clear overview of what is happening on the network. As an added bonus, this data can be presented in periodic reports, which offer tremendous insight into what is happening on your network.

The GenieATM can also set up peering sessions with BGP-speaking routers. These sessions can be used to automatically redirect traffic to a scrubbing center. By configuring a blackhole policy in the BGP Diversion menu, you can make the Genie perform an action based on the traffic measurements.

These policies offer a lot of granularity. For example, you can create a policy with specific bandwidth thresholds for a /29. As soon as those criteria are met, you can make the Genie advertise a /24 subnet.
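To make the decision logic concrete, here is an added example (my own code, not the GenieATM's or anything from the post) that reproduces the policy just described in plain Python: flow records are aggregated per /29, a bandwidth threshold is applied, and a hit is turned into the /24 (or IPv6 /48) that would be announced to the scrubbing center. It also enforces the earlier requirement that the diverted prefix must be more specific than what you already announce yourself. The prefixes, the 500 Mbit/s threshold, the /64 granularity for IPv6 and the flow records are all constructed for the example; IPFIX decoding and the actual BGP announcement are assumed to happen elsewhere.

```python
import ipaddress
from collections import defaultdict

# Prefixes the blue router already announces to regular peers and transits (constructed values).
ANNOUNCED = [ipaddress.ip_network("203.0.112.0/22"), ipaddress.ip_network("2001:db8::/32")]

# Prefix lengths the scrubbing center accepts for a diversion (from the post: /24, IPv6 /48).
DIVERT_LEN = {4: 24, 6: 48}

# Granularity of the measurement policy (/29 as in the post; /64 for IPv6 is my assumption).
MONITOR_LEN = {4: 29, 6: 64}

# Bandwidth threshold of the policy; a constructed value.
THRESHOLD_BPS = 500_000_000  # 500 Mbit/s


def bucket_bps(flows, window_s):
    """Aggregate decoded flow records into bits per second per monitored sub-block.

    Each record is a dict with 'dst_ip' and 'bytes' (already decoded from IPFIX;
    decoding itself is out of scope here). window_s is the collection interval.
    """
    bits = defaultdict(int)
    for flow in flows:
        ip = ipaddress.ip_address(flow["dst_ip"])
        block = ipaddress.ip_network(f"{ip}/{MONITOR_LEN[ip.version]}", strict=False)
        bits[block] += flow["bytes"] * 8
    return {block: total / window_s for block, total in bits.items()}


def divert_prefix(victim, announced=ANNOUNCED):
    """Turn a sub-block under attack into the prefix to announce to the scrubbing center.

    Enforces the two conditions from the post: the diverted prefix must be a /24 (or /48),
    and it must be more specific than what we already announce ourselves, otherwise the
    Internet keeps following our regular route and the scrubbing center attracts nothing.
    """
    prefix = ipaddress.ip_network(
        f"{victim.network_address}/{DIVERT_LEN[victim.version]}", strict=False
    )
    covering = [a for a in announced if a.version == prefix.version and prefix.subnet_of(a)]
    if not covering:
        raise ValueError(f"{prefix} is not inside any prefix we announce")
    if any(prefix.prefixlen <= a.prefixlen for a in covering):
        raise ValueError(f"{prefix} is not more specific than our regular announcement")
    return prefix


def decide(flows, window_s):
    """Apply the policy: return the sorted list of prefixes to divert for this window."""
    rates = bucket_bps(flows, window_s)
    return sorted(
        {divert_prefix(block) for block, bps in rates.items() if bps >= THRESHOLD_BPS},
        key=str,
    )


# Constructed sample: one minute of flow records, with a flood towards 203.0.113.77
# and 2001:db8:1::5, plus some ordinary traffic towards 203.0.114.10.
SAMPLE_FLOWS = (
    [{"dst_ip": "203.0.113.77", "bytes": 400_000_000}] * 10
    + [{"dst_ip": "2001:db8:1::5", "bytes": 4_000_000_000}]
    + [{"dst_ip": "203.0.114.10", "bytes": 1_500}]
)

if __name__ == "__main__":
    for prefix in decide(SAMPLE_FLOWS, window_s=60):
        print(f"announce {prefix} to the scrubbing center")
```

Running it on the sample prints `2001:db8:1::/48` and `203.0.113.0/24`, while the low-volume /29 is left alone. The more-specific check in `divert_prefix` is the part worth keeping in any real automation: if your regular announcement is already a /24, announcing the same /24 to the scrubbing center does not pull traffic anywhere, and the function refuses instead of silently doing nothing.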

Having performed several successful tests, I am currently finishing up this project. During the testing, I have been able to automatically detect a DDOS in about 30 to 60 seconds. The only thing left to do is figure out how far I can drive this number down and try to make some products using both the Genie and the scrubbing center.

Hopefully, I have broadened your horizon and given you something to think about.