Oct 15 – 16, 2016
The Fairmont Dallas
US/Central timezone

Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event

Oct 16, 2016, 12:00 PM
Gold (The Fairmont Dallas)


The Fairmont Dallas

1717 N Akard St Dallas, TX 75201 USA
Standard Presentation Public Workshop Public Workshop: Anycast


Mr John Heidemann (USC/Information Sciences Institute)


Distributed Denial-of-Service (DDoS) attacks continue to be a major threat in the Internet today. DDoS attacks overwhelm target services with requests or other "bogus" traffic, causing requests from legitimate users to be shut out. A common defense against DDoS is to replicate the service in multiple physical locations or sites. If all sites announce a common IP address, BGP will associate users around the Internet with a nearby site, defining the *catchment* of that site. Anycast adds resilience against DDoS both by increasing capacity to the aggregate of many sites, and allowing each catchment to contain attack traffic leaving other sites unaffected. IP anycast is widely used for commercial CDNs and essential infrastructure such as DNS, but there is little evaluation of anycast under stress. This talk will provide a *first evaluation of several anycast services under stress with public data*. Our subject is the Internet's Root Domain Name Service, made up of 13 independently designed services (``letters'', 11 with IP anycast) running at more than 500 sites. Many of these services were stressed by sustained traffic at 100x normal load on Nov. 30 and Dec. 1, 2015. We use public data for most of our analysis to examine how different services respond to the these events. In our analysis we identify two policies by operators: (1) sites may *absorb* attack traffic, containing the damage but reducing service to some users, or (2) they may *withdraw* routes to shift both legitimate and bogus traffic to other sites. We study how these deployment policies result in different levels of service to different users, during and immediately after the attacks. We also show evidence of *collateral damage* on other services located near the attack targets. The work is based on analysis of DNS response from around 9000 RIPE Atlas vantage points (or "probes"), agumented by RSSAC-002 reports from 5 root letters and BGP data from BGPmon. We examine DNS performance for each Root Letter, for anycast sites inside specific letters, and for specific servers at one site.


This talk will evaluate the event affecting many Root DNS servers on November 30, 2015, based on public data from RIPE Atlas and other sources.

Talk duration 30 Minutes

Primary authors

Cristian Hesselman (SIDN Labs) Giovane C. M. Moura (SIDN Labs) Mr John Heidemann (USC/Information Sciences Institute) Lan Wei (USC/ISI) Moritz Müller (SIDN Labs) Dr Ricardo Schmidt (University of Twente) Wouter de Vries (U. Twente)

Presentation materials