Peering into the Darkness: The Use of UTRS in Combating DDoS Attacks

  • Conference paper
Computer Security – ESORICS 2023 (ESORICS 2023)

Abstract

Remotely Triggered Black Hole (RTBH) is a common DDoS mitigation approach that has been in use for the last two decades. Usually, it is implemented close to the attack victim in networks sharing some type of physical connectivity. The Unwanted Traffic Removal Service (UTRS) project offers a free, global, and relatively low-effort-to-join and operate RTBH alternative by removing the requirement of physical connectivity. Given these unique value propositions of UTRS, this paper aims to understand to what extent UTRS is adopted and used to mitigate DDoS attacks. To reach this goal, we collected two DDoS datasets describing amplification and Internet-of-Things-botnet-driven attacks and correlated them with the information from a third dataset containing blackholing requests propagated to the members of UTRS. Our findings suggest that, currently, just a small portion of UTRS members (approximately \(10\%\)) trigger mitigation attempts: out of 1200+ UTRS members, only 124 triggered blackholing events during our study. Among those, with high probability, 25 Autonomous Systems (ASes) reacted to AmpPot attacks, mitigating \(0.025\%\) of them globally or \(1.03\%\) of those targeting UTRS members; 2 countered IoT-botnet-driven attacks, alleviating \(0.001\%\) of them globally or \(0.06\%\) of those targeting UTRS members. This suggests that UTRS can be a useful tool in mitigating DDoS attacks, but it is not widely used.
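The correlation the abstract describes can be sketched as follows. This is an added illustration, not the authors' code or matching rule: it rebuilds blackholing events from periodic dumps of the UTRS target list and attributes an event to an attack when the attacked IP lies inside the announced prefix and the prefix first appears shortly after the attack starts. The one-hour window, the function names and the sample data are assumptions; the prefix limits and the 5-minute dump granularity follow Notes 1 and 2.

```python
import ipaddress
from datetime import datetime, timedelta

DUMP_INTERVAL = timedelta(minutes=5)  # Note 2 read as: target list sampled every 5 minutes
MATCH_WINDOW = timedelta(hours=1)     # assumption: max delay from attack start to blackhole

def within_utrs_limits(prefix):
    """Note 1 read as: IPv4 /25 or more specific, IPv6 /49 or more specific."""
    net = ipaddress.ip_network(prefix)
    return net.prefixlen >= (25 if net.version == 4 else 49)

def blackhole_events(dumps):
    """Collapse dumps [(time, {prefix, ...})] into (prefix, first_seen, last_seen)."""
    events, active = [], {}
    for ts, prefixes in sorted(dumps, key=lambda d: d[0]):
        for gone in [p for p in active if p not in prefixes]:
            events.append((gone, *active.pop(gone)))
        for p in prefixes:
            active[p] = (active[p][0], ts) if p in active else (ts, ts)
    events.extend((p, first, last) for p, (first, last) in active.items())
    return events

def correlate(attacks, events):
    """Match attacks [(target_ip, start)] to events covering the target soon after."""
    matches = []
    for ip, start in attacks:
        addr = ipaddress.ip_address(ip)
        for prefix, first_seen, _ in events:
            delay = first_seen - start
            # first_seen can lag the real announcement by up to one dump interval
            if addr in ipaddress.ip_network(prefix) and \
                    timedelta(0) <= delay <= MATCH_WINDOW + DUMP_INTERVAL:
                matches.append((ip, prefix, delay))
    return matches

# Constructed sample data (documentation address ranges), not from the paper's datasets.
T0 = datetime(2023, 1, 1, 12, 0)
m = lambda n: timedelta(minutes=n)
DUMPS = [(T0, set()), (T0 + m(5), {"192.0.2.10/32"}),
         (T0 + m(10), {"192.0.2.10/32", "198.51.100.128/25"}),
         (T0 + m(15), {"198.51.100.128/25"})]
ATTACKS = [("192.0.2.10", T0 + m(2)),        # blackholed 3 minutes later
           ("198.51.100.200", T0 - m(180)),  # covering prefix appears far too late
           ("203.0.113.7", T0 + m(1))]       # never blackholed

if __name__ == "__main__":
    for ip, prefix, delay in correlate(ATTACKS, blackhole_events(DUMPS)):
        print(f"{ip} mitigated via {prefix} after {delay}")
```

A blackhole announced and withdrawn between two consecutive dumps never reaches `blackhole_events`, which is the blind spot Note 2 describes.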

Notes

  1. UTRS members can announce up to a /25 of IPv4 addresses and up to /49 for IPv6 from their ASes as targets.

  2. If a target network is added and removed within a 5-minute interval, it will not appear in any dump and we will not record it.

  3. https://sec.ynu.codes/dos.

  4. For this dataset, the number of targets corresponds to the number of IPs because AmpPot records attacks to individual IPs rather than networks.

  5. https://github.com/jgamblin/Mirai-Source-Code/blob/master/mirai/cnc/attack.go.

  6. The ASes’ country codes are obtained using CAIDA’s AS Rank [6] dataset.

  7. The Milker monitor registers attack durations, but those values are fixed by the IoT malware owners.

References

  1. RIR Statistics. https://www.nro.net/about/rirs/statistics/

  2. Alieyan, K., Kadhum, M.M., Anbar, M., Rehman, S.U., Alajmi, N.K.: An overview of DDoS attacks based on DNS. In: 2016 International Conference on Information and Communication Technology Convergence (ICTC), pp. 276–280. IEEE (2016)

  3. AMSIX: Pricing | AMS-IX Amsterdam (2023). https://www.ams-ix.net/ams/pricing

  4. Antonakakis, M., et al.: Understanding the Mirai botnet. In: 26th USENIX Security Symposium (USENIX Security 17), pp. 1093–1110 (2017)

  5. Bailey, M., Dittrich, D., Kenneally, E., Maughan, D.: The Menlo report. IEEE Secur. Priv. 10(2), 71–75 (2012)

  6. CAIDA: AS Rank. https://asrank.caida.org/

  7. Cymru, T.: network-security-templates/README.md at master · team-cymru/network-security-templates · GitHub (2022)

  8. DE-CIX: Blackholing - Fight DDoS attacks effectively. https://de-cix.net/en/services/blackholing

  9. Dietzel, C., Wichtlhuber, M., Smaragdakis, G., Feldmann, A.: Stellar: network attack mitigation using advanced blackholing. In: Proceedings of the 14th International Conference on Emerging Networking Experiments and Technologies. CoNEXT 2018, pp. 152–164, New York, NY, USA. Association for Computing Machinery (2018). https://doi.org/10.1145/3281411.3281413

  10. Dnsfilter: Beyond Hackers in Hoodies: DNSFilter Mid-Year Cybersecurity Review (2022)

  11. Equinix: Remotely Triggered Black Hole. https://docs.equinix.com/en-us/Content/Interconnection/IX/IX-rtbh-guide.htm

  12. Giotsas, V., Smaragdakis, G., Dietzel, C., Richter, P., Feldmann, A., Berger, A.: Inferring BGP blackholing activity in the internet. In: Proceedings of the 2017 Internet Measurement Conference. IMC 2017, New York, NY, USA, pp. 1–14. Association for Computing Machinery (2017). https://doi.org/10.1145/3131365.3131379

  13. Jonker, M., Pras, A., Dainotti, A., Sperotto, A.: A first joint look at DoS attacks and BGP blackholing in the wild. In: Proceedings of the Internet Measurement Conference 2018, pp. 457–463 (2018)

  14. Jonker, M., Sperotto, A.: Measuring exposure in DDoS protection services. In: 2017 13th International Conference on Network and Service Management (CNSM), pp. 1–9. IEEE (2017)

  15. Kopp, D., Dietzel, C., Hohlfeld, O.: DDoS never dies? An IXP perspective on DDoS amplification attacks. In: Hohlfeld, O., Lutu, A., Levin, D. (eds.) PAM 2021. LNCS, vol. 12671, pp. 284–301. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-72582-2_17

  16. Krämer, L., et al.: AmpPot: monitoring and defending against amplification DDoS attacks. In: Proceedings of the 18th International Symposium Research in Attacks, Intrusions, and Defenses, pp. 615–636 (2015)

  17. Kristoff, J.: An Internet-wide BGP RTBH service. Technical report (June 2015). https://www.iab.org/wp-content/IAB-uploads/2015/04/CARIS_2015_submission_20.pdf

  18. Krupp, J., Backes, M., Rossow, C.: Identifying the scan and attack infrastructures behind amplification DDoS attacks. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1426–1437 (2016)

  19. Lone, Q., Frik, A., Luckie, M., Korczynski, M., van Eeten, M., Gañán, C.: Deployment of source address validation by network operators: a randomized control trial. In: Proceedings of the 43rd IEEE Symposium on Security and Privacy (S&P 2022) (2022)

  20. Mirkovic, J., Reiher, P.: A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Comput. Commun. Rev. 34(2), 39–53 (2004)

  21. Nawrocki, M., Blendin, J., Dietzel, C., Schmidt, T.C., Wählisch, M.: Down the black hole: dismantling operational practices of BGP blackholing at IXPs. In: Proceedings of the Internet Measurement Conference, pp. 435–448 (2019)

  22. Srivastava, A., Gupta, B.B., Tyagi, A., Sharma, A., Mishra, A.: A recent survey on DDoS attacks and defense mechanisms. In: Nagamalai, D., Renault, E., Dhanuskodi, M. (eds.) PDCTA 2011. CCIS, vol. 203, pp. 570–580. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24037-9_57

  23. Team Cymru: Unwanted traffic removal service. https://www.team-cymru.com/ddos-mitigation-services

  24. Team Cymru: UTRS Peering Guide. https://github.com/team-cymru/network-security-templates/blob/master/UTRS-Peering-Guide/README.md

  25. Turk, D.: Configuring BGP to Block Denial-of-Service Attacks. RFC 3882 (2004). https://doi.org/10.17487/RFC3882, https://rfc-editor.org/rfc/rfc3882.txt

  26. Zhauniarovich, Y., Dodia, P.: Sorting the garbage: filtering out DRDoS amplification traffic in ISP networks. In: Proceedings of the IEEE Conference on Network Softwarization, pp. 142–150 (2019)

Acknowledgements

This work is partly supported by the Dutch Research Council (NWO) under the RAPID project (Grant No. CS.007), by the MITIGATE project (JPJ000254) supported by MIC, Japan, and the commissioned research (No.05201) by NICT. This work was also supported by JSPS KAKENHI Grant Numbers 21H03444 and 21KK0178.

Author information

Corresponding author

Correspondence to Yury Zhauniarovich.

Appendix A: List of ASes Mitigating DDoS Attacks

Table 3. ASes mitigating DDoS attacks

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Anghel, R. et al. (2024). Peering into the Darkness: The Use of UTRS in Combating DDoS Attacks. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14345. Springer, Cham. https://doi.org/10.1007/978-3-031-51476-0_2

  • DOI: https://doi.org/10.1007/978-3-031-51476-0_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-51475-3

  • Online ISBN: 978-3-031-51476-0

  • eBook Packages: Computer Science (R0)
