Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis > publications : papers : 2018 : potential_bgp_flowspec
On the Potential of BGP Flowspec for DDoS Mitigation at Two Sources: ISP and IXP
N. Hinze, M. Nawrocki, M. Jonker, A. Dainotti, T. Schmidt, and M. Wählisch, "On the Potential of BGP Flowspec for DDoS Mitigation at Two Sources: ISP and IXP", in ACM SIGCOMM Poster, Aug 2018.
|   View full paper:    PDF    DOI    |  Citation:    BibTeX   |

On the Potential of BGP Flowspec for DDoS Mitigation at Two Sources: ISP and IXP

Nico Hinze2
Marcin Nawrocki2
Mattijs Jonker4
Alberto Dainotti1
Thomas C. Schmidt3
Matthias Wählisch2

CAIDA, San Diego Supercomputer Center, University of California San Diego


Freie Universität Berlin


HAW Hamburg


University of Twente

Distributed Denial of Service (DDoS) attacks are a major threat to the Internet ecosystem. DDoS cannot only exhaust resources of end systems but also of provider uplinks. Ideally, DDoS attacks are mitigated close to the attacker, and mitigation only affects malicious traffic. Mitigation on inter-domain level is commonly implemented with remotely triggered blackholing (RTBH). Blackholing enables the victim domain to mark the (usually /32) IP prefix under attack using BGP communities. Based on this tagging, adjacent peers can filter traffic to the victim to prevent over-load. Although RTBH is an easy to implement, cost-efficient and effective mitigation solution, it faces a significant draw-back: since all traffic to the victim is discarded, the victim becomes completely unreachable. A more fine grained filtering is provided in BGP Flowspec [3], which supports filtering rules – exchanged through BGP – for 12 different components (e.g., source and destination address, TCP flags). In this poster, we aim for a better understanding of DDoS traffic from an inter-domain perspective. We analyze malicious traffic based on passive measurements from a national Internet Service Provider and from a large regional Internet Exchange Point. In contrast to previous work (e.g., [2]), we try to characterize collateral damage that occurs while blackholing DDoS traffic, compared to the benefits of deploying Flowspec. Our ongoing analysis shows that (i) current blackholing drops significant portion of valid traffic whereas BGP Flowspec requires very little additional information to improve the situation, (ii) an IXP is a good vantage point to deploy Flowspec close to the attacker.

Keywords: internet outages, measurement methodology, network telescope, security
  Last Modified: Mon Jul-6-2020 22:30:47 UTC
  Page URL: