Next Gen Blackholing to Counter DDoS
Network attacks, including Distributed Denial-of-Service (DDoS), continuously increase in terms of bandwidth along with damage (recent attacks exceed 1.7 Tbps) and …
|Talk Title||Next Gen Blackholing to Counter DDoS|
|Speakers||Christoph Dietzel, DE-CIX / TU Berlin|
|Location||San Francisco, CA|
|Date||Feb 18 2019 - Feb 20 2019|
Network attacks, including Distributed Denial-of-Service (DDoS), continuously increase in terms of bandwidth along with damage (recent attacks exceed 1.7 Tbps) and have a devastating impact on the targeted networks, thus, companies/governments. Over the years, mitigation techniques, ranging from blackholing to ACL filtering at routers, and on to traffic scrubbing, have been added to our defense toolboxes. Even though these mitigation techniques provide some protection, they either yield severe collateral damage, e.g., dropping legitimate traffic, are cost-intensive, or do not scale well for Tbps level attacks. In this talk we present our Next Generation Blackholing system, developed and deployed at DE-CIX by combining available hardware filters with a novel route server-based signaling mechanism. It builds upon the scalability of blackholing while limiting collateral damage by increasing its granularity. We present the design fundamentals and the building blocks while highlighting implementation challenges and performance evaluation.