Project Description
The PAADDoS project’s goal is to defend against large-scale Distributed Denial-of-Service (DDoS) attacks
by making anycast-based capacity more effective than it is today.
Anycast uses Internet routing to associate users with geographically
close sites of a replicated service. During DDoS, anycast sites can
provide capacity to absorb an attack, and they can be used to isolate
the attack to part of the network.
We will work toward our goal of improving anycast use during DDoS by
(1) developing tools to map anycast catchments and baseline load,
(2) developing methods to plan changes and their effects on catchments,
and (3) developing tools to estimate attack load and assist anycast reconfiguration during an attack.
We expect these innovations
to improve service resilience in the face of DDoS attacks.
Our tools will improve anycast agility during an attack,
allowing capacity to be used effectively.
PAADDoS is a joint effort of the ANT Lab
involving USC/ISI (PI: John Heidemann)
and the Design and Analysis of Communication Systems group
at the University of Twente (PI: Aiko Pras).
PAADDoS also builds on our collaboration with SIDN Labs.
PAADDoS has websites at USC and U. Twente.
Support
PAADDoS is supported by
the DHS HSARPA Cyber Security Division
via contract number
HSHQDC-17-R-B0004-TTA.02-0006-I,
and by NWO.
People
- João Ceron, post-doctoral researcher (University of Twente)
- John Heidemann, PI on this project, project leader and professor (USC/ISI)
- A S M Rizvi, PhD student (USC CS Dept. and ISI)
Publications
- A S M Rizvi, Jelena Mirkovic, John Heidemann, Wes Hardaker and Robert Story 2023. Defending Root DNS Servers Against DDoS Using Layered Defenses (Extended). Ad Hoc Networks Journal. 151, (Dec. 2023).
- A S M Rizvi, Jelena Mirkovic, John Heidemann, Wes Hardaker and Robert Story 2023. Defending Root DNS Servers Against DDoS Using Layered Defenses. Proceedings of the IEEE International Conference on Communications Systems and Networks (COMSNETS) (Bengaluru, India, Jan. 2023), to appear.
- A S M Rizvi, Leandro Bertholdo, João Ceron and John Heidemann 2022. Anycast Agility: Network Playbooks to Fight DDoS. Proceedings of the 31st USENIX Security Symposium (Aug. 2022), 4201–4218.
- A S M Rizvi and John Heidemann 2022. Chhoyhopper: A Moving Target Defense with IPv6. Proceedings of the IEEE Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb) (San Diego, California, USA, Apr. 2022), to appear.
- Giovane C. M. Moura, John Heidemann, Wes Hardaker, Pithayuth Charnsethikul, Jeroen Bulten, João M. Ceron and Cristian Hesselman 2022. Old but Gold: Prospecting TCP to Engineer and Live Monitor DNS Anycast. Proceedings of the Passive and Active Measurement Workshop (virtual, Mar. 2022), to appear.
- G. Moura, W. Hardaker, J. Heidemann and M. Davids 2022. Considerations for Large Authoritative DNS Server Operators. Technical Report 9199. Internet Request For Comments.
- Giovane C. M. Moura, Sebastian Castro, John Heidemann and Wes Hardaker 2021. TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS. Proceedings of the ACM Internet Measurement Conference (Virtual, Nov. 2021), 398–418.
- Giovane C. M. Moura, John Heidemann, Wes Hardaker, Jeroen Bulten, Joao Ceron and Christian Hesselman 2020. Old but Gold: Prospecting TCP to Engineer DNS Anycast (extended). Technical Report ISI-TR-739b. USC/Information Sciences Institute.
- ASM Rizvi, Joao Ceron, Leandro Bertholdo and John Heidemann 2020. Anycast Agility: Adaptive Routing to Manage DDoS. Technical Report arxiv:2006.14058v1. arXiv.
- Lan Wei, Marcel Flores, Harkeerat Bedi and John Heidemann 2020. Bidirectional Anycast/Unicast Probing (BAUP): Optimizing CDN Anycast. Proceedings of the IEEE Network Traffic Monitoring and Analysis Conference (Berlin, Germany, Jun. 2020).
- Giovane C. M. Moura, Sebastian Castro, John Heidemann and Wes Hardaker 2021. TsuNAME vulnerability and DDoS against DNS. Technical Report ISI-TR-740. USC/Information Sciences Institute.
- John Heidemann, Wes Hardaker, Jelena Mirkovic, ASM Rizvi and Robert Story 2019. DDoS Defense in Depth for DNS (DDIDD). Invited talk at the Trusted CI Webinar.
- ASM Rizvi, John Heidemann and Jelena Mirkovic 2019. Dynamically Selecting Defenses to DDoS for DNS (extended). Technical Report ISI-TR-736. USC/Information Sciences Institute.
- Giovane C. M. Moura, John Heidemann, Ricardo de O. Schmidt and Wes Hardaker 2019. Cache Me If You Can: Effects of DNS Time-to-Live. Proceedings of the ACM Internet Measurement Conference (Amsterdam, the Netherlands, Oct. 2019), to appear.
- Giovane C. M. Moura, John Heidemann, Ricardo de O. Schmidt and Wes Hardaker 2019. Cache Me If You Can: Effects of DNS Time-to-Live (extended). Technical Report ISI-TR-734b. USC/Information Sciences Institute.
For related publications, please see the
ANT publications web page.
Software
See also the ANT distribution web page.
Datasets
We make all datasets and specifically
our network outage datasets
public
through the LACANIC project.