2006.02.14 talk 4 Flooding attacks
A new talk added right before lunch by
Randy Bush will push us to 12:25.
Two talks coming up about DoS attacks
against control information
Flooding Attacks by exploiting persistent
Introduction: routing determines forwarding path.
Transient forwarding loops happen all the time
during convergence; that’s normal. But this
focuses on persistent forwarding loops.
why would persistent loops exist?
Example on neglecting pull-up routes.
Router announces 18.0/16 to internet
router A has default pointing to B
router A uses 18.0.0/24 only
Any traffic to 188.8.131.52-184.108.40.206
will enter the forwarding loop between
A and B
Risk: persistent forwarding loops amplify
traffic based on the TTL of packets injected into
the looping pair of routers.
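The A/B example above as a small forwarding simulation (an added example, not from the talk or its slides). Routers A and B and the prefixes 18.0/16 and 18.0.0/24 come from the notes; the sample addresses, the simplified TTL model, and the reading of a pull-up route as a discard route for the aggregate on A are assumptions.

```python
import ipaddress

def lookup(fib, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in fib.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def forward(fibs, start, dst, ttl=64):
    """Walk one packet hop by hop; return (outcome, link crossings)."""
    router, crossings = start, 0
    while True:
        nexthop = lookup(fibs[router], dst)
        if nexthop not in fibs:        # "deliver", "discard", or no route at all
            return (nexthop or "no-route", crossings)
        ttl -= 1                       # each router decrements TTL before forwarding
        if ttl <= 0:
            return ("ttl-expired", crossings)
        router, crossings = nexthop, crossings + 1

# B (upstream) routes the whole announced aggregate to A.
# A only uses 18.0.0.0/24 and sends everything else to its default, B.
LEAKY = {
    "B": {"18.0.0.0/16": "A"},
    "A": {"18.0.0.0/24": "deliver", "0.0.0.0/0": "B"},
}

# Same topology with a pull-up route on A: the aggregate is discarded locally,
# so unused space inside 18.0/16 no longer falls through to the default.
FIXED = {
    "B": {"18.0.0.0/16": "A"},
    "A": {"18.0.0.0/24": "deliver", "18.0.0.0/16": "discard", "0.0.0.0/0": "B"},
}

if __name__ == "__main__":
    # Constructed sample destinations: one in use, one in the unused part of 18.0/16.
    for name, fibs in (("leaky", LEAKY), ("fixed", FIXED)):
        for dst in ("18.0.0.10", "18.0.5.1"):
            print(name, dst, forward(fibs, "B", dst, ttl=64))
```

In the leaky configuration a single packet with TTL 64 crosses the A-B link 63 times before it expires; with the pull-up route it crosses once and is dropped at A.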
Can create a denial of service by flooding the
upstream links between routers in front of host
they want to knock off.
any other hosts behind that link are “imperiled
balancing granularity and overhead
samples 2 addresses in each /24 IP block
Address space collection
addresses covered by RouteView table
de-aggregate prefixes into /24 prefixes
traceroute to 5.5 million fine-grained prefixes
measurement lasts for 3 weeks in Sept 2005
Almost 2.5% of routable addresses have persistent
Almost .8% of routable addresses are imperiled addresses.
Validating these persistent forwarding loops
from multiple places
from Asia, Europe, west and east coast of US
90% of shadowed prefixes consistently have persistent
Validation to multiple addresses in shadowed prefixes
sampling 50 addresses in each shadowed prefix
68% of shadowed prefixes shows that…
Properties of the loops
How long are the loops?
86.6% of loops are 2 hops long
0.4% are more than 10 hops long
some are more than 15 hops
82.2% of persistent loops happen within destination
significantly amplify attacking traffic
can be exploited from different places.
(oops. Matt gets paged out to deal with issue, so no
more notes for a while).