Using BGP to Reroute Traffic during a DDoS

Posted by on February 20, 2014

Continuing our discussion about visualizing DDoS attacks from last week, today we are going to look at an attack against a multinational bank. Whereas last week’s example focused on path visualization, this week’s will touch upon how Border Gateway Protocol (BGP) plays a role in rerouting traffic during an attack.

A quick aside on BGP. BGP is the Internet's inter-domain routing protocol: each Autonomous System (AS), a large network connected to the Internet, announces which networks are reachable through it, and routers use these announcements to decide where to forward packets in order to reach a destination network. Links between networks change constantly due to hardware failures, downed links, and changes in peering between networks. BGP can also be used during a DDoS attack to redirect traffic to scrubbing centers that filter out malicious traffic, particularly centers operated by cloud-based mitigation vendors.

Let’s join a DDoS attack in progress, with widespread service degradation and packet loss clearly visible in our network metrics (Figure 1).

Figure 1: Bank website experiencing packet loss from locations around the world.

In response to the DDoS attack, the bank begins rerouting traffic from its own network to that of its cloud-based DDoS mitigation vendor. This is evident from the BGP path changes being advertised: the origin switches from the bank's Autonomous System to that of its mitigation provider so that scrubbing of traffic can begin. In Figure 2, we see BGP path changes propagate, as the previous route to the bank (the white circle) via their ISP, Verizon Business (AS 701), is changed over to new routes to their mitigation vendor (the green circle).

Figure 2: Bank uses BGP to reroute traffic from their own Autonomous System (AS) to that of their DDoS mitigation provider.

This change routes traffic through several global scrubbing centers, as visible in the Path Visualization view. In Figure 3, we can see these scrubbing centers located in Europe and the US, each handling traffic from different regions around the world, listed on the left. The bank's website is the green circle on the far right.

Figure 3: During mitigation traffic is routed through scrubbing centers, each serving geographic regions.

Within minutes the effect on application performance is clear, with packet loss dropping dramatically and availability improving to 100% (Figure 4). The DDoS mitigation vendor continues to filter traffic in order to stave off the attack.

Figure 4: After mitigation is underway, packet loss returns to normal.

After the attack has subsided almost 24 hours later, the bank uses BGP to advertise new routes to its own network and to stop using the networks of its DDoS mitigation provider. In Figure 5, we see new routes to the bank's network (in green) via two upstream ISPs (in gray) as well as the old routes that used to lead to the mitigation vendor (in white).

Figure 5: Once the attack is over, the bank changes BGP paths back to their own network from that of their DDoS mitigation provider.
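A small route monitor for the switch-over in Figure 2 and the switch-back in Figure 5, added here as an example (not the post's or ThousandEyes' code): it tracks the origin AS of the bank's prefix across a constructed sequence of BGP updates and labels the change to the mitigation vendor, the return to the bank, and any origin that is neither. ASNs 64500/64501, 65000 and the prefix 203.0.113.0/24 are placeholders; AS 701 (Verizon Business) is the ISP named in the post.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Placeholder ASNs (private range): the post names neither the bank's nor the
# vendor's real ASN. AS 701 (Verizon Business) is the ISP named in the post.
BANK_AS, SCRUBBER_AS, ISP_AS = 64500, 64501, 701

@dataclass
class Update:
    ts: str
    prefix: str
    as_path: List[int]  # leftmost = peer that announced it, rightmost = origin AS

@dataclass
class Monitor:
    expected_origin: int
    mitigation_origin: int
    state: Dict[str, List[int]] = field(default_factory=dict)  # last path seen per prefix

    def observe(self, u: Update) -> str:
        old = self.state.get(u.prefix)
        self.state[u.prefix] = u.as_path
        if old is None:
            return "baseline"
        if old == u.as_path:
            return "steady"
        old_origin, new_origin = old[-1], u.as_path[-1]
        if new_origin == old_origin:
            return "upstream-change"  # same origin, different transit (e.g. another scrubbing center)
        if new_origin == self.mitigation_origin:
            return "mitigation-on"    # Figure 2: the vendor now originates the prefix
        if new_origin == self.expected_origin:  # Figure 5: back to the bank's own AS
            return "mitigation-off" if old_origin == self.mitigation_origin else "origin-restored"
        return "unexpected-origin"    # neither us nor our vendor: possible leak or hijack, investigate

def replay(updates: List[Update]) -> List[Tuple[str, str]]:
    mon = Monitor(expected_origin=BANK_AS, mitigation_origin=SCRUBBER_AS)
    return [(u.ts, mon.observe(u)) for u in updates]

# Constructed timeline (not the post's data) as seen from one BGP vantage point.
SAMPLE = [
    Update("day1 09:00", "203.0.113.0/24", [3356, ISP_AS, BANK_AS]),  # normal path via Verizon Business
    Update("day1 09:05", "203.0.113.0/24", [3356, ISP_AS, BANK_AS]),  # re-announcement, nothing changed
    Update("day1 09:20", "203.0.113.0/24", [3356, SCRUBBER_AS]),      # mitigation vendor takes over origin
    Update("day1 09:25", "203.0.113.0/24", [2914, SCRUBBER_AS]),      # reached via a second scrubbing center
    Update("day2 08:40", "203.0.113.0/24", [3356, 6453, BANK_AS]),    # attack over, back to bank via 2nd ISP
    Update("day2 09:00", "203.0.113.0/24", [3356, 65000]),            # constructed rogue origin, must alert
    Update("day2 09:10", "203.0.113.0/24", [3356, ISP_AS, BANK_AS]),  # correct origin restored
]
```

Running `replay(SAMPLE)` yields, in order: baseline, steady, mitigation-on, upstream-change, mitigation-off, unexpected-origin, origin-restored.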

Network Visualization of DDoS Attacks

This example shows a relatively successful response to a major DDoS attack. In both this example of a successful mitigation and the previous example of a mitigation with more mixed results, the importance of network visualization during a DDoS is clear: it is what allows you to communicate effectively with network operations teams and the various vendors involved in the response.

Visibility into an ongoing DDoS attack is critical given how many moving pieces there are. Networks are overloaded and under stress. New DNS records and BGP routes are being advertised to reroute traffic for filtering. Access control lists are being updated to filter out traffic. And the attackers are evolving their attack vectors continuously. During a DDoS attack you’ll want a toolset that can monitor global availability and real-time performance, ensure DDoS mitigation is being deployed correctly, and get continuous insight into mitigation efficacy.

Find out more about monitoring and analyzing DDoS attacks using ThousandEyes with the downloadable PDF, ThousandEyes for DDoS Attack Analysis, or monitor BGP and DDoS attacks with a free version of ThousandEyes.