Understanding Border Gateway Protocol
Most articles about Distributed Denial of Service (DDoS) attacks begin with descriptions of the incursions, including their composition, source, or target. Some write-ups delve into the damage done by such attacks or the motivations of those that create or launch them. In this series of blogs, however, we will take a step back to consider the environment in which DDoS threats occur. These environments, in turn, affect where and how DDoS attacks are mitigated.
At a high level, vendor-neutral DDoS attack mitigations in the cloud function by intercepting traffic bound for the target, “scrubbing” out the bad traffic, and sending legitimate traffic on to its intended destination. The most prevalent ways to redirect traffic include changes to Border Gateway Protocol (BGP) announcements or changes to the Domain Name System (DNS). In this blog we will consider the first option, BGP redirection, starting with a basic overview of the protocol itself.
Routing, in general terms, is the mechanism by which a path is selected for traffic transiting a network. Routers on the internet make use of BGP almost exclusively when exchanging routing and reachability information between a single network or a group of networks, otherwise known as an Autonomous System (AS). BGP shares information about AS that the router is directly connected to, as well as data stored in its routing table, which contains information that it has learned about from peers.
Speed is a primary attribute of how the internet processes traffic, and BGP is central to how this works. Because of the overall size of the internet, there are many different routes/combinations of routes to any single AS. The “best” route is measured by the number of routers that a packet must pass through to get to its destination, referred to as “hops.” BGP, which is controlled by individual network administrators, calculates routes using algorithms and policies set by admins to determine the best path to the next hop router, referencing either networks to which it is directly connected or information that it has learned. Routers exchange this information, in a process known as route propagation. If a router along the way goes down or network topology changes, this information is propagated, and alternate routes can be selected. A route swing occurs when a new route is advertised from a different location than its source, which is how DDoS mitigation happens. When a customer is under attack, the mitigation provider announces a new route to the customer’s site which runs through the provider’s scrubbing centers. That new route is then propagated throughout the internet.
The key point to understand is that even though the internet is remarkably fast and resilient, changes do take time.
How Does All this Relate to DDoS?
There are several types of DDoS attacks where the relatively short gaps between an attack being detected, a mitigation being triggered, and full redirect to the mitigation provider’s scrubbing center can be exploited. One such attack is called a burst attack. These threats feature an intense amount of attack traffic that appears suddenly and disappears just as quickly. A similar attack type is called a pulse attack, or a pulse wave attack. This threat type initially looks like a burst attack, but the bursts just keep coming. Pulse attacks, which are often aimed at ISPs or large enterprises, may include carpet bombing attacks in which a burst of traffic hits a particular subnet then disappears, only to pop up again at another subnet. Still another twist is to change the attack vector or vectors while a DDoS is underway.
Both attack types feature the same problem; by the time a customer is aware that they are being attacked and moves to mitigation, the attack is over. Even worse, the target may be completely unprotected during the period that a route swing/propagation is underway. A savvy attacker will wait until this period to hit hardest.
The length of time that a customer is undefended depends upon what sort of DDoS mitigation they have. In the case where a customer has no active detection, it could take 5 minutes or more to start a mitigation. In situations in which a customer might not want to pay for always-on but does have their network set up for detection and alerting with automatic mitigation, the route swing and propagation could still take about 3 minutes. Many customers with mission-critical networks have moved to always-routed solutions, where mitigations are in the order of seconds.
The Bottom Line
So how do you know what is the right type of mitigation for you? Start with a look at the asset you are protecting. In situations where customer resources are referenced solely/largely by IP address vs. hostname, a form of BGP redirect is likely the right method to use to switch traffic over for mitigation, (in contrast to other vendor-neutral methods, such as DNS redirection, which is not practical in some cases).
There are generally several different types of BGP redirections, which can also depend upon the asset under consideration. The advent of burst or pulse attacks is relatively recent, but they are different enough from a traditional attack type to render on-demand protection typical defenses at least momentarily ineffective.
Whatever type of asset that you are trying to protect, the right defense type is available for your environment if you are aware of the basics of how BGP functions, the mitigation types available, and your tolerance for risk. The combination is invaluable when determining how to protect yourself in the ever-changing world of DDoS.
Read the next blog, Exploring Proxies and Traffic Redirection