Anycast in the Age of Hypergiants: Towards Tools and Techniques for the other 99% of ASes
Leandro Bertholdo is a PhD student in the department Design and Analysis of Communication Systems. (Co)Promotors are prof.dr.ir. R.M. van Rijswijk-Deij, prof.dr. C.E.W. Hesselman and dr. R. Holz from the faculty Electrical Engineering, Mathematics and Computer Science.
Over the past 40 years, the Internet has undergone a remarkable transformation, evolving from an academic network to an integral part of the daily lives of over 60% of the global population in 2023. Just during the pandemic this number grew by 10 percentage points, demonstrating those years of investments in research and development of the Internet worthwhile in these difficult times. Nowadays, the Internet has solidified its position as arguably the most significant form of global communication.
However, this substantial growth has not solely driven the broadening of business, the digital economy, and government services for the public benefit. It has also created new avenues for criminal endeavors.
One such crime is the Distributed Denial of Service (DDoS) attack. This occurs when criminals disrupt a service or company's Internet presence, often seeking profit through ransoms or intending to inflict infrastructural damage. This was recently illustrated during the war in Ukraine in the context of which there have been regular DDoS attacks against civil society on both sides of the conflict.
A common victim of DDoS attacks is the Internet's infrastructure, particularly the Domain Name System (DNS). DNS forms a critical part of the Internet's public core. It is responsible for mapping the website names we use daily to their corresponding IP addresses, or mapping domain names in e-mail addresses to mail servers.
Over time, DDoS attacks have escalated, reaching a magnitude of terabits per second, a volume too large for a regular company with an Internet connection to handle. This situation has compelled companies to seek the use of specialized services, leading to a concentration of Internet control in the hands of major tech firms, known as Hypergiants. The DNS infrastructure is following the same trend towards concentration, causing concerns among governments.
One defense mechanism against large-scale DDoS attacks is a technology known as anycast. Anycast enables the replication of the same IP address across servers distributed worldwide, thereby enhancing the resilience of services like DNS against volumetric DDoS attacks.
Anycast is a state-of-the-art technique that employs properties of the Internet's inter-domain routing system. Anycast reuses the same IP address at different sites across the Internet, it allows the redistribution of DDoS attack load among these sites.
In this thesis, we take the first steps to promote greater diversity among anycast operators, particularly those operating DNS services. Currently, the use of anycast technology is limited to a few companies due to its operational complexities, leading to an undesired concentration of this critical service. We investigate this concentration of anycast and the challenges that make it difficult for smaller operators to run anycast networks. We develop and test tools to simplify the adoption, usage, and management of anycast, including automated responses to DDoS attacks.
In our first contribution, we enhance the existing state of the art by developing a novel method to locate and quantify other anycast networks on the Internet. This enables us to gain a more comprehensive understanding of anycast adoption on the Internet.
Additionally, we establish a collaborative infrastructure for conducting research on anycast. This allows us to test anycast in real-world conditions, free from limitations of static datasets or restrictions on configuration tests.
As our second contribution, we identify the challenges associated with operating anycast sites on Internet Exchanges (IXPs). IXPs play a crucial role in the Internet infrastructure, offering direct connections with thousands of other Autonomous Systems (ASes) almost without bandwidth restrictions and at low cost—important points when we face volumetric DDoS attacks. We analyze IXPs in terms of coverage and the preferences of participants for delivering traffic through the IXP fabric. We also examine the impact of an outage at an IXP on the anycast network.
We then turned our attention to identifying problems at IXPs that can cause operational challenges for anycast operators that peer at IXPs. We were the first to quantify the traffic asymmetry of IXPs. Traffic asymmetry is a problem because it makes it hard to use routing-based techniques to deflect traffic as a DDoS defense.
We also observed that some major participants exhibit the unusual behavior of never returning traffic towards the IXP, and developed a method to identify them. This allows anycast operators to avoid these participants, thereby enhancing the quality of routes from IXP prefixes.
Our third contribution is that we demonstrate that the management of anycast can be made more intuitive for operators. We have developed, tested, and openly provided a tool that enables operators to manage their networks that is as easy as tuning a radio.
In our fourth contribution, we facilitate decision-making and automation for anycast networks under DDoS attacks. We demonstrate that a playbook of potential operator responses can be constructed, and a decision can be made based on the size of a DDoS attack.
We have developed, validated, and openly provided tools to help anycast operators make informed decisions and quickly respond during a DDoS attack. The operator can estimate the size of the attack and choose whether to absorb or redistribute a given DDoS attack against the anycast network.
As our final contribution, we look towards the future. Given the growing concentration of anycasted DNS services, we propose a new approach aimed at addressing the current centralization of anycast in a few companies by enabling smaller DNS operators to expand their infrastructure. We engaged in discussions and interviews with ISPs, DNS operators, and National Research and Education Network (NREN) operators about the centralization scenario for DNS resolvers. These discussions led us to propose a federated model for anycast networks between ISPs and DNS operators. As a result, we identified the main requirements and suggested an agenda aimed at building an anycast federation for DNS resolvers.
Through these contributions, we facilitate the adoption of anycast worldwide. By lowering the entry costs associated with infrastructure and simplifying operations, new providers of anycasted services can emerge. Over time, this can have the potential to reverse the current trend of centralization in the DNS.
