1. Technological Field
The present disclosure relates generally to the field of networking data center operations, and specifically in one aspect, to apparatus and methods for mitigation of network attacks by dynamically re-routing network traffic, including e.g., enhancements to network operation such as improved response/recovery times, and reduced network management overhead and overall capital expenditures.
2. Description of Related Technology
The Internet is a network of networks that consists of private, public, academic, business, and government networks that are connected via so-called “backbone” networks. Backbone networks link data centers, where each data center locally distributes network traffic to edge routers and so-called “last mile” delivery networks. The “last mile” is a common colloquialism referring to the portion of the telecommunications network chain that physically reaches the end or destination premises. Generally, backbone services are provided by a commercial wholesale bandwidth provider who guarantees certain Quality of Service (QOS) or Service Level Agreements (SLAs) to e.g., a retailer (e.g., Internet Service Provider (ISP)), network operator (e.g., cellular network operator), etc.
Malicious activity is an issue for the Internet generally; however, backbone service providers are especially concerned with network “attacks” that overwhelm network equipment with malicious data. For example, one common network attack is a so-called “Distributed Denial of Service” (DDoS) attack that attempts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. DDoS attacks commonly involve a so-called “botnet” (computers that have been infected with malware) whose members repeatedly request service from a target host; the target host is flooded with dummy service requests and accordingly cannot service legitimate requests. The number and strength of DDoS attacks on the Internet have increased at an accelerating rate. In 2010, a DDoS attack in the tens of Gbps (Gigabits per second) would be considered “large”, with most capping out at 100 Gbps; by 2014, such attacks had escalated to 400-500 Gbps using various new User Datagram Protocol (UDP) reflection techniques.
Conceptually, filtering out DDoS attacks requires that the backbone service provider route “dirty” traffic to specialized scrubbing appliances that filter out illegitimate traffic, and forward the “cleaned” traffic to the target server (typically, a more specific route is injected into the service provider's routing table that is seen as more preferred than the existing route, so that all traffic destined for the given host is intercepted and redirected to the scrubbing appliances). Since DDoS attacks could originate from any number of source addresses, dirty traffic is primarily identified by its intended destination (the target or victim host, such as e.g., a server). Unfortunately, directly re-introducing the cleaned traffic to the network creates a new problem; specifically, cleaned traffic addressed to the target host is processed as if “dirty”, and re-routed to the scrubbing appliance in an endless network loop. For instance, in one such case, the “cleaned” traffic simply follows the route injected to intercept the mix of clean & dirty traffic, because there can be only one “best path” (and the network doesn't know the difference between clean and dirty traffic).
In actual implementation, dirty network traffic is directed to the scrubbing appliance, and the cleaned traffic is isolated from other network traffic and provided to the target host. Typically, isolation is performed with software “tunnels” (e.g., via virtual private networks or VPNs), or hardware cabling e.g., a direct logical or physical connection between two distinct nodes of the same network. From a practical standpoint, modifying the network topology to insert the scrubbing appliance requires significant manual intervention; anecdotally, this process can take days, if not weeks, during which service to the target host is degraded or disabled. While the tunnel is being configured, the network traffic to the target host is handled via e.g., a Remotely Triggered Black Hole (RTBH) service which indiscriminately discards all traffic destined for the victim host. Such delays and complete “blackouts” are often unacceptable to customers or users operating the target host, thereby resulting in increased customer or user dissatisfaction with the service provider and potentially lost revenue. Moreover, customers or users exposed to one or more such service interruptions are much more likely to switch service providers.
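The routing behavior described in the two preceding paragraphs (a more-specific injected route winning longest-prefix match, cleaned traffic looping back to the scrubber when plainly re-injected, RTBH discarding everything for the victim, and an isolated tunnel breaking the loop) can be reproduced in a small simulation. This is an added illustration, not code from the disclosure; the router names, the victim address 10.0.0.5 and the hop budget are constructed for the example.

```python
import ipaddress

VICTIM = "10.0.0.5"  # constructed victim address for this example

class Router:
    """Minimal forwarding table using longest-prefix match, as a real FIB does."""
    def __init__(self):
        self.routes = []  # list of (network, next_hop)

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        # the most specific (longest) prefix wins, so an injected /32 beats the /24
        return max(matches, key=lambda r: r[0].prefixlen)[1]

def build_backbone():
    r = Router()
    r.add_route("0.0.0.0/0", "upstream")   # default route
    r.add_route("10.0.0.0/24", "edge")      # customer subnet that holds the victim
    return r

def trace(backbone, dst, scrubber_return="backbone", max_hops=6):
    """Follow one packet starting at the backbone router.
    scrubber_return says where the scrubber hands cleaned traffic:
      'backbone' = plain re-injection (subject to the injected route again)
      'tunnel'   = isolated path straight to the edge, bypassing the lookup."""
    node, path = "backbone", []
    for _ in range(max_hops):
        path.append(node)
        if node == "backbone":
            node = backbone.next_hop(dst)
        elif node == "scrubber":
            node = "edge" if scrubber_return == "tunnel" else "backbone"
        elif node == "edge":
            path.append(dst)
            return path, "delivered"
        elif node == "discard":
            return path, "blackholed"  # RTBH: all traffic for the victim is dropped
        else:
            return path, "forwarded_upstream"
    return path, "loop"  # hop budget exhausted: the packet is circling
```

Injecting `10.0.0.5/32 -> scrubber` on the backbone and tracing with the default `scrubber_return` shows the backbone/scrubber ping-pong; the same injection with `scrubber_return="tunnel"` delivers, which is the isolation the tunnel or dedicated cabling provides.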
It is noted that alternate mechanisms to reduce the cycle time of the foregoing manual intervention may be implemented, such as e.g., automation; however, implementing suitable automation mechanisms has its own challenges (including significant delay), such that this approach is not optimal for many service providers.
In addition, one alternative approach to using the aforementioned RTBH is for the service provider to do nothing until the selected mitigation mechanism is ready. Thus, the DoS attack in such cases is successful, and may cause impact to other hosts sharing resources, e.g., firewalls, network segments, etc.
It is also noted that, generally speaking, the longer the DDoS attack is allowed to continue without a mitigating response, the more severe and widespread it can become. This is largely due to often unchecked propagation of the malware across the Internet and other connected LANs, MANs, WANs, etc., such as via an unwitting user's computer becoming infected with a “bot”. Hence, DDoS attacks which are “nipped in the bud” generally result in fewer impacts on the customer or user, as well as the service provider; time to implement mitigating measures is a very significant factor for the service provider (and the customer/user).
The converse may also be true—often, DDoS attacks are targeted for short-term disruption (e.g., “booters” in the gaming community), and are fairly ephemeral. Accordingly, it is often impractical to try to protect against such brief attacks unless the system to mitigate them is substantially flexible and agile, and can effectively respond in such brief periods of time. Otherwise, the attack may be terminated before mitigation is even implemented.
Additionally, tunneling the scrubbing appliance to the target server is optimally performed over short distances; thus, the scrubbing appliance should be within close proximity to the target host. At current market prices (circa 2015), each scrubbing appliance costs approximately one (1) million USD. At these prices, deploying numerous scrubbing appliances across the United States is an economically untenable proposition. Moreover, even targeted deployments to remedy DDoS attacks significantly impact a backbone service provider's “bottom line”.
Accordingly, improved solutions are needed to rapidly neutralize network attacks such as e.g., DDoS attacks. In particular, solutions should be able to mitigate attacks without requiring the often lengthy and laborious construction of tunnels from the scrubber to the target server or host. An optimal solution would be disposed at least proximate (topology-wise) to the sources of incoming attack traffic, and may include in some cases substantially centralized scrubbing appliances, rather than performing scrubbing from individual data centers at the edge of the network. Preferably, where used, a centralized scrubbing appliance location could service the national/regional coverage footprint in a limited number (e.g., one or two) operations management complexes.
Moreover, from a procurement standpoint, desirable solutions should be vendor agnostic (so as to allow for competitive bidding), and leverage existing equipment solutions for detecting attacks and triggering mitigation. Practical implementations should provide for sufficient throughput and processing capacity, with response times on the order of seconds or minutes from attack detection.