Tools About Anycast Agility Against DDoS

anygility/anygility-system

This page contains tools to estimate the true offered load when we have loss in the upstream providers. This also includes tools for policy selection using a BGP playbook.

anygility - anycast agility system tools

This page contains tools related to our system of anycast agility. The other datasets and tools are available in the following links:

Components

This page contains tools to defend against Denial of Service (DoS) attacks using anycast agility. We provide a tool to estimate the true offered load when we have loss in the upstreams. We also provide a decision-maker script that selects the best routing configuration based on the current load and network playbook. This decision maker can be used during a Denial of Service (DoS) event to select the best routing configuration.

We provide the following tools to estimate the offered load and to use the playbook to make routing decisions during an attack event.

  • TrafficEstimator: This program estimates the true offered load when we have loss in the upstreams.
  • playbook_tuner: This program finds the best routing decision based on the given network playbook and attack load.

TrafficEstimator

This program reads the RIPE IPs, parses the incoming traffic, finds the RIPE IPs within the traffic to get the loss rate, and then estimates the true offered load. We provide the attack traces on our dataset page. We took the pcap traces and used the tshark (Wireshark) tool to extract the required part of the attack traffic. The list of RIPE IPs during the November 2015 attack period is also provided with the tool.

playbook_tuner

This program will take the anycast setup and playbook as input, and then based on the attack volume, it will suggest the best routing configuration. We provide a sample load file, and a playbook with the software tool.

Synopsis

java -jar TrafficEstimator.jar [RIPE_IP_FILE] [SERVER_IPs] [NORMAL_RATE]

playbook_tuner [--setup=Anycast setup and playbook file] [--retries=Number of routing configuration retries before sending to the operator]

TrafficEstimator options

RIPE_IP_FILE=File containing recent RIPE IPs
We pick a RIPE measurement, and then list the IPs of the probes used in the measurement within a period.
SERVER_IPs=Server IPs
We list the server IPs, separated by commas, to distinguish the incoming and outgoing traffic.
NORMAL_RATE=Rate during non-attack period
TrafficEstimator uses this rate to find the loss rate. This is an optional parameter. Without this option, the program measures the incoming rate, which can be used to find the NORMAL_RATE parameter.
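
The estimation idea described for TrafficEstimator, sketched as an added Python example; it is not the project's Java code. The scaling model (arrival rate of RIPE probe packets divided by NORMAL_RATE, taken as the delivery ratio), the 5-second window, the function names and the sample addresses are assumptions.

```python
from collections import Counter

def estimate_offered_load(lines, ripe_ips, server_ips, normal_rate, window=5.0):
    """Return [(window_start, observed_rate, ripe_rate, estimate), ...].

    lines: tshark field output, "<frame.time_epoch>\t<ip.src>" per packet.
    estimate is None when no probe packet arrived in the window.
    """
    total, known = Counter(), Counter()    # packets per window index
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue                       # ip.src empty (non-IPv4 frame)
        ts, src = parts
        if src in server_ips:
            continue                       # outgoing traffic from a server
        w = int(float(ts) // window)
        total[w] += 1
        known[w] += src in ripe_ips
    results = []
    for w in sorted(total):
        observed, ripe_rate = total[w] / window, known[w] / window
        estimate = None
        if ripe_rate > 0:
            # Assumed model: probes send at normal_rate, so the share that
            # still arrives is the delivery ratio for all incoming traffic.
            delivered = min(1.0, ripe_rate / normal_rate)
            estimate = observed / delivered
        results.append((w * window, observed, ripe_rate, estimate))
    return results

# Constructed sample: documentation-range addresses, three 5 s windows.
BASE = 1448866330
RIPE = {"192.0.2.10", "192.0.2.11"}
SERVERS = {"203.0.113.1"}

def sample_lines():
    rows = [(BASE + i * 0.5, "192.0.2.10") for i in range(10)]  # probes, no loss
    rows += [(BASE + i, "198.51.100.7") for i in range(5)]
    rows += [(BASE + 1, "203.0.113.1")]                         # server reply
    rows += [(BASE + 5 + i, "192.0.2.11") for i in range(5)]    # half the probes
    rows += [(BASE + 5 + i * 0.1, "198.51.100.7") for i in range(45)]
    rows += [(BASE + 10 + i, "198.51.100.9") for i in range(5)] # no probes seen
    return [f"{t:.2f}\t{ip}" for t, ip in rows]

if __name__ == "__main__":
    for row in estimate_offered_load(sample_lines(), RIPE, SERVERS, 2.0):
        print(row)
```

A window with no probe packets yields no estimate, because the loss rate cannot be measured from that window alone.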

playbook_tuner options

--setup=Anycast setup and playbook file path
The default setup file is playbook.txt. The client can change it using this option. A sample setup and playbook file is included in the package.
--retries=Number of routing configuration retries before sending to the operator
Default value is 3 retries.

Example

The detailed examples can be found in our artifact appendix.

TrafficEstimator

  1. The estimator gets the traffic from a pcap.xz file. It also gets the RIPE IPs, server IPs, and normal traffic rate.

     xzcat example.pcap.xz | sudo tshark -r - -T fields -e frame.time_epoch -e ip.src | java -jar TrafficEstimator.jar ripe-10010-2015-11-30-065034-300s.txt 192.228.79.201,199.9.14.201,2001:500:84::b,2001:500:200::b 31.0

Please note that the traffic traces in pcap.xz format can be downloaded from our dataset page. This dataset is large (around 2TB), containing a whole day of traffic traces. We recommend that users download a few pcap.xz files for testing purposes. Please refer to the artifact appendix of our USENIX Security paper to learn more about the required trace files and the detailed steps to regenerate the results.

Sample output:

Time diff: 3.57 Count-packets: 9 Rate: 2.51

1448866334.10 Count-packets: 1613344 Observed rate: 322668.8 Estimated: 5929935.50

Time diff: 5.17 10 Rate: 1.93

  2. The estimator gets the traffic from a pcap.xz file. It also gets the RIPE IPs and server IPs.

     xzcat example.pcap.xz | sudo tshark -r - -T fields -e frame.time_epoch -e ip.src | java -jar TrafficEstimator.jar ripe-10010-2015-11-30-065034-300s.txt 192.228.79.201,199.9.14.201,2001:500:84::b,2001:500:200::b 31.0

Sample output:

Time diff: 2.70 Count-packets: 84 Rate: 30.99

Time diff: 2.84 Count-packets: 85 Rate: 29.84

Time diff: 2.87 Count-packets: 86 Rate: 29.95

playbook_tuner

  1. An anycast operator wants to use the playbook.txt file for the setup and playbook. The load stream is copied to a load.txt file and is sent to the program as standard input:

     cat load.txt | ./python playbook_tuner.py

  2. Specifying a playbook file and a different number of retries:

     cat load.txt | ./python playbook_tuner.py --setup new-playbook.txt --retries 4