In this set of slides, we will look at DDoS mitigation. One of the underlying mechanisms often used in DDoS attacks in general, and at the basis of reflection and amplification attacks in particular, is spoofing. Spoofing means that the attacker, residing in, let's say, the network 2.2.0.0/16, crafts a packet with a fake source address, the address of the victim, let's say 4.4.0.2. This is in principle sufficient to ensure that the reply traffic will be sent to the victim. The server often has no way to distinguish between a legitimate request from 4.4.0.2 and a spoofed one carrying the same source address. It is clear, however, that if we are able to stop spoofed traffic, we effectively block one of the enabling mechanisms of DDoS attacks. Luckily for us, there are mechanisms that have the potential to stop spoofing. Let's look at our reflection and amplification picture again. In this case, we have expanded the network hosting the malicious host to focus on its internal functioning. We have said that the network has the range 2.2.0.0/16. This tells us that no well-formed, legitimate packet with a source IP outside the block 2.2.0.0/16 should ever originate from this network. In other words, the network administrators have a local way of identifying and acting on spoofed traffic: this traffic should simply not be allowed to leave the network. Therefore, traffic from a well-behaving host wanting to contact an external server will be allowed to exit the network, while spoofed traffic will simply be dropped. This mechanism is described in an IETF Best Current Practice document on network ingress filtering, published in the year 2000 and commonly known as BCP 38 (RFC 2827). BCP 38 is a simple and effective way of blocking spoofed traffic and, if widely implemented, it has the potential to neutralize a large class of DDoS attacks.
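As an added worked example (not part of the lecture), the BCP 38 decision is modelled below in Python for the 2.2.0.0/16 network of the slides, together with a toy reflector, so that one can see where the amplified replies end up with and without the filter. The Packet record, the reflector address 198.51.100.53 and the sample traffic are constructed for the illustration.

```python
"""BCP 38 filter for a stub network, added as a worked example.

Not code from the lecture. The router model, the Packet record and the sample
traffic are constructed. 2.2.0.0/16 (attacker's network) and 4.4.0.2 (victim)
are the addresses used on the slides; 198.51.100.53 is an assumed reflector
taken from the TEST-NET-2 documentation range.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload_len: int = 64


class Bcp38Filter:
    """Filter applied where the customer network attaches to its upstream.

    RFC 2827 (BCP 38): a packet arriving from the customer interface is
    forwarded only if its source lies in a prefix assigned to that customer.
    Several prefixes are supported for customers with more than one allocation.
    """

    def __init__(self, assigned_prefixes):
        self.prefixes = [ip_network(p) for p in assigned_prefixes]
        self.dropped = []  # spoofed packets, kept for logging and alerting

    def permitted(self, pkt):
        src = ip_address(pkt.src)
        return any(src in net for net in self.prefixes)

    def forward(self, pkts):
        """Return the packets that make it past the filter."""
        out = []
        for p in pkts:
            (out if self.permitted(p) else self.dropped).append(p)
        return out


def reflect(reflector, pkts, factor=10):
    """Toy reflector: every request that reaches it produces a reply `factor`
    times larger, addressed to whatever source the request claimed."""
    return [Packet(reflector, p.src, p.payload_len * factor)
            for p in pkts if p.dst == reflector]


def reply_bytes_by_destination(replies):
    totals = {}
    for r in replies:
        totals[r.dst] = totals.get(r.dst, 0) + r.payload_len
    return totals


# Constructed outbound traffic of the network 2.2.0.0/16.
REFLECTOR = "198.51.100.53"
OUTBOUND = [
    Packet("2.2.0.7", REFLECTOR),   # honest request from a real host
    Packet("4.4.0.2", REFLECTOR),   # spoofed: the victim's address as source
    Packet("4.4.0.2", REFLECTOR),
    Packet("2.2.9.9", REFLECTOR),   # spoofed too, but inside the assigned prefix
]


def simulate(filtering):
    """Where do the reflector's replies end up, with and without BCP 38?"""
    pkts = OUTBOUND
    if filtering:
        pkts = Bcp38Filter(["2.2.0.0/16"]).forward(pkts)
    return reply_bytes_by_destination(reflect(REFLECTOR, pkts))


if __name__ == "__main__":
    print("no filter:", simulate(filtering=False))  # 4.4.0.2 receives the amplified replies
    print("BCP 38   :", simulate(filtering=True))   # no packet with src 4.4.0.2 leaves the network
```

Note the limit the example makes visible: the packet with source 2.2.9.9 passes, because BCP 38 only guarantees that the source lies inside the network's own allocation; spoofing other addresses of the same network remains possible, but any abuse is then attributable to that network. On real routers the same check is expressed as an interface ACL or as unicast reverse-path forwarding (uRPF, described in BCP 84 / RFC 3704), not in application code.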
Unfortunately, there is still a significant portion of networks in the open Internet that do not implement BCP 38. The Spoofer project, now maintained by CAIDA, was originally set up with the goal of measuring the portion of networks that allow spoofing. The project currently reports that roughly 20% of the address space, 30% of the prefixes and 40% of the autonomous systems are spoofable. This percentage is still too high to have a positive impact on DDoS attacks, as we can see from the number and the intensity of some of today's attacks. A second consideration with respect to mitigation refers to proper network management, which, to be honest, should already include implementing BCP 38. In addition to that, obsolete services, think about chargen as an example, should either be removed or blocked at host level, and if that is not possible they should at least be filtered at the router level. For example, chargen attacks can be stopped if no traffic to and from port 19 is allowed. Some services should be offered for internal use only and not made open to the entire Internet. This is the case, for example, of an open DNS resolver. In general, one should assume that if a service is open, it will be found and used for attacks. Last, for existing services, one should exercise very tight control over the available remote options, especially turning off features that are not fundamental to the service but can be misused. For example, NTP amplification attacks work by remotely issuing a monlist command to an NTP server, which results in the server returning the list of up to 600 hosts it has last interacted with. This is a monitoring feature of the protocol, which does not need to be openly available to anyone, and it should therefore be blocked. In the meanwhile, the hype around DDoS attacks has created a market for DDoS protection systems, or DDoS protection networks, which are companies specializing in DDoS mitigation.
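The service hygiene points of this paragraph (chargen, open resolvers, NTP monlist) can be turned into a simple border audit. The following is an added example, not from the lecture: it takes constructed UDP request/response pairs, flags the three cases by protocol detail (port 19 answered; an NTP mode 7 monlist request answered; a DNS response with RD and RA set, delivered to an external client) and computes the amplification factor of each exchange. The organization prefix 203.0.113.0/24, the server addresses and the external client 198.51.100.7 are assumed values from the documentation ranges.

```python
"""Audit of amplification-prone UDP services, added as a worked example.

Not code from the lecture. The Exchange record and all sample traffic are
constructed; the organization's prefix 203.0.113.0/24 and the external client
198.51.100.7 are assumptions taken from the documentation address ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CHARGEN_PORT, DNS_PORT, NTP_PORT = 19, 53, 123
NTP_MODE_PRIVATE = 7                          # mode 7: implementation-specific requests
REQ_MON_GETLIST, REQ_MON_GETLIST_1 = 20, 42   # monlist request codes (ntp_request.h)


@dataclass(frozen=True)
class Exchange:
    """One UDP request/response pair seen at the organization's border."""
    client: str
    server: str
    port: int
    request: bytes
    response: bytes


def parse_ntp_mode7(payload):
    """(is_response, implementation, request_code) for an NTP mode 7 packet,
    else None. Byte 0 is R(1) M(1) VN(3) Mode(3); byte 2 implementation;
    byte 3 request code."""
    if len(payload) < 8 or payload[0] & 0x07 != NTP_MODE_PRIVATE:
        return None
    return bool(payload[0] & 0x80), payload[2], payload[3]


def is_monlist_request(payload):
    parsed = parse_ntp_mode7(payload)
    return (parsed is not None and not parsed[0]
            and parsed[2] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1))


def dns_recursion_served(response):
    """True when a DNS response carries QR=1, RD=1 and RA=1: the server took a
    recursive query and advertises recursion. Seen towards an external client,
    that is the signature of an open resolver."""
    if len(response) < 12:
        return False
    return bool(response[2] & 0x80) and bool(response[2] & 0x01) and bool(response[3] & 0x80)


def amplification_factor(ex):
    """Response bytes per request byte (UDP payload only)."""
    return len(ex.response) / len(ex.request)


def audit(exchanges, internal_prefixes, min_factor=10.0):
    """Return (server, port, reasons) for services that answered an external
    client in a way usable for reflection. Exchanges with internal clients are
    skipped: internal-only use is exactly what the lecture recommends."""
    internal = [ip_network(p) for p in internal_prefixes]
    findings = []
    for ex in exchanges:
        if any(ip_address(ex.client) in net for net in internal):
            continue
        reasons = []
        if ex.port == CHARGEN_PORT:
            reasons.append("chargen answered: obsolete service, block tcp/udp 19")
        if ex.port == NTP_PORT and is_monlist_request(ex.request):
            reasons.append("ntp monlist answered: set 'disable monitor' or 'restrict default noquery'")
        if ex.port == DNS_PORT and dns_recursion_served(ex.response):
            reasons.append("open resolver: recursion served to external client")
        factor = amplification_factor(ex)
        if factor >= min_factor:
            reasons.append(f"amplification factor {factor:.0f}x")
        if reasons:
            findings.append((ex.server, ex.port, reasons))
    return findings


# Constructed sample traffic.
EXT, INT = "198.51.100.7", "203.0.113.50"
NTP_CLIENT_Q = b"\x1b" + b"\x00" * 47                                  # ordinary mode 3 query, 48 bytes
DNS_Q = bytes.fromhex("123401000001000000000000") + b"\x00" * 33       # RD=1 query, 45 bytes
DNS_R = bytes.fromhex("12348180000100100000000a") + b"\x00" * 2988     # QR,RD,RA set, 3000 bytes
SAMPLE = [
    Exchange(EXT, "203.0.113.19", CHARGEN_PORT, b"\n", bytes(range(32, 127)) * 6),
    Exchange(EXT, "203.0.113.123", NTP_PORT, NTP_CLIENT_Q, b"\x1c" + b"\x00" * 47),
    Exchange(EXT, "203.0.113.123", NTP_PORT, bytes.fromhex("1700032a00000000"),
             bytes.fromhex("9700032a00060048") + b"\x00" * 432),       # 6 monlist entries of 72 bytes
    Exchange(INT, "203.0.113.53", DNS_PORT, DNS_Q, DNS_R),              # internal client: fine
    Exchange(EXT, "203.0.113.53", DNS_PORT, DNS_Q, DNS_R),              # external client: open resolver
]


def run_audit():
    return audit(SAMPLE, ["203.0.113.0/24"])


if __name__ == "__main__":
    for server, port, reasons in run_audit():
        print(f"{server}:{port}", "; ".join(reasons))
```

The ordinary NTP client exchange produces no finding (mode 3, factor 1), while the same server answering a mode 7 monlist probe does; the DNS server is flagged only for the exchange with the external client. The byte-ratio here counts UDP payload only, so it understates what an attacker gains slightly compared with measurements that include IP and UDP headers.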
Let's assume we have a target host or organization which is under DDoS attack. Legitimate requests cannot reach the online service of the organization anymore, which translates directly into a loss of turnover for the targeted organization. Ideally, what the target wants is to be able to drop the attack traffic and to deal only with legitimate requests. This is exactly what a DDoS protection system promises to do. One way of achieving this is to place dedicated hardware in line, close to the edge of the target network. This type of dedicated appliance has the goal of cleaning the DDoS traffic out of the incoming traffic. However, an inline device can be ineffective in the case of volumetric attacks, in which the access line itself is saturated: the attack then succeeds anyway, simply by exhausting network resources upstream of the appliance. An alternative is to rely on a DDoS protection system based on traffic diversion. Traffic diversion is a mechanism for redirecting the traffic originally intended for the target to the DDoS protection system. Once a DDoS protection system becomes active for a certain target, all traffic originally intended for the target organization or service is captured by the infrastructure of the DDoS protection system, which cleans it, meaning that it applies algorithms to distinguish between attack traffic and normal traffic, and delivers only normal traffic to the end system. There are different mechanisms that allow diverting the traffic for the target towards the DDoS protection system in a way that is transparent for the user and for the attacker. For example, if the target is the web server of an organization, the diversion can be achieved by setting the A record for the target website to an IP address in the network of the DDoS protection system. In this case, the DDoS protection system acts like a content delivery network, serving the protected website and at the same time absorbing the malicious traffic.
Alternatively, the target organization can start using the name servers of the DDoS protection system, which means that the DDoS protection system has the freedom to change the IP addresses of the protected domain to an IP under its control. Last, the DDoS protection system can implement a BGP-based diversion by temporarily announcing the address space of the target and therefore capturing its traffic. Although DDoS protection systems seem to be effective in protecting against DDoS attacks, they also raise questions with respect to how this traffic is handled. By subscribing to a DDoS protection system, one allows traffic diversion and inspection by a third-party entity. Where the traffic is routed to, how it is manipulated, under which jurisdiction it falls and ultimately who has access to it are all open issues that should be taken into account in order to make an informed decision on whether traffic diversion, and its possible impact on privacy, is a price worth paying.