Several vendors offer scrubbing as a service already, so it shouldn't require any additional engineering to use it to try to mitigate BGP hijacking. How effective it would be depends on how widely dispersed the scrubbers are, since you're relying on the scrubbers being closer to users than the hijackers.
Their wiki https://wiki.onosproject.org/display/ONOS/ARTEMIS%3A+an+Auto... has a quickstart guide. You install git, ExaBGP, Quagga, mininet, Java 8, ONOS, Python 3 modules, configure ONOS, and then run it. Should be easy to get a Vagrant node up to play with.
This is primarily a hijack detection framework with flexible operations on detection. How to actually "neutralize" the attack is up to the operator and there isn't really anything new offered in that regard from what I can tell.
Moreover, it's only control-plane hijack detection which is the easier problem. If a hijack is performed at the data-plane, good luck even detecting it.
However the mitigation strategies look weak.
The two mitigation techniques are:
> The first one is based on a ‘do-it-yourself’ approach, where the network reacts by prefix de-aggregation in order to attract traffic back to its own routers. This technique is effective for all unfiltered prefixes, less specific than /24.
I can't see this being very useful in practice; surely the attackers will just advertise /24s anyway.
E.g. the high-profile attack on Amazon DNS was by announcing a more specific /24.
> For attacks on /24 prefixes, ARTEMIS can enable a mitigation solution similar to the DDoS protection as-a-service offered today. In particular, the affected AS can request that other (collaborating) networks announce the hijacked prefix from their own premises (multiple origin AS), and then tunnel the traffic they attract back to the victim (for example, via the victim’s upstream providers).
Well, that would work, but it requires a whole lot of setup in advance. Perhaps someone like Cloudflare will offer this as a service; otherwise I can't see it being widely deployed, as it is lots of tricky network configuration in core routers, which (in my experience) operators tend to be very cautious about.
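To make the two points in this thread concrete (a control-plane detector only compares observed announcements against the prefixes you legitimately originate, and prefix de-aggregation cannot answer a hijack of a /24), here is a small toy detector. It is an added example, not ARTEMIS's code or any part of the ONOS project; the AS numbers and prefixes are constructed from the documentation and private ranges, and the "/24 is the longest prefix transit networks accept" threshold is an assumption expressed as a constant.

```python
"""Toy control-plane BGP hijack check (added example; not ARTEMIS code).

Models the comparison a control-plane detector makes: each (prefix,
origin AS) observed at route collectors is compared against the prefixes
the operator legitimately originates. It flags
  - exact-prefix hijacks: same prefix, foreign origin AS;
  - sub-prefix hijacks: a more-specific prefix (e.g. a /24 carved from a
    /22) with a foreign origin, which wins by longest-prefix match;
and notes whether the 'do-it-yourself' de-aggregation response can work,
which is only when the hijacked prefix is shorter than the longest prefix
most networks accept (/24). It sees only announcements, so a data-plane
hijack that leaves the routing table unchanged is invisible to it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed config: prefixes the victim AS 64500 (documentation ASN) originates.
LEGIT_ORIGINS = {
    ipaddress.ip_network("192.0.2.0/24"): {64500},
    ipaddress.ip_network("198.51.100.0/22"): {64500},
}
MAX_ACCEPTED_PREFIXLEN = 24  # assumption: longest IPv4 prefix transit networks accept


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple  # AS path as seen by a collector; the origin AS is the last hop


@dataclass(frozen=True)
class Alert:
    kind: str                  # "exact" or "subprefix"
    prefix: str                # the announced (hijacked) prefix
    origin_as: int             # the foreign origin AS
    covering: str              # the legitimate prefix that is affected
    deaggregation_helps: bool  # can the victim announce something more specific?


def covering_legit_prefix(net, legit_origins):
    """Most specific legitimate prefix equal to or containing net, or None."""
    best = None
    for legit in legit_origins:
        if net.version == legit.version and net.subnet_of(legit):
            if best is None or legit.prefixlen > best.prefixlen:
                best = legit
    return best


def check(ann: Announcement, legit_origins=LEGIT_ORIGINS) -> Optional[Alert]:
    """Return an Alert if the announcement hijacks our space, else None."""
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]
    covering = covering_legit_prefix(net, legit_origins)
    if covering is None:
        return None                      # not our address space
    if origin in legit_origins[covering]:
        return None                      # our own (or our own de-aggregated) route
    kind = "exact" if net == covering else "subprefix"
    # De-aggregation needs a more-specific route that transit networks still
    # accept; a hijacked /24 (or longer) cannot be out-specific'd.
    helps = net.prefixlen < MAX_ACCEPTED_PREFIXLEN
    return Alert(kind, str(net), origin, str(covering), helps)


def run_detector(announcements):
    """Apply check() to a batch of collector observations and return the alerts."""
    return [a for a in (check(ann) for ann in announcements) if a is not None]


# Constructed sample observations (all AS numbers are from private/documentation ranges).
SAMPLE = [
    Announcement("192.0.2.0/24", (64496, 64500)),      # legitimate
    Announcement("192.0.2.0/24", (64496, 64666)),      # exact hijack of a /24
    Announcement("198.51.100.0/24", (64496, 64666)),   # sub-prefix hijack: /24 carved from the /22
    Announcement("198.51.100.0/23", (64496, 64666)),   # sub-prefix hijack the victim can out-specific
    Announcement("198.51.100.0/22", (64496, 64666)),   # exact hijack of the /22
    Announcement("10.0.0.0/8", (64496, 64666)),        # not our space, ignored
]

if __name__ == "__main__":
    for alert in run_detector(SAMPLE):
        print(alert)
```

Run as a script it prints four alerts; the two /24 cases come back with `deaggregation_helps=False`, which is exactly the limitation raised above, and a real deployment would feed `run_detector` from route-collector data rather than the constructed `SAMPLE` list.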