Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing

Compared to attacks against end hosts, Denial of Service (DoS) attacks against the Internet infrastructure such as those targeted at routers can be more devastating due to their global impact on many networks. We discover that the recently identified low-rate TCP-targeted DoS attacks can have severe impact on the Border Gateway Protocol (BGP). As the interdomain routing protocol on today’s Internet, BGP is the critical infrastructure for exchanging reachability information across the global Internet. We demonstrate empirically that BGP routing sessions on the current commercial routers are susceptible to such low-rate attacks launched remotely, leading to session resets and delayed routing convergence, seriously impacting routing stability and network reachability. This is a result of a fundamental weakness with today’s deployed routing protocols: there is often no protection in the form of guaranteed bandwidth for routing traffic. Using testbed and Internet experiments, we thoroughly study the effect of such attacks on BGP. We demonstrate the feasibility of launching the attack in a coordinated fashion from wide-area hosts with arbitrarily lowrate individual attack flows, further raising the difficulty of detection. We explore defense solutions by protecting routing traffic using existing router support. Our findings highlight the importance of protecting the Internet infrastructure, in particular control plane packets.