Overview
Explore a critical analysis of the routing around congestion (RAC) defense against large-scale DDoS attacks in this IEEE Symposium on Security & Privacy conference talk. Delve into the fundamental trade-offs and limitations of BGP-based rerouting solutions in the current inter-domain infrastructure. Examine the challenges of establishing isolated detour paths for critical flows without global-scale coordination among autonomous systems. Learn why achieving both arbitrary detour path establishment and isolation from non-critical flows is impossible, and understand the implications for RAC defense effectiveness. Discover how adaptive adversaries can exploit vulnerabilities in non-isolated detour paths, and why limited path options restrict reliable RAC operation. Gain insights into the importance of rigorous security analysis, network evaluations, and real-world testing for proposed defense mechanisms. Conclude by understanding why strong end-to-end availability should be a built-in security feature of Internet routing rather than an ad hoc solution exploiting current routing protocols.
Syllabus
On the Feasibility of Rerouting-Based DDoS Defenses
Taught by
IEEE Symposium on Security and Privacy