Detecting and analyzing border gateway protocol blackholing activity

Abstract

SummaryDDoS attack is a traditional malicious attempt to make an authorized system or service inaccessible. Currently, BGP blackholing is an operational countermeasure that builds upon the capabilities of BGP to protect from DDoS attacks. BGP enables blackholing by leveraging the BGP community attribute. This paper presents the analysis of BGP blackholing activity and propose a machine learning‐based mechanism to detect BGP blackholing activity. In BGP blackholing analysis, we find that many networks, including Internet service providers (ISPs) and Internet exchange points (IXPs), offer BGP blackholing service to their customers. We collect networks' blackhole communities and make BGP blackhole communities dictionary. Within 3‐month period (from August to October, 2018), we find a significant number of BGP blackhole announcements (97,532) and distinct blackhole prefixes (8,120). Most of the blackhole prefixes are IPv4 (99.1%). Among IPv4 blackhole prefixes, mostly are /32 (79.9%). The daily patterns of BGP blackholing highlight that there is a variable number of blackhole announcements and distinct blackhole prefixes every day. Furthermore, we apply machine learning techniques to design a BGP blackholing detection mechanism based on support vector machine (SVM), decision tree, and long short‐term memory (LSTM) classifiers. The results are compared based on accuracy and F‐score. Experimental results show that LSTM achieves the best classification accuracy of 95.9% and F‐score of 97.2%. This work provides insights for network operators and researchers interested in BGP blackholing service and DDoS mitigation in the Internet.