Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation

Author(s)

Kotikalapudi Sriram, Douglas C. Montgomery

Abstract

In recent years, numerous routing control plane anomalies, such as Border Gateway Protocol (BGP) prefix hijacking and route leaks, have resulted in denial-of-service (DoS), unwanted data traffic detours, and performance degradation. Large-scale distributed denial-of-service (DDoS) attacks on servers using spoofed internet protocol (IP) addresses and reflection-amplification in the data plane have also been frequent, resulting in significant disruption of services and damages. This special publication on Resilient Interdomain Traffic Exchange (RITE) includes initial guidance on securing the interdomain routing control traffic, preventing IP address spoofing, and certain aspects of DoS/DDoS detection and mitigation. Many of the recommendations in this publication focus on the Border Gateway Protocol (BGP). BGP is the control protocol used to distribute and compute paths between the tens of thousands of autonomous networks that comprise the internet. Technologies recommended in this document for securing the interdomain routing control traffic include Resource Public Key Infrastructure (RPKI), BGP origin validation (BGP-OV), and prefix filtering. Additionally, technologies recommended for mitigating DoS/DDoS attacks focus on prevention of IP address spoofing using source address validation (SAV) with access control lists (ACLs) and unicast Reverse Path Forwarding (uRPF). Other technologies (including some application plane methods) such as remotely triggered black hole (RTBH) filtering, flow specification (Flowspec), and response rate limiting (RRL) are also recommended as part of the overall security mechanisms.
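The abstract names BGP origin validation (BGP-OV) backed by RPKI as a core control against prefix hijacks. The example below is added here to show the mechanics and is not code from NIST SP 800-189 or its authors: it implements the RFC 6811 validation states (Valid, Invalid, NotFound) against a small, constructed cache of validated ROA payloads (VRPs) built from documentation prefixes and private-use AS numbers, then maps each state to a route-policy action. The `VRP` type, the `validate_origin` and `apply_policy` functions, and the "drop Invalid, still accept NotFound" policy are assumptions of this example rather than anything quoted from the publication.

```python
"""Added example: BGP origin validation (BGP-OV) against RPKI data.

Validation states follow RFC 6811: a route is Valid when some covering VRP
(validated ROA payload) lists the route's origin AS and the route's prefix
length does not exceed that VRP's maxLength; Invalid when VRPs cover the
prefix but none matches; NotFound when no VRP covers the prefix at all.
The VRPs and announcements below are constructed from documentation address
space and private-use AS numbers; they are not real routing data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """One validated ROA payload as an RPKI validator would hand it to a router."""
    prefix: IPNetwork
    max_length: int
    asn: int  # AS 0 means "no AS may originate this prefix"


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix, strict=True), max_length, asn)


# Constructed VRP cache (hypothetical ROAs: documentation prefixes, private ASNs).
VRPS: List[VRP] = [
    vrp("192.0.2.0/24", 24, 64496),      # exact /24 only, origin AS 64496
    vrp("198.51.100.0/24", 26, 64497),   # /24 through /26 allowed from AS 64497
    vrp("2001:db8::/32", 48, 64496),     # IPv6 covering ROA, more-specifics up to /48
    vrp("203.0.113.0/24", 24, 0),        # AS 0 ROA: nothing may originate this prefix
]


def validate_origin(route_prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for a route's origin AS (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix, strict=False)
    # A VRP covers the route when it is the same address family and the route
    # lies inside (or equals) the VRP prefix.
    covering = [
        v for v in vrps
        if v.prefix.version == route.version and route.subnet_of(v.prefix)
    ]
    if not covering:
        return "NotFound"
    for v in covering:
        # A match needs both the origin AS and a length within maxLength.
        # An AS 0 VRP never matches, because no route is originated by AS 0.
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid"


def apply_policy(state: str) -> str:
    """Map a validation state to a route-policy action.

    Rejecting Invalid routes while still accepting NotFound (prefixes with no
    ROA yet) is a common deployment choice; it is an assumption of this
    example, not a quotation of SP 800-189.
    """
    if state == "Invalid":
        return "reject"
    if state == "Valid":
        return "accept"
    return "accept-lower-preference"


# Constructed announcements: (prefix, origin AS, what each one illustrates)
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496, "legitimate origin"),
    ("192.0.2.0/24", 64511, "origin hijack by another AS"),
    ("192.0.2.0/25", 64496, "more-specific beyond maxLength"),
    ("198.51.100.0/26", 64497, "more-specific within maxLength"),
    ("198.51.100.0/27", 64497, "more-specific beyond maxLength"),
    ("2001:db8:1::/48", 64496, "IPv6 route covered by a /32 ROA"),
    ("203.0.113.0/24", 64496, "prefix protected by an AS 0 ROA"),
    ("100.64.0.0/10", 64496, "prefix with no ROA at all"),
]


def evaluate_all(vrps: Iterable[VRP] = VRPS) -> List[tuple]:
    """Validate every constructed announcement; returns (prefix, asn, state, action)."""
    vrps = list(vrps)
    results = []
    for prefix, asn, _ in ANNOUNCEMENTS:
        state = validate_origin(prefix, asn, vrps)
        results.append((prefix, asn, state, apply_policy(state)))
    return results


if __name__ == "__main__":
    for (prefix, asn, note), (_, _, state, action) in zip(ANNOUNCEMENTS, evaluate_all()):
        print(f"{prefix:18} AS{asn:<6} {state:8} -> {action:23} ({note})")
```

The more-specific cases are the ones worth studying: a ROA's maxLength bounds how far a prefix may be de-aggregated, so a /25 of 192.0.2.0/24 is Invalid even from the legitimate AS, while a /26 of 198.51.100.0/24 is Valid because that ROA permits up to /26. The AS 0 ROA shows how a holder can state that a prefix should never appear in BGP at all.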
Citation

Special Publication (NIST SP) - 800-189

Report Number

800-189

Keywords

Routing security and robustness, Internet infrastructure security, Border Gateway Protocol (BGP), Security, Prefix hijacks, IP address spoofing, Distributed denial-of-service (DDoS), Resource Public Key Infrastructure (RPKI)
Created December 17, 2019