BGP DDOS

External BGP DDOS Diversion

In 2005 during our Master year at the OS3 – System and Network engineering department (part of University of Amsterdam), Ruben Valcke and myself (Wouter Borremans) worked on a solution for protecting ISP networks against DDOS attacks. After a research period at NL-IX (Netherlands Internet Exchange) we’ve worked on a solution based on BGP. At the time we were one of the first students to come up will be a solid solution for protecting networks against DDOS attacks.

By using BGP DDoS diversion, ISPs will have an external mechanism to prevent their entire network becoming unreachable as the result of a DDoS attack. An external BGP diversion mechanism will be used to announce a specific part of the provider's network to (a part of) the Internet. Announcing a specific part of his network will prevent other parts of the provider's network becoming  nreachable, this gives the provider the ability to continue providing services to the rest of his network. The goal of this project is to investigate how and under which conditions a BGP diversion mechanism can be implemented.

You can find our research here:

1. External BGP DDOS Diversion Report (PDF)
2. External BGP DDOS Diversion presentation (PDF)

See the archive of all the student master reports.