Vasileios Kotronis

“Effectiveness of recovering from attack on an allocated prefix, for example of a /24, is dependent on others collaborating as well (mitigation method 2 above). Does not this defy the concept of having a self contained and self reliant mitigation strategy? If the upstream providers do not permit advertising more specific prefixes and also do not collaborate, what would be the option then to thwart an attack?”

This is a correct observation. We have identified two possible mitigation options: prefix deaggregation, where feasible (e.g., complying to filtering rules), and BGP advertisement outsourcing, using a similar model as the one used by DDoS mitigation services (as described in our ToN paper). Focusing on self-contained-only strategies, that do not employ third parties (therefore excluding outsourcing), we would welcome more ideas besides deaggregation. I think that filtering issues could be bypassed using special communities agreed between the victim and e.g., its upstream provider(s), so that the defense mechanism can work for the duration of the incident. Would you have more feedback on such mechanisms? Thanks again for the very useful remark!

“The impact is far higher than 1% BGPStream alone detected 13935 incidents There are 64409 ASN numbers activated on the Internet as at May 2019 Probability of attack is # of ASN / # of incidence ~ 13935/64409 ~ 21% chance you will be impacted by an attack BGP Hijacks are happening all the time and most operators are not aware of it. Operators are willing to Pay for DDoS and Security Filtering but not for routing validation that is impacting their traffic before it gets to this infrastructure? ARTEMIS does not actually neutralize an attack and being an open source toolset has little continued assurance of business SLA. Whilst price may be an issue, how is that ranked against business continuity? The importance placed by the research paper for this ranked issues none of which an open source tool can provide a) Effectiveness of Mitigation (awareness is not mitigation) b) Fast Mitigation (RIPE/Routeviews/BGPSteam are all 5-15 minutes out of date, detection needs to be < 3 minutes) c) Ease of Operating / Troubleshooting... <> open source, who's going to take your support ticket for bug? d) Low Cost.. I guess it depends on the Value, a US service provider lost $60Mil USD as a result of a Route Leak.. is cost an issue now? e) Ease of Installation... <> opensource this is a starting point only ... etc etc. The real question is how does ARTEMIS address the whole ASN network vs a single prefix”

Dear Martin, thank you for your comment. I did not get what you mean by the 1% impact, could you please elaborate? ARTEMIS allows for real-time detection of an attack, enabling automatic mitigation. In the current open-source code we have a wrapper for operators to plug-in their own scripts (e.g., Ansible, etc.) to configure routers in case of such attacks. ARTEMIS itself can be configured to mitigate, and we are working heavily on providing more wrappers and interfaces to be able to talk to multiple router types (currently only the wrapper/trigger is available in the open-source version). Regarding the issues you mention: a) Effectiveness of Mitigation --> Please check section 6 of our ToN paper (https://arxiv.org/pdf/1801.01085.pdf) b) Fast Mitigation --> RIPE RIS offers real-time streaming. As well as the public beta BMP feed of BGPStream, and the exaBGP interface to local routers is also real-time. c) Ease of Operating / Troubleshooting --> We are considering commercialization options in this context. More information soon! Till then, we are doing our best to address bugs on GitHub, using the "issue" primitive (you can check the list of resolved issues and added features). d) Low Cost --> Apparently yes, see Fig. 3b and 3k of https://arxiv.org/pdf/1801.02918.pdf It seems that despite the high impact of these attacks, the problem persists and available tools and mechanisms are not able to fully counter this. By the way, I think that in your comment the cost of the tool itself is confused with the cost of an actual attack, which of course can be very high. e) Ease of Installation --> I agree, and as described above we are looking at commercialization options around open-source. However, we will in any case try to maintain and deliver a high-quality open-source software to assist the community detect such incidents in real-time. For more feedback/questions please contact the dev team using the information of https://github.com/FORTH-ICS-INSPIRE/artemis , we would be happy to answer them. For example, regarding the ASN vs single prefix question, we are working on automating parts of the configuration process of ARTEMIS, making it easier for the operator to set up ARTEMIS for large networks.