Amplification Distributed Denial of Service (DDoS) attacks' traffic and harm are
at an all-time high. To defend against such attacks, distributed
attack mitigation platforms, such as traffic scrubbing centers that operate in
peering locations, e.g., Internet Exchange Points (IXP), have been deployed in
the Internet over the years. These attack mitigation platforms apply
sophisticated techniques to detect attacks and drop attack traffic locally,
thus, act as sensors for attacks. However, it has not yet been systematically evaluated
to what extent coordination of these views by different platforms can lead to more effective mitigation of
amplification DDoS attacks.
In this paper, we ask the question: ``Is it possible
to mitigate more amplification attacks and drop more attack traffic when
distributed attack mitigation platforms collaborate?''
To answer this question, we collaborate with eleven IXPs that operate in three different regions. These IXPs have more than 2,120 network members that exchange traffic at the rate of more than 11 Terabits per second. We collect network data over six months and analyze more than 120k amplification DDoS attacks. To our surprise, more than 80% of the amplification DDoS are not detected locally, although the majority of the attacks are visible by at least three IXPs. A closer investigation points to the shortcomings, such as the multi-protocol profile of modern amplification attacks, the duration of the attacks, and the difficulty of setting appropriate local attack traffic thresholds that will trigger mitigation. To overcome these limitations, we design and evaluate a collaborative architecture that allows participant mitigation platforms to exchange information about ongoing amplification attacks. Our evaluation shows that it is possible to collaboratively detect and mitigate the majority of attacks with limited exchange of information and drop as much as 90% more attack traffic locally.