The tragedy of common bandwidth: RDDoS

Reflected distributed denial of service (rDDoS) policy interventions often focus on reflector count reductions. Current rDDoS metrics (max DDoS witnessed) favour commercial responses, but don't frame this as a problem of the commons. This results in non-objective, and non-independent discussion of policy interventions, and holds back discussion of any public health style interventions that aren't commercially motivated. In this paper, we explore multiple questions when it comes to measuring the potential for rDDoS attacks (i.e. how large could a rDDoS attack become?). We also raise some new questions. The paper builds on top of our previous research [6]. Whereas [7] was motivated by understanding properties of the individual rDDoS reflectors, in the current paper we present evidence that chasing high bandwidth reflectors is far more impact-ful in rDDoS harm reduction. If the internet is a commons, then high bandwidth reflectors contribute the most to a tragedy of the commons (see Figure 1). We examine and compare reflector counts, contribution estimation, and empirical contribution verification as methodologies. We also extend previous works on the topic to provide ASN level metrics, and show that the top 5 ASNs contribute between 30-70 percent of the problem depending on the protocol examined. This finding alone, motivates much easier and cheaper layered policy interventions which we discuss within the paper. The motivation of our research is also given by the surprisingly strong increase of actual (r)DDoS attacks as shown by [30]. Given this increase, our aim is to trigger policy change1 when it comes to cleaning up reflectors. Our main contribution in this paper is to show that policy should focus on the high bandwidth reflectors and some top ASNs reduce rDDoS's potential.