The Maestro Attack: Orchestrating Malicious Flows with BGP

Tyler McDaniel, Jared M. Smith, and Max Schuchard
SecureComm 2020

We present the Maestro attack, a novel Link Flooding Attack (LFA) that leverages control-plane traffic engineering techniques to concentrate botnet-sourced Distributed Denial of Service flows on transit links. Executed from a compromised or malicious Autonomous System (AS), Maestro advertises specific-prefix routes poisoned for selected ASes to collapse inbound traffic paths onto a single target link. A greedy heuristic fed by publicly available AS relationship data iteratively builds the set of ASes to poison. Given a compromised BGP speaker with advantageous positioning relative to the target link in the Internet topology, an adversary can expect to enhance total flow density by more than 30%. For a large botnet (e.g., Mirai), that translates to augmenting a DDoS by more than a million additional infected hosts. Interestingly, the size of the adversary-controlled AS plays little role in this amplification effect. Devastating attacks on core links can be executed by small, resource-limited ASes. To understand the scope of the attack, we evaluate widespread Internet link vulnerability across several metrics, including BGP betweenness and botnet flow density. We then assess where an adversary must be positioned to execute the attack most successfully. Finally, we present effective mitigations for network operators seeking to insulate themselves from this attack.