how secure are secure inter-domain routing protocols?

How Secure are Secure Inter-Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir

Upload: yehudi

Post on 20-Feb-2016


Page 1: How Secure are Secure Inter-Domain Routing Protocols?

How Secure are Secure Inter-Domain Routing Protocols?

SIGCOMM 2010
Presenter: kcir

Page 2: How Secure are Secure Inter-Domain Routing Protocols?

Main Purpose

• Think like a normal node: security analysis of today's inter-domain routing protocols.

• Think like a malicious node: strategy and impact analysis of 1) attraction and 2) interception attacks.

Page 3: How Secure are Secure Inter-Domain Routing Protocols?

Some Preliminaries

• AS (Autonomous System): a collection of connected IP prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet.

• BGP (Border Gateway Protocol): the protocol used by ASes to find and announce paths.

Page 4: How Secure are Secure Inter-Domain Routing Protocols?

[Figure: BGP route announcement. The AS that owns the prefix announces “I have 140.112.xxx.xxx”; four other ASes each announce “I know a path towards 140.112.xxx.xxx”; the destination shown is 140.112.123.45.]

Page 5: How Secure are Secure Inter-Domain Routing Protocols?

Outline

• Modeling
• BGP Protocols
• Attraction Attack
• Interception Attack
• Finding the Optimal Attack
• Conclusion

Page 6: How Secure are Secure Inter-Domain Routing Protocols?

Outline

• Modeling
- Inter-domain routing
- Routing policies
- Threat Models
• BGP Protocols
• Attraction Attack
• Interception Attack
• Finding the Optimal Attack
• Conclusion

Page 7: How Secure are Secure Inter-Domain Routing Protocols?

Inter-Domain Routing

Graph
• Dataset: measurements of real-world AS topologies
• The graph is static relative to protocol execution.

Nodes
• Routing policy 1: Path ranking
• Routing policy 2: Export policy

Edges
• Customer-Provider link
• Peer-to-peer link

Page 8: How Secure are Secure Inter-Domain Routing Protocols?

Routing Policy

• Policies differ from AS to AS, but some rules hold globally.

• Path Ranking
1. Loop avoidance
2. Local preference: customer > peer > provider
3. Shortest path
4. Tie break

Page 9: How Secure are Secure Inter-Domain Routing Protocols?

Routing Policy

• Export Policy
- An AS should only be willing to load its own network with transit traffic if it gets paid to do so.
- AS b will only announce a path via AS c to AS a if at least one of a and c is a customer of b.
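The path ranking and export rules from the two Routing Policy slides can be run as a small simulation. This is an added example, not code from the presentation or the paper; the topology and AS names (v, q, p1, t1, t2, d, e) are constructed, and the tie break by neighbor name is an assumption.

```python
# Constructed topology (hypothetical AS names). C2P pairs are (customer, provider).
C2P = [("v", "q"), ("q", "p1"), ("p1", "t1"), ("v", "t2"), ("d", "t2"), ("e", "t1")]
PEERS = [("t1", "t2"), ("d", "q"), ("d", "e")]
PREF = {"customer": 0, "peer": 1, "provider": 2}  # lower value = more preferred

def build(c2p, peers):
    """rel[a][b] says what neighbor b is to a: 'customer', 'peer' or 'provider'."""
    rel = {}
    for c, p in c2p:
        rel.setdefault(c, {})[p] = "provider"
        rel.setdefault(p, {})[c] = "customer"
    for a, b in peers:
        rel.setdefault(a, {})[b] = "peer"
        rel.setdefault(b, {})[a] = "peer"
    return rel

def rank(rel, a, path):
    """Ranking key at AS a: local preference, then path length, then tie break by name."""
    return (PREF[rel[a][path[0]]], len(path), path[0])

def may_export(rel, b, learned_from, to):
    """b announces a route to `to` only if the route is its own or at least one of
    `learned_from` and `to` is a customer of b."""
    return (learned_from is None or rel[b][learned_from] == "customer"
            or rel[b][to] == "customer")

def converge(rel, origin):
    """Repeat announcement rounds until no AS changes its chosen path to origin."""
    best = {origin: ()}  # AS -> tuple of ASes from its next hop down to origin
    for _ in range(2 * len(rel)):
        new = {origin: ()}
        for a in rel:
            cands = [(n,) + best[n] for n in rel[a]
                     if a != origin and n in best and a not in best[n]  # loop avoidance
                     and may_export(rel, n, best[n][0] if best[n] else None, a)]
            if cands:
                new[a] = min(cands, key=lambda p: rank(rel, a, p))
        if new == best:
            return best
        best = new
    raise RuntimeError("routing did not stabilise")

REL = build(C2P, PEERS)
ROUTES = converge(REL, "v")  # chosen path of every AS towards v's prefix
```

In the result, t1 keeps the three-hop customer path via p1 over the two-hop peer path via t2, and e reaches v through its provider t1 because d may not export its peer-learned route to another peer.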

Page 10: How Secure are Secure Inter-Domain Routing Protocols?

Threat Models

• Single manipulator, single victim
• Attraction attack
• Interception attack (attraction attack without ‘blackhole’ effect)
• Quantifying the impact of attack: fraction of traffic attracted to the manipulator.

Page 11: How Secure are Secure Inter-Domain Routing Protocols?

Outline

• Modeling
• BGP Protocols
- BGP
- Origin Authentication
- soBGP
- S-BGP
- Defensive filtering
• Attraction Attack
• Interception Attack
• Finding the Optimal Attack
• Conclusion

Page 12: How Secure are Secure Inter-Domain Routing Protocols?

BGP

• Border Gateway Protocol
• No validation; it naively trusts all information it receives.

Attack: Prefix hijack
Impact: 75% traffic attracted.

Page 13: How Secure are Secure Inter-Domain Routing Protocols?

Origin Authentication

• Requires a trusted database to guarantee that prefix ownership is legitimate.
• Blunt hijackers.
• Only guarantees the ‘origin,’ i.e. the end node of a path.

Attack: false path announcement
Impact: 25% traffic attracted.

Page 14: How Secure are Secure Inter-Domain Routing Protocols?

soBGP

• Secure Origin BGP
• Requires a trusted database to guarantee that the path physically exists.

Attack: announce paths that do not obey the preference (customer > peer > provider).
Impact: 10% traffic attracted.

Page 15: How Secure are Secure Inter-Domain Routing Protocols?

S-BGP

• Secure BGP
• Uses cryptographic signatures to guarantee that the path was legitimately announced.

Attack: announce paths that do not obey the business model (announce a shorter, expensive provider path while actually forwarding traffic on the cheaper, longer customer path).

Impact: 1.7% traffic attracted.
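What the checks on the Origin Authentication, soBGP and S-BGP slides each validate, as an added example that is not from the presentation. The registry, link database, AS names and sample announcements are constructed, and HMAC with per-AS keys stands in for the public-key signatures S-BGP uses.

```python
import hashlib
import hmac

# Constructed data (hypothetical AS names): prefix registry, topology database, keys.
OWNER = {"203.0.113.0/24": "v"}
LINKS = {frozenset(e) for e in [("v", "a1"), ("a1", "m"), ("v", "a2"), ("a2", "m")]}
KEYS = {a: f"secret-{a}".encode() for a in ("v", "a1", "a2", "m")}  # HMAC stand-in

def origin_auth(prefix, path):
    """Origin authentication: only the last AS on the path (the origin) is checked."""
    return OWNER.get(prefix) == path[-1]

def sobgp(prefix, path):
    """soBGP: origin check, plus every adjacent pair must be a link in the database."""
    return origin_auth(prefix, path) and all(
        frozenset(pair) in LINKS for pair in zip(path, path[1:]))

def attest(signer, prefix, suffix, to):
    """Attestation by `signer` that it announced `suffix` (its own path) to `to`."""
    msg = "|".join([prefix, *suffix, to]).encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).digest()

def sbgp(prefix, path, receiver, sigs):
    """S-BGP: each AS on the path must have attested its announcement to the next AS."""
    if not origin_auth(prefix, path) or len(sigs) != len(path):
        return False
    hops = (receiver, *path)  # path[i] announced path[i:] to hops[i]
    return all(hmac.compare_digest(sigs[i], attest(path[i], prefix, path[i:], hops[i]))
               for i in range(len(path)))

def verdicts(prefix, path, receiver, sigs):
    """Which checks accept this announcement (plain BGP would accept all of them)."""
    return {"origin_auth": origin_auth(prefix, path), "soBGP": sobgp(prefix, path),
            "S-BGP": sbgp(prefix, path, receiver, sigs)}

P = "203.0.113.0/24"
GOOD = ("m", "a2", "v")  # really announced: v -> a2 -> m -> receiver r
GOOD_SIGS = [attest("m", P, GOOD, "r"), attest("a2", P, GOOD[1:], "m"),
             attest("v", P, GOOD[2:], "a2")]
# Constructed announcements as seen by r; each one fails a different check.
SAMPLES = {
    "genuine": (GOOD, GOOD_SIGS),
    "wrong origin": (("m",), [attest("m", P, ("m",), "r")]),
    "link not in database": (("m", "v"), [GOOD_SIGS[0], GOOD_SIGS[2]]),
    "never announced by a1": (("m", "a1", "v"), [GOOD_SIGS[0], b"", GOOD_SIGS[2]]),
}
RESULTS = {name: verdicts(P, path, "r", sigs) for name, (path, sigs) in SAMPLES.items()}
```

Each check rejects strictly more than the one before it: the path over a1 uses links that exist, so only the attestation chain exposes that a1 never announced it.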

Page 16: How Secure are Secure Inter-Domain Routing Protocols?

Defensive Filtering

• This is not a protocol but rather a policy.
• Stub AS: an AS that does not have any customers.
• Defensive filtering = blocking stub announcements

The usefulness of this policy will be shown later.

Page 17: How Secure are Secure Inter-Domain Routing Protocols?

Outline

• Modeling
• BGP Protocols
• Attraction Attack
- Strategy
- Performance
- Possible affecting factors
• Interception Attack
• Finding the Optimal Attack
• Conclusion

Page 18: How Secure are Secure Inter-Domain Routing Protocols?

Strategy

“Shortest-Path Export-All”
• Announce the shortest path that will not be detected as bogus.
• Export the path to every neighbor.

Page 19: How Secure are Secure Inter-Domain Routing Protocols?

Performance

• DF (defensive filtering) is crucial (85% of ASes are stubs)
• BGP: uniform dist.
• soBGP & S-BGP: identical.

[Figure: plot with axes labelled “Probability” and “Fraction of Attraction”; annotation “P(Finding shorter path)”]

Page 20: How Secure are Secure Inter-Domain Routing Protocols?

Possible Affecting Factors

• Path length
• Export policy

• Shortest-All vs. Normal-All
• Normal-All vs. Normal-Normal

Export policy dominates path length.

[Figure: plot with axis labelled “Probability”; panel label “S-BGP”]

Page 21: How Secure are Secure Inter-Domain Routing Protocols?

Outline

• Modeling
• BGP Protocols
• Attraction Attack
• Interception Attack
- Avoiding blackhole effect
- Strategy
- Performance
• Finding the Optimal Attack
• Conclusion

Page 22: How Secure are Secure Inter-Domain Routing Protocols?

Avoiding Blackhole Effect

• blackhole

Page 23: How Secure are Secure Inter-Domain Routing Protocols?

Avoiding Blackhole Effect

• Taking the “Shortest-path, Export-all” strategy.
• Tier 1 AS: > 250 customers
• Tier 2 AS: > 25 customers
• The probabilities of blackhole effect on different types of manipulators are different.
• The result is supported by [Gao01]

Page 24: How Secure are Secure Inter-Domain Routing Protocols?

Strategy

• “Shortest-Available-path, Export-all”: mimicking soBGP and S-BGP to only announce available paths.

• “Hybrid Interception”
1. Run “Shortest-path, Export-all”
2. Check if an available path exists; if yes, announce; if no, continue.
3. Run “Shortest-Available-path, Export-all”

Page 25: How Secure are Secure Inter-Domain Routing Protocols?

Performance

• Announce All: ignore blackhole effect.
• Hybrid Interception: > 10% attracted with more than a one-half chance!

Page 26: How Secure are Secure Inter-Domain Routing Protocols?

Outline

• Modeling
• BGP Protocols
• Attraction Attack
• Interception Attack
• Finding the Optimal Attack Strategy
- Longer path announcement
- Export to fewer neighbors
- Exploiting loop detection
- Finding the optimal attack is NP-Hard
• Conclusion

Page 27: How Secure are Secure Inter-Domain Routing Protocols?

Finding The Optimal Attack Strategy

• So far, the strategies we introduced (for both attraction and interception attacks) are heuristic guesses that are still far from optimal.

• In some cases, strategies that go against our intuition may have a more severe impact.
- Longer path announcement
- Exporting to fewer neighbors
- Exploiting the loop detection mechanism

Page 28: How Secure are Secure Inter-Domain Routing Protocols?

Longer Path Announcement

• soBGP, S-BGP running
• Short: (m,a1,v,Prefix); Long: (m,a2,a3,v,Prefix)
• Customer edge is more preferred than peer
• 16% attraction -> 56%

[Figure panels: Short, Long]

Page 29: How Secure are Secure Inter-Domain Routing Protocols?

Export to Fewer Neighbors

• soBGP, S-BGP running
• All: T1a,T2a,T2,v; Fewer: T1a,T2a,T2,v
• Forcing T2 to detour, making it unpopular.
• 40% attraction -> 50%

[Figure panels: Export All, Export fewer]

Page 30: How Secure are Secure Inter-Domain Routing Protocols?

Exploiting Loop Detection

• BGP running (hijacking)
• Normal: (m,Prefix); Loop: (m,a2,Prefix)
• Paralyzing a2-a1, making T1a more popular.
• 32010 attractions -> 32370

[Figure panels: Normal, Loop]

Page 31: How Secure are Secure Inter-Domain Routing Protocols?

Finding The Optimal Attack is NP-Hard

• [Goldberg10] and [Gao01]
• Sketch of proof
• The ‘DILEMMA’ pattern

Page 32: How Secure are Secure Inter-Domain Routing Protocols?

Outline

• Modeling
• BGP Protocols
• Attraction Attack
• Interception Attack
• Finding the Optimal Attack
• Conclusion

Page 33: How Secure are Secure Inter-Domain Routing Protocols?

Conclusion

• Today's BGP protocols are still not capable of dealing with inter-domain traffic attacks.
- Hard to detect
- Hard to define

• This work only provides lower bounds on the impact of attacks, which is already concerning enough.

• Finding the optimal attack strategy is proven to be NP-hard, which means that the competition between manipulators and defenders may never end.