how secure are secure inter- domain routing protocols? sigcomm 2010 presenter: kcir
TRANSCRIPT
![Page 1: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/1.jpg)
How Secure are Secure Inter-Domain Routing Protocols?
SIGCOMM 2010Presenter: kcir
![Page 2: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/2.jpg)
Main Purpose
• Think like a normal node: Security analysis of nowadays inter-domain routing protocols
• Think like a malicious node: Strategy and impact analysis of1) attraction and 2) interception attacks.
![Page 3: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/3.jpg)
Some Preliminaries
• AS (Autonomous System)Collection of connected IP prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet.
• BGP (Broadcast Gateway Protocol)Protocol used by ASes to find and announce paths.
![Page 4: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/4.jpg)
I have 140.112.xx
x.xxx
I know a path towards 140.112.xxx.
xxx
I know a path towards 140.112.xxx.
xxx
I know a path towards 140.112.xxx.
xxxI know a
path towards 140.112.xxx.
xxx
140.112.123.45
![Page 5: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/5.jpg)
Outline
• Modeling• BGP Protocols• Attraction Attack• Interception Attack• Finding the Optimal Attack• Conclusion
![Page 6: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/6.jpg)
Outline
• Modeling- Inter-domain routing- Routing policies- Threat Models
• BGP Protocols• Attraction Attack• Interception Attack• Finding the Optimal Attack• Conclusion
![Page 7: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/7.jpg)
Inter-Domain Routing
Graph• Dataset: Real world AS
topologies measurement• Graph is relative static to
protocol execution.Nodes• Routing policy 1: Path ranking • Routing policy 2: Export policyEdges• Customer-Provider link• Peer-to-peer link
![Page 8: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/8.jpg)
Routing Policy
• Policies are different from ASes, but there are some global iron rules.
• Path Ranking1. Loop avoiding2. Local preference:
customer > peer > provider3. Shortest path4. Tie break
![Page 9: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/9.jpg)
Routing Policy
• Export Policy- AS should only be willing to load his own
network with transit traffic if he gets paid to do so.
- ASb will only announce a path via ASc to ASa if at least one of a and c are customers of b.
![Page 10: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/10.jpg)
Threat Models
• Single manipulator, single victim• Attraction attack• Interception attack
(attraction attack without ‘blackhole’ effect)• Quantifying the impact of attack
Fraction of traffic attracted to the manipulator.
![Page 11: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/11.jpg)
Outline
• Modeling• BGP Protocols
- BGP- Origin Authentication- soBGP- S-BGP- Defensive filtering
• Attraction Attack• Interception Attack• Finding the Optimal Attack• Conclusion
![Page 12: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/12.jpg)
BGP
• Broadcast Gateway Protocol• No validating, just naively trusts every
information.Attack: Prefix hijackImpact: 75% traffic attracted.
![Page 13: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/13.jpg)
Origin Authentication
• Requires a trusted database to guarantee the righteousness of prefix owning.
• Blunt hijackers.• Only guarantee the ‘origin,’ i.e. the end node
of a path.Attack: false path announcementImpact: 25% traffic attracted.
![Page 14: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/14.jpg)
soBGP
• Secure Origin BGP• Requires a trusted database to guarantee that
the path physically exists.Attack: announce paths that do not obey the
preference (customer > peer > provider.)Impact: 10% traffic attracted.
![Page 15: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/15.jpg)
S-BGP
• Secure BGP• Using cryptographic signatures to guarantee
that the path is righteously announced.Attack: announce paths that do not obey the
business model. (Announce a shorter, expensive provider path, while actually forwarding traffic on the cheaper, longer customer path.)
Impact: 1.7% traffic attracted.
![Page 16: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/16.jpg)
Defensive Filtering
• This is not a protocol but rather a policy.• Stub AS: AS that does not have any customers.• Defensive filtering
= Blocking stub announcementsThe usefulness of this policy will be shown later.
![Page 17: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/17.jpg)
Outline
• Modeling• BGP Protocols• Attraction Attack
- Strategy- Performance- Possible effecting factors
• Interception Attack• Finding the Optimal Attack• Conclusion
![Page 18: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/18.jpg)
Strategy
“Shortest-Path Export-All”• Announce the shortest path that will not be
detected as bogus.• Exports the paths to every neighbor.
![Page 19: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/19.jpg)
Performance
• DF is crucial (85% ASes are stubs)
• BGP: uniform dist.• soBGP & S-BGP:
identical.
Probability
Fraction of Attraction
P(Finding shorter path)
![Page 20: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/20.jpg)
Possible Effecting Factors
• Path length• Export policy
• Shortest-All vs. Normal-All• Normal-All vs. Normal-NormalExport policy dominates path length.
Probability
S-BGP
![Page 21: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/21.jpg)
Outline
• Modeling• BGP Protocols• Attraction Attack• Interception Attack
- Avoiding blackhole effect- Strategy- Performance
• Finding the Optimal Attack• Conclusion
![Page 22: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/22.jpg)
Avoiding Blackhole Effect
• blackhole
![Page 23: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/23.jpg)
Avoiding Blackhole Effect
• Taking the “Shortest-path, Export-all” strategy.
• Tier 1 AS: > 250 customers• Tier 2 AS: > 25 customers• The probabilities of blackhole effect on different
types of manipulators are different.• The result is supported by [Gao01]
![Page 24: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/24.jpg)
Strategy
• “Shortest-Available-path, Export-all”Mimicking soBGP and S-BGP to only announce available paths.
• “Hybrid Interception“1. Run “Shortest-path, Export-all”2. Check if an available path exists, if yes,
announce; if no, continue.3. Run “Shortest-Available-path, Export-all”
![Page 25: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/25.jpg)
Performance
• Announce All: ignore blackhole effect.• Hybrid Interception: > 10% attracted for
more than half chance!
![Page 26: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/26.jpg)
Outline
• Modeling• BGP Protocols• Attraction Attack• Interception Attack• Finding the Optimal Attack Strategy
- Longer path announcement- Export to fewer neighbors- Exploiting loop detection- Finding the optimal attack is NP-Hard
• Conclusion
![Page 27: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/27.jpg)
Finding The Optimal Attack Strategy
• So far, the strategies we introduced (for both attraction and interception attack) are still far from optimal but rather heuristic guesses.
• For some cases, strategies that are against our intuition may have more severe impact.- Longer path announcement- Fewer exporting- Exploiting the loop detection mechanism
![Page 28: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/28.jpg)
Longer Path Announcement
• soBGP, S-BGP running• Short: (m,a1,v,Prefix); Long: (m,a2,a3,v,Prefix)• Customer edge is more preferred than peer• 16% attraction -> 56%
Short Long
![Page 29: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/29.jpg)
Export to Fewer Neighbors
• soBGP, S-BGP running• All: T1a,T2a,T2,v; Fewer: T1a,T2a,T2,v• Forcing T2 to detour, making it unpopular.• 40% attraction -> 50%
Export All Export fewer
![Page 30: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/30.jpg)
Exploiting Loop Detection
• BGP running (hijacking)• Normal: (m,Prefix); Loop: (m,a2,Prefix)• Paralyzing a2-a1, making T1a more popular.• 32010 attractions -> 32370
Normal Loop
![Page 31: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/31.jpg)
Finding The Optimal Attack is NP-Hard
• [Goldberg10] and [Gao01]• Sketch of proof• The ‘DILEMMA’ pattern
![Page 32: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/32.jpg)
Outline
• Modeling• BGP Protocols• Attraction Attack• Interception Attack• Finding the Optimal Attack• Conclusion
![Page 33: How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649e9f5503460f94ba24a5/html5/thumbnails/33.jpg)
Conclusion
• Nowadays BGPs are still not capable with dealing Inter-domain traffic attacks.- Hard to detect- Hard to define
• This work only provides lower bounds of the impacts of attack, which is already concerning enough.
• The complexity of finding the optimal attack strategy is proofed to be NP-hard, which means that the competition between manipulators and defenders may never ends.