17th ACM CCS Poster (October 2010) • 18th NDSS Symposium (February 2011)

Losing Control of the Internet: Using the Data Plane to Attack the Control Plane

Max Schuchard, Abedelaziz Mohaisen, Denis Foo Kune, Nicholas Hopper, Yongdae Kim (University of Minnesota) • Eugene Y. Vasserman (Kansas State University)
A Seminar at Advanced Defense Lab

Outline
• Introduction
• Background
• The CXPST Attack
• Simulation
• Toward Defenses
• Related Work
Introduction – A New Type of DDoS
[Figure: attacker-controlled bots spread across the Internet send traffic toward destinations chosen so that the paths converge on a target link; the link, not the destination, is the real target. BR = border router, C = client network.]

How serious can the attack be?
• In this paper, we propose a new attack: Coordinated Cross Plane Session Termination (CXPST)
• We attack BGP sessions: congestion in the data plane is used to bring down sessions in the control plane
Shrew Attack [link]
• Low-Rate TCP-Targeted Denial of Service Attacks
• Aleksandar Kuzmanovic and Edward W. Knightly (Rice University)
• ACM SIGCOMM 2003

TCP Retransmission
[Figure: TCP congestion window size (packets) vs. time. While no packets are lost and ACKs are received, the window grows from its initial size; after a loss with no ACK, the sender waits minRTO before retransmitting, then 2 × minRTO, then 4 × minRTO (exponential backoff), and the window collapses back to its initial size.]

Shrew Attack (cont.)
[Figure: TCP congestion window size (segments) vs. time under a Shrew attack. Short, low-average-rate attack bursts spaced to coincide with the retransmission timer (minRTO, 2 × minRTO, 4 × minRTO) cause every retransmission to be lost, so the window never recovers although the link is idle most of the time.]
Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing
• Ying Zhang, Z. Morley Mao, Jia Wang (University of Michigan & AT&T Labs Research)
• NDSS Symposium 2007
• We term it the ZMW attack

Border Gateway Protocol [wiki]
• The Internet can be divided into two distinct parts:
  • the data plane, which forwards packets to their destination
  • the control plane, which determines the path to any given destination
• BGP is the de facto standard inter-domain routing protocol
BGP Sessions
[Figure: border routers (BR) in AS 1 and AS 2 exchange periodic Keepalive messages over a BGP session. Transport: a TCP connection. Keepalives confirm peer liveliness and determine peer reachability; if nothing arrives before the BGP HoldTimer expires, the session is reset.]

Attacking BGP Sessions
[Figure: attacker A sends a UDP-based attack flow to receiver B across the link between routers R1 and R2, which also carries the BGP session between them. A BGP Keepalive segment lost to the congestion is retransmitted after minRTO; a second burst timed 2 × minRTO later causes the second retransmission to be lost as well.]
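The mechanism on the Shrew and "Attacking BGP Sessions" slides, written out as a small discrete-time model. This is an added example, not code from the paper or the slides. Assumptions that the slides do not state: the BGP speaker sends a KEEPALIVE every hold_time/3 seconds (the ratio RFC 4271 suggests), the hold timer is restarted only by KEEPALIVEs, the TCP sender retransmits with exponential backoff starting at minRTO = 1 s (RFC 6298), an attack burst saturates the shared link so any segment sent inside a burst is dropped, and propagation delay is ignored. The `enforce_hold_timer` switch models the "disable hold timer functionality" idea from the "Our method" slide later in the deck.

```python
"""Toy model of the ZMW attack on a BGP session (added example, not from the paper).

Assumptions (not on the slides): KEEPALIVE every hold_time/3 s (RFC 4271's
suggested ratio); hold timer restarted only by KEEPALIVEs; TCP retransmits
with exponential backoff from minRTO = 1 s (RFC 6298); a burst saturates the
link, so any segment sent inside it is dropped; no propagation delay.
All times are seconds.
"""


def in_burst(t, period, width):
    """True if a segment sent at time t falls inside an attack burst.

    Bursts start at every multiple of `period` and last `width` seconds: the
    square-wave pattern of the Shrew attack.
    """
    return (t % period) < width


def simulate_session(hold_time=180.0, period=1.0, width=0.05, min_rto=1.0,
                     horizon=600.0, enforce_hold_timer=True):
    """Run one BGP session under a periodic burst attack.

    Returns a dict with `reset_at` (time the receiver's hold timer expired, or
    None if the session survived until `horizon`), `lost_segments`, and
    `attack_duty_cycle` (the attacker's average share of link capacity).
    `enforce_hold_timer=False` models a receiver that never tears the session
    down on hold-timer expiry.
    """
    keepalive_interval = hold_time / 3.0
    last_received = 0.0            # session came up at t = 0; hold timer starts
    next_keepalive = keepalive_interval
    lost = 0
    duty_cycle = width / period

    while next_keepalive <= horizon:
        attempt, rto, delivered = next_keepalive, min_rto, False
        while attempt <= horizon:
            expiry = last_received + hold_time
            if enforce_hold_timer and attempt >= expiry:
                # Nothing arrived for a full hold time: the peer resets the session.
                return {"reset_at": expiry, "lost_segments": lost,
                        "attack_duty_cycle": duty_cycle}
            if not in_burst(attempt, period, width):
                last_received = attempt    # delivered; receiver restarts hold timer
                delivered = True
                break
            lost += 1
            attempt += rto                 # TCP retransmission, RTO doubles each time
            rto *= 2
        if not delivered:
            break                          # still retransmitting at the horizon
        # The next KEEPALIVE cannot leave before the previous one was delivered.
        next_keepalive = max(next_keepalive + keepalive_interval, last_received)

    return {"reset_at": None, "lost_segments": lost,
            "attack_duty_cycle": duty_cycle}


if __name__ == "__main__":
    print("aligned bursts, hold timer on :", simulate_session())
    print("misaligned bursts (period 1.3):", simulate_session(period=1.3))
    print("aligned bursts, hold timer off:", simulate_session(enforce_hold_timer=False))
```

With 50 ms bursts every second the attacker occupies 5% of the link on average, yet every KEEPALIVE retransmission (at 1, 3, 7, 15, ... s after the first loss) lands inside a burst and the peer resets the session when the 180 s hold timer expires. Changing the burst period so that it no longer divides the retransmission offsets (1.3 s here) lets the keepalives through, which is why the attack depends on minRTO being a known, fixed value. Ignoring hold-timer expiry keeps the session up in this model, but the transport is still stalled; real TCP stacks abort after a bounded number of retransmissions, so this alone is not a complete defence.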
Background
• BGP update messages
  • When a router in an AS changes its routing table, it recomputes its best paths and informs its neighboring ASes of the change via a BGP update message.
  • This change may trigger the same series of events in other border routers, so a local change propagates outward.

Background (cont.)
• BGP Stability
  • When a set of routes oscillates rapidly between being available and unavailable it is termed route flapping.
• Some defense mechanisms
  • Minimum Route Advertisement Interval (MRAI)
  • BGP Graceful Restart [RFC 4724]
  • Route Flap Damping [RFC 2439]
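Route flap damping is the stability mechanism most directly aimed at the flapping CXPST induces, so it is worth seeing how quickly penalties accumulate and how long a route stays suppressed. The following is an added example, not code from the paper. RFC 2439 leaves the parameters to the operator; the constants used here are the commonly cited Cisco defaults and are an assumption of this example (1000 penalty points per flap, 15 min half-life, suppress above 2000, reuse below 750, at most 60 min of suppression).

```python
"""Route flap damping (RFC 2439) penalty arithmetic (added example, not from the paper).

The parameter values are assumed (commonly cited Cisco defaults); RFC 2439
itself does not fix them.  Times are seconds.
"""
import math

PENALTY_PER_FLAP = 1000.0
HALF_LIFE = 15 * 60.0
SUPPRESS_LIMIT = 2000.0
REUSE_LIMIT = 750.0
MAX_SUPPRESS = 60 * 60.0


def decay(penalty, elapsed, half_life=HALF_LIFE):
    """Exponential decay of an accumulated penalty over `elapsed` seconds."""
    return penalty * 2.0 ** (-elapsed / half_life)


def damp(flap_times, penalty_per_flap=PENALTY_PER_FLAP, half_life=HALF_LIFE,
         suppress_limit=SUPPRESS_LIMIT, reuse_limit=REUSE_LIMIT,
         max_suppress=MAX_SUPPRESS):
    """Replay the flaps of one prefix as seen from one peer.

    Returns (history, reuse_at).  `history` holds (time, penalty, suppressed)
    after each flap, with the hysteresis of RFC 2439: a route is suppressed
    once its penalty exceeds `suppress_limit` and stays suppressed until the
    penalty decays below `reuse_limit`.  `reuse_at` is when the route becomes
    usable again after the last flap (the last flap time if never suppressed).
    """
    penalty, last, suppressed, history = 0.0, None, False, []
    for t in sorted(flap_times):
        if last is not None:
            penalty = decay(penalty, t - last, half_life)   # decay since previous flap
        penalty += penalty_per_flap
        last = t
        if penalty > suppress_limit:
            suppressed = True
        elif penalty < reuse_limit:
            suppressed = False
        history.append((t, round(penalty, 1), suppressed))
    if not suppressed:
        return history, last
    # Time for the penalty to decay down to reuse_limit, capped at max_suppress.
    wait = half_life * math.log2(penalty / reuse_limit)
    return history, last + min(wait, max_suppress)


if __name__ == "__main__":
    hist, reuse_at = damp([0, 60, 120])
    for t, p, s in hist:
        print(f"t={t:4d}s penalty={p:7.1f} suppressed={s}")
    print(f"route reusable at t={reuse_at:.0f}s")
```

Three flaps one minute apart are enough to cross the suppress threshold on the third flap, after which the prefix is unusable for roughly 29 more minutes; two flaps stay just under it. Whether a real router applies damping at all is a deployment question the slides leave open.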
The CXPST Attack
• We force the targeted links to oscillate between "up" and "down" states. In essence, CXPST induces targeted route flapping.
• By creating a series of localized failures that have near-global impact, CXPST has the potential to overwhelm the computational capacity of a large set of routers on the Internet.

The Key Tasks
• First, the correct BGP sessions must be selected for attack.
• Second, the attacker needs to direct the traffic of his botnet onto the targeted links.
• Lastly, the attacker must find a way to minimize the impact of the existing stability mechanisms on the attack.

Selecting Targets
• Edge betweenness centrality [wiki]
• Modified definition

Selecting Targets (cont.)
• By aggregating the traceroute results from its bots, an attacker can generate a rough measure of the BGP betweenness of links.
• Equal-cost multi-path routing (ECMP) [wiki]
  • Any links that are possibly using it are removed from the set of potential targets, since traffic aimed at such a link may be spread over parallel paths instead.
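One way to carry out the target-selection step from traceroute data, as an added example that is not the paper's code. The paper's modified betweenness definition is not reproduced on the slides, so the rough measure used here is simply the number of (bot, destination) pairs whose observed paths cross a link; links are flagged as ECMP suspects when repeated traces for the same pair diverge at a hop, and flagged links are dropped from the candidate set. The traceroute records are constructed for the example; hop names are placeholders.

```python
"""Rank candidate links from aggregated traceroutes (added example, not from the paper).

Rough betweenness = number of (bot, destination) pairs routed over the link.
Links whose router shows different next hops for the same pair in repeated
traces are treated as ECMP and excluded.  The traces below are constructed.
"""
from collections import Counter, defaultdict

# Constructed traceroutes: (bot, destination, path of hop identifiers).
TRACES = [
    ("bot1", "dst1", ["bot1", "R1", "R3", "R5", "dst1"]),
    ("bot1", "dst1", ["bot1", "R1", "R3", "R5", "dst1"]),
    ("bot2", "dst1", ["bot2", "R2", "R3", "R5", "dst1"]),
    ("bot3", "dst2", ["bot3", "R2", "R3", "R5", "R6", "dst2"]),
    ("bot4", "dst3", ["bot4", "R4", "R3", "R5", "dst3"]),
    ("bot4", "dst3", ["bot4", "R4", "R3", "R7", "dst3"]),   # R3 splits R5/R7
    ("bot5", "dst2", ["bot5", "R1", "R5", "R6", "dst2"]),
]


def link(a, b):
    """Undirected link identifier."""
    return tuple(sorted((a, b)))


def ecmp_suspect_links(traces):
    """Links leaving a hop where two traces for the same pair take different next hops."""
    by_pair = defaultdict(set)
    for src, dst, path in traces:
        by_pair[(src, dst)].add(tuple(path))
    suspect = set()
    for paths in by_pair.values():
        paths = sorted(paths)
        for i in range(len(paths)):
            for j in range(i + 1, len(paths)):
                p, q = paths[i], paths[j]
                for k in range(min(len(p), len(q)) - 1):
                    if p[k + 1] != q[k + 1]:
                        # p[k] == q[k] here (first divergence): one router,
                        # two next hops -> both links are ECMP candidates.
                        suspect.add(link(p[k], p[k + 1]))
                        suspect.add(link(q[k], q[k + 1]))
                        break
    return suspect


def rank_targets(traces, exclude_ecmp=True):
    """Links sorted by how many (bot, destination) pairs traverse them."""
    pair_links = defaultdict(set)
    for src, dst, path in traces:
        for a, b in zip(path, path[1:]):
            pair_links[(src, dst)].add(link(a, b))
    counts = Counter()
    for links in pair_links.values():
        for l in links:
            counts[l] += 1
    if exclude_ecmp:
        for l in ecmp_suspect_links(traces):
            counts.pop(l, None)
    # Deterministic order: highest count first, then lexicographic link name.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("ECMP suspects:", sorted(ecmp_suspect_links(TRACES)))
    print("candidates   :", rank_targets(TRACES)[:4])
```

In this data the busiest link (R3–R5, crossed by four of the five pairs) is exactly the one that gets excluded, because bot4's two traces to dst3 show R3 forwarding to both R5 and R7. That is the trade-off the slide describes: a link whose load may be split across parallel paths is a poor target even when it looks central.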
Attack Traffic Management
• Simply pointing every bot at a destination behind its target link fails to take into account the fact that network topology is dynamic: once a targeted link goes down, the paths change.
• The attacker must also ensure that a bot's path does not contain other links that are being targeted as well.

Attack Traffic Management (cont.)
• There is the possibility that we will saturate bandwidth capacity on the way to the target link.
• Studer and Perrig, "The Coremelt Attack," ESORICS 2009
• Max-flow algorithm: allocate bot traffic to target links subject to the spare capacity of the intermediate links.
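The two constraints on this and the previous slide (do not cross other targeted links, do not saturate links on the way) are exactly what a max-flow formulation captures. The following is an added example, not code from the paper or from Coremelt; it instantiates the "max-flow algorithm" bullet with Edmonds–Karp. The topology, the spare link capacities (Mbit/s, assumed equal in both directions) and the bot attachment points and upload rates are all constructed. Every targeted link is removed from the graph, the bots hang off a super-source, and the sink is the near end of the link under attack; the max-flow value is the traffic the botnet can deliver onto that link without overloading anything in between, and the flow on the source edges is the per-bot sending plan.

```python
"""Bot-to-target traffic planning as a max-flow problem (added example, not from the paper).

Topology, spare capacities (Mbit/s, capacity minus current load, same in both
directions) and bot rates are constructed.  Edmonds-Karp is used as the
"max flow algorithm"; the paper's exact formulation is not on the slides.
"""
from collections import defaultdict, deque

# Constructed spare capacity per undirected link.
LINKS = {
    ("A", "B"): 300, ("A", "C"): 200, ("B", "D"): 150, ("C", "D"): 250,
    ("B", "E"): 100, ("D", "E"): 350, ("E", "F"): 500,
}
# Constructed bots: (attachment router, upload rate in Mbit/s).
BOTS = {"bot1": ("A", 120), "bot2": ("A", 120), "bot3": ("C", 90), "bot4": ("B", 60)}


def max_flow(capacity, source, sink):
    """Edmonds-Karp.  `capacity` is {u: {v: cap}}.  Returns (value, net_flow)."""
    residual = defaultdict(lambda: defaultdict(float))
    for u, nbrs in capacity.items():
        for v, c in nbrs.items():
            residual[u][v] += c
    flow = defaultdict(lambda: defaultdict(float))
    total = 0.0
    while True:
        parent = {source: None}                 # BFS for a shortest augmenting path
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, c in list(residual[u].items()):
                if c > 1e-9 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return total, flow
        bottleneck, v = float("inf"), sink
        while parent[v] is not None:
            bottleneck = min(bottleneck, residual[parent[v]][v])
            v = parent[v]
        v = sink
        while parent[v] is not None:             # push flow along the path
            u = parent[v]
            residual[u][v] -= bottleneck
            residual[v][u] += bottleneck
            flow[u][v] += bottleneck
            flow[v][u] -= bottleneck
            v = u
        total += bottleneck


def plan_attack(links, bots, target, other_targets=()):
    """Traffic deliverable to the near end of `target` = (u, v) without exceeding
    spare capacity anywhere on the way, avoiding all targeted links."""
    u, v = target
    banned = {frozenset(target)} | {frozenset(t) for t in other_targets}
    cap = defaultdict(dict)
    for (a, b), c in links.items():
        if frozenset((a, b)) in banned:
            continue                           # never route attack flows over a target
        cap[a][b] = cap[a].get(b, 0) + c
        cap[b][a] = cap[b].get(a, 0) + c
    for bot, (router, rate) in bots.items():
        cap["SRC"][bot] = rate                 # super-source feeds every bot
        cap[bot][router] = rate                # the bot's own access link
    deliverable, flow = max_flow(cap, "SRC", u)
    sending = {b: flow["SRC"][b] for b in bots if flow["SRC"][b] > 1e-9}
    spare = links.get((u, v), links.get((v, u)))
    return {"deliverable": deliverable, "sending": sending,
            "saturates": deliverable >= spare}


if __name__ == "__main__":
    print(plan_attack(LINKS, BOTS, ("D", "E")))
    print(plan_attack(LINKS, BOTS, ("D", "E"), other_targets=[("A", "B")]))
```

Against link D–E alone all 390 Mbit/s of bot capacity can be delivered, enough to exceed its 350 Mbit/s of headroom. If A–B is also on the target list the bots at A are confined to A–C, C–D becomes the bottleneck and only 310 Mbit/s arrives, so the two links cannot be congested simultaneously by this botnet; the planner has to schedule them rather than attack both at once.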
Simulation
• We started building our simulator's topology by examining the wealth of data on the AS-level topology of the Internet made available by CAIDA. [link]
• Using January 2010 data
• The result was a connected graph with 1829 ASes and nearly 13,000 edges.

Simulation – Bandwidth
• Core AS links: OC-768 (38.5 Gbit/s)
• The attacker's resources: OC-3 (155 Mbit/s)

Simulation – Botnet
• Recent papers on botnet enumeration have given us some insight into the distribution of bots throughout the Internet.
• Waledac botnet [link]

Simulation Results
• CXPST was simulated with botnets of 64, 125, 250, and 500 thousand nodes.
• Targets were selected from the core routers in our topology, the top 10% of ASes by degree.
Simulation Results – Failed Sessions
[Figure: failed BGP sessions; data not reproduced on the slide]

Simulation Results – BGP Update
• Normal loads from RouteViews [link]
• Median router load under attack
• Some top ASes under attack
[Figures: BGP update load; data not reproduced on the slides]

Simulation Results – Time-to-Process
• The default hold time is 180 secs
Toward Defenses

Our method
• Stop the ZMW attack
  • Remove the mechanism that allows Zhang et al.'s attack to function
  • This is easier said than done
  • Disabling hold timer functionality in routers

Our method – Partially Deployed
Related Work – Known Attacks on BGP
• Bellovin and Gansner
  • divert existing traffic to a desired set of nodes
  • assumes perfect knowledge of the current network topology
• Studer and Perrig
  • Coremelt

Related Work – BGP Attack Prevention
• Packet filtering or push-back techniques
• Improving resilience by providing failover paths
• BGP behavior analysis

Thank You