1 / 35

Losing Control of the Internet: Using the Data Plane to Attack the Control Plane

17 th ACM CCS Poster (October, 2010) 18 th NDSS Symposium (February 2011). Losing Control of the Internet: Using the Data Plane to Attack the Control Plane. Max Schuchard , Abedelaziz Mohaisen , Denis Foo Kune , Nicholas Hopper, Yongdae Kim University of Minnesota. Eugene Y. Vasserman

chidi
Download Presentation

Losing Control of the Internet: Using the Data Plane to Attack the Control Plane

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 17th ACM CCS Poster (October, 2010) • 18thNDSS Symposium (February 2011) Losing Control of the Internet:Using the Data Plane to Attack the Control Plane Max Schuchard,AbedelazizMohaisen,Denis FooKune, Nicholas Hopper, Yongdae Kim University of Minnesota • Eugene Y. Vasserman • Kansas State University

  2. A Seminar at Advanced Defense Lab Outline • Introduction • Background • The CXPST Attack • Simulation • Toward Defenses • Related Work

  3. BR BR BR C C C A Seminar at Advanced Defense Lab Introduction – New Type DDoS Internet Bots Target link Attackers Target Destination 3

  4. A Seminar at Advanced Defense Lab How serious can the attack be? • In this paper, we propose a new attack • Coordinated Cross Plane Session Termination(CXPST) • We attack BGP sessions

  5. A Seminar at Advanced Defense Lab Shrew Attack [link] • Low-Rate TCP-Targeted Denial of Service Attacks • AleksandarKuzmanovic and Edward W. Knightly (Rice University) • ACM SIGCOMM 2003

  6. Initial window size A Seminar at Advanced Defense Lab TCP Retransmission No packet loss ACKs received packet loss No ACK received TCP Congestion Window Size (packets) minRTO 2 x minRTO 4 x minRTO Time

  7. Initial window size A Seminar at Advanced Defense Lab Shrew Attack (cont.) TCP congestion window size (segments) minRTO 2 x minRTO 4 x minRTO Time

  8. A Seminar at Advanced Defense Lab Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing • Ying Zhang, Z. Morley Mao, Jia Wang(University of Michigan & AT&T Labs Research) • NDSS Symposium 2007 • We term it the ZMW attack

  9. A Seminar at Advanced Defense Lab Border Gateway Protocol [wiki] • The Internet can be divided into two distinct parts • The data plane, which forwards packets to their destination • the control plane, which determines the path to any given destination • The BGP is the de facto standard routing protocol

  10. Keepalive Keepalive BR BR BR BR C C AS 1 BGP HoldTimer expired A Seminar at Advanced Defense Lab BGP Sessions BGP session reset confirm peer liveliness; determine peer reachability BGP session AS 2 Transport: TCP connection

  11. Receiver B Attacker A BR BR C C Router R2 Router R1 A Seminar at Advanced Defense Lab Attacking BGP Sessions UDP-based attack flow Retransmitted BGP Keepalive message minRTO

  12. Receiver B Attacker A BR BR C C Router R2 Router R1 A Seminar at Advanced Defense Lab Attacking BGP Sessions UDP-based attack flow 2nd Retransmitted BGP Keepalive message minRTO 2*minRTO

  13. A Seminar at Advanced Defense Lab Background • BGP update messages • When one router in an AS changes its routing table, it recomputes its routing table, and informs its neighboring ASes of the change via a BGP update message. • This change might trigger the same series of events in other border routers.

  14. A Seminar at Advanced Defense Lab Background (cont.) • BGP Stability • When a set of routes oscillates rapidly between being available and unavailable it is termed route flapping. • Some defense mechanisms • Minimum Route Advertisement Intervals (MRAI) • BGP Graceful Restart [rfc 4724] • Route Flap Damping [rfc 2439]

  15. A Seminar at Advanced Defense Lab The CXPST Attack • We force the targeted links to oscillate between “up” and “down” states. In essence, CXPST induces targeted route flapping. • By creating a series of localized failures that have near global impact, CXPST has the potential to overwhelm the computational capacity of a large set of routers on the Internet.

  16. A Seminar at Advanced Defense Lab The Key Tasks • First, the correct BGP sessions must be selected for attack. • Second, the attacker needs to direct the traffic of his botnet onto the targeted links. • Lastly, the attacker must find a way to minimize the impact of existing mechanisms.

  17. A Seminar at Advanced Defense Lab Selecting Targets (cont.) • Edge betweenness centrality [wiki] • Modified definition

  18. A Seminar at Advanced Defense Lab Selecting Targets • By aggregating the tracerouting results an attacker can generate a rough measure of the BGP betweenness of links. • Equal cost multi-path routing (ECMP) [wiki] • Any links that are possibly using it are removed from the set of potential targets.

  19. A Seminar at Advanced Defense Lab Attack Traffic Management • The strategy fails to take into account the fact that network topology is dynamic. • the attacker must ensure that the path does not contain other links that are being targeted as well.

  20. A Seminar at Advanced Defense Lab Attack Traffic Management (cont.) • there is the possibility that we will saturate bandwidth capacity on the way to the target link. • Sunder and Perrig, “The Coremelt Attack,” ESORICS 2009 • Max flow Algorithm

  21. A Seminar at Advanced Defense Lab Simulation • We started building our simulator’s topology by examining the wealth of data on the AS-level topology of the Internet made available from CAIDA. [link] • Using January 2010 data • The result was a connected graph with 1829 ASes and nearly 13, 000 edges.

  22. A Seminar at Advanced Defense Lab Simulation - Bandwidth • Core AS links • OC-768 (38.5 Gbit/s) • The attacker’s resources • OC-3 (155Mbit/s)

  23. A Seminar at Advanced Defense Lab Simulation - Botnet • Recent papers on botnet enumeration have given us some insight into the distribution of bots throughout the Internet. • Waledacbotnet [link]

  24. A Seminar at Advanced Defense Lab Simulation Results • CXPST was simulated with botnets of 64, 125, 250, and 500 thousand nodes. • Targets were selected from the core routers in our topology, the top 10% of ASes by degree.

  25. A Seminar at Advanced Defense Lab Simulation Results – Failed Sessions

  26. A Seminar at Advanced Defense Lab Simulation Results – BGP Update • Normal loads from RouteViews [link]

  27. A Seminar at Advanced Defense Lab Simulation Results – BGP Update • Median router load under attacks

  28. A Seminar at Advanced Defense Lab Simulation Results – BGP Update • Some top AS under attack

  29. A Seminar at Advanced Defense Lab Simulation Results – Time-to-Process • The default hold time is 180 secs

  30. A Seminar at Advanced Defense Lab Toward Defenses

  31. A Seminar at Advanced Defense Lab Our method • Stop ZMW attack • Remove the mechanism that allows Zhang et al.’s attack to function • This is easier said then done • Disabling hold timer functionality in routers

  32. A Seminar at Advanced Defense Lab Our method - Partially Deployed

  33. A Seminar at Advanced Defense Lab Related Work - Know Attacks on BGP • Bellovin and Gansner • divert existing traffic to a desired set of nodes • assumes a perfect knowledge of the current network topology • Sunder and Perrig • Coremelt

  34. A Seminar at Advanced Defense Lab Related Work – BGP Attack Prevention • Packet-filtering or push-back techniques • Improving resilience by providing failover paths • BGP behavior analysis

  35. A Seminar at Advanced Defense Lab Thank You

More Related