
Detecting Selective Dropping Attacks in BGP





Presentation Transcript


  1. Detecting Selective Dropping Attacks in BGP
  Mooi Chuah, Kun Huang
  {chuah,kuh205}@cse.lehigh.edu
  November 2006

  2. Outline
  • BGP Security Issues
  • Selective Dropping Attack
  • Detecting Selective Dropping Attack
  • Evaluation of IANP on DETER
  • Conclusion

  3. BGP Security Issues
  • BGP4 (RFC 1771)
  • Inter-domain routing between Autonomous Systems (ASes)
  • Path vector protocol; shortest AS_PATH preferred in the absence of policy
  • Policy-based routing [Gao]
  • E.g. a customer will not export routes learned from one provider to another provider
  • Messages of interest (BGP UPDATEs):
  • ANNOUNCE: AS_PATH, PREFIX
  • WITHDRAW: PREFIX

  4. BGP Security Issues
  • Vulnerabilities
  • No encryption: eavesdropping
  • No timestamp: replay
  • No signature: masquerading
  • MOAS: multiple origin AS
  • Selective dropping
  • Proposed solutions
  • S-BGP, soBGP, Pretty Good BGP

  5. Selective Dropping Attack
  • AS3 uses path 3-2-1 to reach prefix 1
  • Link 1-2 breaks
  • AS2 filters (drops) the WITHDRAW for PREFIX 1 that it should forward to AS3
  • AS3 keeps using the stale path 3-2-1 for prefix 1
  • AS2 now has full control of AS3's traffic to prefix 1 (it can blackhole or inspect it)
  [Figure: AS1 (Prefix 1) -- AS2 (Prefix 2) -- AS3 (Prefix 3), AS4 (Prefix 4); AS2 receives "W: 1" (withdraw of prefix 1) but does not pass it on to AS3]

  6. Detecting Selective Dropping Attack
  • Instability Analysis with Neighbor Probing (IANP)
  • Identify key events by the BGP message volume seen at a particular monitor node
  • Use the instability locating algorithm [Mao] to locate an instability, e.g. a link break
  • Check the located instability against the monitor's routing table to detect poisoned routes, and correct them if found, e.g. a route still using the broken link
  • Issue a warning message to neighbors when a selective dropping attack is suspected (the message includes the instability information)
  • Issue a probing message to neighbors when the locating algorithm fails to find the source of the instability (the message includes the burst period)

  7. Detecting Selective Dropping Attack
  • Instability analysis: link 1-2 breaks
  • At AS4 we observe:
  • Routes not changed:
  • to prefix 1 via AS1: 4-1
  • to prefix 5 via AS1: 4-1-5
  • …
  • Links of unchanged routes form the candidate stable set: {1-4, 1-5, …}
  • Routes changed:
  • to prefix 2 via AS1: 4-1-2 -> 4-1-5-2
  • Links in the old path but not in the new one form the candidate instable set for prefix 2: {1-2}
  • So (intersection of the candidate instable sets over all changed prefixes) minus (union of the candidate stable sets over all prefixes) = {1-2} is instable; flood warnings
  [Figure: AS1 (Prefix 1), AS2 (Prefix 2), AS3 (Prefix 3), AS4 (Prefix 4), AS5 (Prefix 5); "W: 1" is the withdraw of prefix 1 after link 1-2 breaks]

  8. Detecting Selective Dropping Attack
  [Flowchart: classify events -> compute instable set per event -> combine into the final instable set]

  9. Detecting Selective Dropping Attack
  • Detecting malicious routes
  • AS4 finds the 1-2 link break and its warning message reaches AS3; AS3's routing table still contains 3-2-1
  • Disable the 3-2-1 route
  • Use the 3-4-1 route instead
  [Figure: AS1 (Prefix 1), AS2 (Prefix 2), AS3 (Prefix 3), AS4 (Prefix 4), AS5 (Prefix 5); "W: 1" is the withdraw of prefix 1 dropped by AS2]
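The instability analysis of slide 7 and the poisoned-route check of slide 9, written out as an added example (this is not the authors' IANP code). The topology and the routing tables are constructed from the AS1..AS5 figures; the per-monitor RIBs, the Adj-RIB-In at AS3 and the function names are assumptions made for the example. Unlike the slide, the locating function also handles the case where the per-prefix candidate sets do not intersect, which is where IANP falls back to probing neighbors.

```python
"""Instability analysis and poisoned-route repair in the style of IANP.

Added example; not the authors' code. Topology, RIB contents and names
are constructed for illustration. AS paths are tuples starting at the
monitor AS, e.g. (4, 1, 2) is AS_PATH 4-1-2 as seen at AS4.
"""


def links(path):
    """Undirected links traversed by an AS_PATH: (4,1,2) -> {(1,2), (1,4)}."""
    return {tuple(sorted(hop)) for hop in zip(path, path[1:])}


def locate_instability(old_rib, new_rib):
    """Slide 7: compare a monitor's best routes before and after a burst.

    Links of unchanged routes are candidate-stable.  For each changed
    prefix, links present in the old path but absent from the new path
    are candidate-instable.  The instable set is the intersection of the
    per-prefix candidate-instable sets minus the union of stable links.
    Returns an empty set when the event cannot be localized (the case in
    which the slides send a probing message instead of a warning).
    """
    stable = set()
    instable_per_prefix = []
    for prefix, old_path in old_rib.items():
        new_path = new_rib.get(prefix)
        if new_path == old_path:
            stable |= links(old_path)
            continue
        cand = links(old_path) - links(new_path or ())
        if cand:
            instable_per_prefix.append(cand)
    if not instable_per_prefix:
        return set()
    return set.intersection(*instable_per_prefix) - stable


def poisoned_routes(best_rib, instable):
    """Slide 9: prefixes whose best AS_PATH still crosses an instable link."""
    return {p for p, path in best_rib.items() if links(path) & instable}


def repair(adj_rib_in, instable):
    """Drop every candidate path that crosses a broken link and reselect
    the shortest surviving path per prefix (plain shortest-AS_PATH choice,
    no local policy).  Prefixes with no surviving path are withdrawn."""
    best = {}
    for prefix, candidates in adj_rib_in.items():
        alive = [p for p in candidates if not links(p) & instable]
        if alive:
            best[prefix] = min(alive, key=len)
    return best


def damage_cost(best_ribs, instable):
    """Slide 12 metric: poisoned best routes / total best routes, summed
    over all monitors' best-route tables."""
    total = sum(len(r) for r in best_ribs.values())
    poisoned = sum(len(poisoned_routes(r, instable)) for r in best_ribs.values())
    return poisoned / total if total else 0.0


# Constructed routing tables.  AS4's best routes before and after link 1-2 breaks.
AS4_BEFORE = {1: (4, 1), 2: (4, 1, 2), 3: (4, 3), 5: (4, 1, 5)}
AS4_AFTER = {1: (4, 1), 2: (4, 1, 5, 2), 3: (4, 3), 5: (4, 1, 5)}

# AS3's Adj-RIB-In: AS2 dropped the WITHDRAW, so 3-2-1 is still a candidate.
AS3_ADJ_RIB_IN = {
    1: [(3, 2, 1), (3, 4, 1)],
    2: [(3, 2)],
    4: [(3, 4)],
    5: [(3, 2, 1, 5), (3, 4, 1, 5)],
}


def as3_best_before_warning():
    """AS3's best routes while it still trusts the stale 3-2-1 path."""
    return {p: min(c, key=len) for p, c in AS3_ADJ_RIB_IN.items()}


if __name__ == "__main__":
    broken = locate_instability(AS4_BEFORE, AS4_AFTER)
    print("AS4 localized instability:", broken)
    stale = as3_best_before_warning()
    print("AS3 poisoned best routes before warning:", poisoned_routes(stale, broken))
    print("AS3 best routes after warning:", repair(AS3_ADJ_RIB_IN, broken))
    print("damage cost over AS3+AS4 before warning:",
          damage_cost({"AS3": stale, "AS4": AS4_AFTER}, broken))
```

Running it, AS4 localizes {(1, 2)} from its own table changes alone; AS3 cannot see the break (AS2 dropped the WITHDRAW) but, once the warning arrives, the routes 3-2-1 and 3-2-1-5 are identified as poisoned and replaced by 3-4-1 and 3-4-1-5. Tie-breaking between equal-length paths is by Adj-RIB-In order here; a real router applies LOCAL_PREF and the rest of the BGP decision process first.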

  10. Detecting Selective Dropping Attack
  [Figure: possible warning and probing message flows between neighbors]

  11. Detecting Selective Dropping Attack
  • Warning and probing
  • If the source of the instability cannot be located, probe neighbors within Q hops (e.g. Q=1)
  • If an attack is suspected, warn neighbors within K hops (e.g. K=2)
  • Router scoring
  • Score a BGP router's reputation by counting the warning messages raised against it

  12. Evaluation of IANP on DETER
  • Setup
  • Three 30-node topologies generated by BRITE
  • Emulation on DETER using the Quagga package
  • 10 experiments per topology
  • In each experiment one link is broken and one node launches a selective dropping attack against a neighbor node
  • BGP messages and routing tables post-processed with the IANP module
  • Warnings sent to neighbors within 2 hops
  • Metric
  • Damage Cost = # of poisoned best routes / # of total best routes
  • # of total best routes = 30 * 29 = 870

  13. Evaluation of IANP on DETER
  • Test 1: node 14 drops messages to node 15
  [Figure: topology 1 with the broken link and the attacker]

  14. Evaluation of IANP on DETER
  • Test 1 results (W1 = unable to locate instability, DC = damage cost)
  [Table: per-experiment W1 and DC, with and without IANP warnings]

  15. Evaluation of IANP on DETER
  • Test 2: node 16 drops messages to node 23
  [Figure: topology 2 with the broken link and the attacker]

  16. Evaluation of IANP on DETER
  • Test 2 results (W1 = unable to locate instability, DC = damage cost)
  [Table: per-experiment W1 and DC, with and without IANP warnings]

  17. Evaluation of IANP on DETER
  • Test 3: node 15 drops messages to node 23
  [Figure: topology 3 with the broken link and the attacker]

  18. Evaluation of IANP on DETER
  • Test 3 results (W1 = unable to locate instability, DC = damage cost)
  [Table: per-experiment W1 and DC, with and without IANP warnings]

  19. Evaluation of IANP on DETER
  • Overall performance
  • Without IANP
  • 0-30% of ASes cannot find the broken link
  • Damage cost ranges from 0 to 22.7%
  • With IANP, no warnings
  • Failure to find the broken link decreases by 0-23 percentage points
  • Damage cost is very low: max 4.8%, mostly below 2.0%
  • With IANP and warnings
  • Every AS finds the broken link
  • Damage cost decreases to 0

  20. Conclusion
  • Encryption and authentication do not mitigate the selective dropping attack: the dropped WITHDRAW is a message that was never sent, so there is nothing to verify
  • Instability analysis provides useful information for detecting selective dropping
  • The standalone IANP version reduces damage cost
  • The IANP warning version reduces damage cost to 0
  • IANP is promising and worth further research:
  • Impact of the warning scope on damage cost and on message overhead
  • Deployment of IANP based on the Internet topology hierarchy
  • Large-scale simulation at Internet scale
