How Secure are Secure Inter-Domain Routing Protocols?
SIGCOMM 2010
Presenter: kcir
Main Purpose
• Think like a normal node: security analysis of today's inter-domain routing protocols
• Think like a malicious node: strategy and impact analysis of 1) attraction and 2) interception attacks
Some Preliminaries
• AS (Autonomous System): Collection of connected IP prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet.
• BGP (Border Gateway Protocol): Protocol used by ASes to find and announce paths.
[Figure: BGP announcement example. One AS announces "I have 140.112.xxx.xxx"; the others announce "I know a path towards 140.112.xxx.xxx". Address shown: 140.112.123.45]
Outline
• Modeling
• BGP Protocols
• Attraction Attack
• Interception Attack
• Finding the Optimal Attack
• Conclusion
Outline
• Modeling
- Inter-domain routing
- Routing policies
- Threat Models
• BGP Protocols
• Attraction Attack
• Interception Attack
• Finding the Optimal Attack
• Conclusion
Inter-Domain Routing Graph
• Dataset: measurements of real-world AS topologies
• The graph is static relative to protocol execution.
Nodes
• Routing policy 1: Path ranking
• Routing policy 2: Export policy
Edges
• Customer-provider link
• Peer-to-peer link
Routing Policy
• Policies differ between ASes, but some iron rules hold globally.
• Path Ranking
- Loop avoidance
- Local preference: customer > peer > provider
- Shortest path
- Tie break
Routing Policy
• Export Policy
- An AS should only be willing to load its own network with transit traffic if it gets paid to do so.
- AS b will only announce a path via AS c to AS a if at least one of a and c is a customer of b.
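
The path-ranking and export rules from the two Routing Policy slides, run as a small routing simulation. This is an added example, not code from the presentation or the paper; the topology, the AS names, the function names and the next-hop-name tie break are assumptions.

```python
PREF = {"customer": 0, "peer": 1, "provider": 2}  # local preference order

def build(c2p, p2p):
    """rel[a][n] = what neighbor n is to a: customer, peer or provider."""
    rel = {}
    for cust, prov in c2p:
        rel.setdefault(cust, {})[prov] = "provider"
        rel.setdefault(prov, {})[cust] = "customer"
    for a, b in p2p:
        rel.setdefault(a, {})[b] = "peer"
        rel.setdefault(b, {})[a] = "peer"
    return rel

def may_export(rel, b, c, a):
    """Export policy: b announces a path via c to a only if at least one
    of a and c is b's customer. c is None when b originates the prefix."""
    return c is None or "customer" in (rel[b][a], rel[b][c])

def rank(rel, a, path):
    """Sort key, lower wins: local preference, path length, then a tie break
    on next-hop name (the tie-break rule is an assumption)."""
    return (PREF[rel[a][path[0]]], len(path), path[0])

def converge(rel, origin, max_rounds=100):
    """Return {AS: chosen path}; a path lists the hops after AS up to origin."""
    best = {origin: ()}
    for _ in range(max_rounds):
        changed = False
        for a in sorted(set(rel) - {origin}):
            cands = []
            for n in rel[a]:
                p = best.get(n)
                if p is None or a in p:  # n has no route / loop avoidance
                    continue
                if may_export(rel, n, p[0] if p else None, a):
                    cands.append((n,) + p)
            new = min(cands, key=lambda q: rank(rel, a, q)) if cands else None
            if new != best.get(a):
                changed = True
                best.pop(a, None)
                if new is not None:
                    best[a] = new
        if not changed:
            return best
    raise RuntimeError("routing did not converge")

# Constructed topology: (customer, provider) links first, then peer links.
REL = build([("v", "B"), ("B", "A"), ("C", "P")], [("A", "v"), ("A", "P"), ("P", "Q")])
ROUTES = converge(REL, "v")
print(ROUTES)
```

In this topology A prefers the longer customer path via B over its direct peer link to v, and Q ends up with no route because P will not export a peer-learned path to another peer.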
Threat Models
• Single manipulator, single victim
• Attraction attack
• Interception attack (attraction attack without the ‘blackhole’ effect)
• Quantifying the impact of an attack: fraction of traffic attracted to the manipulator.
Outline
• Modeling
• BGP Protocols
- BGP
- Origin Authentication
- soBGP
- S-BGP
- Defensive filtering
• Attraction Attack
• Interception Attack
• Finding the Optimal Attack
• Conclusion
BGP
• Border Gateway Protocol
• No validation; naively trusts all information it receives.
Attack: Prefix hijack
Impact: 75% of traffic attracted.
Origin Authentication
• Requires a trusted database to guarantee the legitimacy of prefix ownership.
• Blunts hijackers.
• Only guarantees the ‘origin’, i.e. the end node of a path.
Attack: false path announcement
Impact: 25% of traffic attracted.
soBGP
• Secure Origin BGP
• Requires a trusted database to guarantee that the path physically exists.
Attack: announce paths that do not obey the preference (customer > peer > provider).
Impact: 10% of traffic attracted.
S-BGP
• Secure BGP
• Uses cryptographic signatures to guarantee that the path was legitimately announced.
Attack: announce paths that do not obey the business model. (Announce a shorter, expensive provider path, while actually forwarding traffic on the cheaper, longer customer path.)
Impact: 1.7% of traffic attracted.
Defensive Filtering
• This is not a protocol but rather a policy.
• Stub AS: AS that does not have any customers.
• Defensive filtering = Blocking stub announcements
The usefulness of this policy will be shown later.
Outline
• Modeling
• BGP Protocols
• Attraction Attack
- Strategy
- Performance
- Possible affecting factors
• Interception Attack
• Finding the Optimal Attack
• Conclusion
Strategy
“Shortest-Path Export-All”
• Announce the shortest path that will not be detected as bogus.
• Export the path to every neighbor.
Performance
• DF (defensive filtering) is crucial (85% of ASes are stubs)
• BGP: uniform dist.
• soBGP & S-BGP: identical.
[Figure: axes "Fraction of Attraction" and "Probability"; label "P(Finding shorter path)"]
Possible Affecting Factors
• Path length
• Export policy
• Shortest-All vs. Normal-All
• Normal-All vs. Normal-Normal
Export policy dominates path length.
[Figure: axis "Probability"; label "S-BGP"]
Outline
• Modeling
• BGP Protocols
• Attraction Attack
• Interception Attack
- Avoiding blackhole effect
- Strategy
- Performance
• Finding the Optimal Attack
• Conclusion
Avoiding Blackhole Effect
[Figure: labeled "blackhole"]
Avoiding Blackhole Effect
• Taking the “Shortest-path, Export-all” strategy.
• Tier 1 AS: > 250 customers
• Tier 2 AS: > 25 customers
• The probabilities of the blackhole effect differ between types of manipulators.
• The result is supported by [Gao01]
Strategy
• “Shortest-Available-path, Export-all”: mimics soBGP and S-BGP to announce only available paths.
• “Hybrid Interception”
- Run “Shortest-path, Export-all”
- Check if an available path exists; if yes, announce; if no, continue.
- Run “Shortest-Available-path, Export-all”
Performance
• Announce All: ignore blackhole effect.
• Hybrid Interception: > 10% attracted with more than a 50% chance!
Outline
• Modeling
• BGP Protocols
• Attraction Attack
• Interception Attack
• Finding the Optimal Attack Strategy
- Longer path announcement
- Export to fewer neighbors
- Exploiting loop detection
- Finding the optimal attack is NP-Hard
• Conclusion
Finding The Optimal Attack Strategy
• So far, the strategies we introduced (for both attraction and interception attacks) are heuristic guesses, still far from optimal.
• In some cases, counterintuitive strategies may have a more severe impact.
- Longer path announcement
- Fewer exporting
- Exploiting the loop detection mechanism
Longer Path Announcement
• soBGP, S-BGP running
• Short: (m,a1,v,Prefix); Long: (m,a2,a3,v,Prefix)
• A customer edge is preferred over a peer edge
• 16% attraction -> 56%
[Figure: panels "Short" and "Long"]
Export to Fewer Neighbors
• soBGP, S-BGP running
• All: T1a,T2a,T2,v; Fewer: T1a,T2a,T2,v
• Forcing T2 to detour, making it unpopular.
• 40% attraction -> 50%
[Figure: panels "Export All" and "Export fewer"]
Exploiting Loop Detection
• BGP running (hijacking)
• Normal: (m,Prefix); Loop: (m,a2,Prefix)
• Paralyzing a2-a1, making T1a more popular.
• 32010 attractions -> 32370
[Figure: panels "Loop" and "Normal"]
Finding The Optimal Attack is NP-Hard
• [Goldberg10] and [Gao01]
• Sketch of proof
• The ‘DILEMMA’ pattern
Outline
• Modeling
• BGP Protocols
• Attraction Attack
• Interception Attack
• Finding the Optimal Attack
• Conclusion
Conclusion
• Today's BGP protocols are still not capable of dealing with inter-domain traffic attacks.
- Hard to detect
- Hard to define
• This work only provides lower bounds on the impact of attacks, which are already concerning enough.
• Finding the optimal attack strategy is proven to be NP-hard, which means that the competition between manipulators and defenders may never end.