How Secure are Secure Inter-Domain Routing Protocols? SIGCOMM 2010. Presenter: kcir
Main Purpose
Think like a normal node: security analysis of today's inter-domain routing protocols.
Think like a malicious node: strategy and impact analysis of (1) traffic attraction and (2) traffic interception attacks.
Some Preliminaries
AS (Autonomous System): a collection of connected IP prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet.
BGP (Border Gateway Protocol): the protocol ASes use to learn and announce paths to IP prefixes.
(Figure: one AS announces "I have xx"; a neighbor re-announces "I know a path towards xxx".)
Outline Modeling BGP Protocols Attraction Attack Interception Attack Finding the Optimal Attack Conclusion
Outline Modeling - Inter-domain routing - Routing policies - Threat Models BGP Protocols Attraction Attack Interception Attack Finding the Optimal Attack Conclusion
Inter-Domain Routing Graph
Dataset: measured real-world AS topologies. The graph is treated as static relative to protocol execution.
Nodes (ASes) carry the routing policy: policy 1 is path ranking, policy 2 is export policy.
Edges are either customer-provider links or peer-to-peer links.
Routing Policy
Policies differ from AS to AS, but a few rules are assumed to hold globally (the Gao-Rexford model).
Path Ranking
1. Loop avoidance: reject any path that already contains this AS.
2. Local preference: customer > peer > provider.
3. Shortest AS path.
4. Tie break.
Routing Policy
Export Policy
- An AS should only be willing to load its own network with transit traffic if it gets paid to do so.
- Hence AS b announces a path via AS c to AS a only if at least one of a and c is a customer of b.
Threat Models
Single manipulator, single victim (prefix).
Attraction attack: draw traffic destined for the victim toward the manipulator.
Interception attack: an attraction attack without the "blackhole" effect, i.e. the manipulator keeps a working path to the victim and can forward the attracted traffic on.
Quantifying the impact of an attack: the fraction of ASes (and hence traffic) attracted to the manipulator.
Outline Modeling BGP Protocols - BGP - Origin Authentication - soBGP - S-BGP - Defensive filtering Attraction Attack Interception Attack Finding the Optimal Attack Conclusion
BGP (Border Gateway Protocol)
No validation at all; every announcement is trusted as received.
Attack: prefix hijack (the manipulator simply originates the victim's prefix).
Impact in the running example: 75% of ASes attracted.
Origin Authentication
Requires a trusted database mapping each prefix to its legitimate owner, which blocks bare hijacks.
Only the "origin", i.e. the end node of the path, is verified; the rest of the path is not.
Attack: false path announcement (claim a direct link to the legitimate origin).
Impact: 25% of ASes attracted.
soBGP (Secure Origin BGP)
Additionally requires a trusted database of AS-level links, so an announced path must physically exist in the topology.
Attack: announce a path that exists in the AS graph but that the manipulator never actually received (one the export policy would never have delivered to it).
Impact: 10% of ASes attracted.
S-BGP (Secure BGP)
Every AS cryptographically signs the path it announces, so the manipulator can only announce paths that were really announced to it.
Attack: announce a legitimately received path in a way that violates the business model, e.g. announce a shorter but expensive provider path while actually forwarding traffic over the cheaper, longer customer path.
Impact: 1.7% of ASes attracted.
Defensive Filtering
Not a protocol but an operational policy.
Stub AS: an AS that has no customers.
Defensive filtering: providers drop announcements from their stub customers for any prefix the stub does not own.
The usefulness of this policy is shown later.
Outline Modeling BGP Protocols Attraction Attack - Strategy - Performance - Possible affecting factors Interception Attack Finding the Optimal Attack Conclusion
Strategy: "Shortest-Path Export-All"
Announce the shortest path that the deployed protocol cannot detect as bogus (BGP: originate the prefix; origin authentication: a fake direct link to the origin; soBGP: the shortest path that exists; S-BGP: the shortest path actually received).
Export that path to every neighbor, ignoring the export policy.
Performance
Defensive filtering is crucial: about 85% of ASes are stubs.
BGP: the fraction attracted is spread roughly uniformly.
soBGP and S-BGP: nearly identical curves.
(Figure: probability vs. fraction of attraction; P(finding a shorter path).)
Possible Affecting Factors
Path length vs. export policy, compared via Shortest-All vs. Normal-All (path length) and Normal-All vs. Normal-Normal (export policy).
Export policy dominates path length.
(Figure: probability, S-BGP.)
Outline Modeling BGP Protocols Attraction Attack Interception Attack - Avoiding blackhole effect - Strategy - Performance Finding the Optimal Attack Conclusion
Avoiding the Blackhole Effect
(Figure: blackhole.) If the manipulator's announcement pulls all of its own neighbors onto paths through the manipulator, it no longer has any loop-free path to the victim and the attracted traffic is dropped instead of intercepted.
Avoiding the Blackhole Effect
Assume the "Shortest-Path, Export-All" strategy.
Tier 1 AS: more than 250 customers. Tier 2 AS: more than 25 customers.
The probability of being blackholed differs between these types of manipulators. The result is consistent with [Gao01].
Strategy
"Shortest-Available-Path, Export-All": mimic what soBGP and S-BGP would enforce anyway and announce only a path the manipulator really has, so it can still forward.
"Hybrid Interception":
1. Run "Shortest-Path, Export-All".
2. Check whether the manipulator still has an available (loop-free) path to the victim; if yes, keep that announcement; if no, continue.
3. Run "Shortest-Available-Path, Export-All".
Performance
Announce-All (ignoring the blackhole effect) gives the upper bound.
Hybrid Interception attracts more than 10% of ASes with probability greater than one half.
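The routing model (path ranking plus the Gao-Rexford export rule), the "Shortest-Path, Export-All" attraction attack and the blackhole check used by Hybrid Interception can all be exercised on a small graph. The following simulator is an added example written for these notes, not code from the paper or the talk; the 10-AS topology, the AS numbers (victim 1, manipulator 9, Tier-1-like provider 10) and the function names are constructed for illustration.

```python
"""Toy BGP simulator with Gao-Rexford policies (constructed example, not from the paper)."""

CUSTOMER, PEER, PROVIDER = 0, 1, 2  # local-preference order: lower ranks better


class ASGraph:
    def __init__(self):
        self.rel = {}  # (a, b) -> how a sees b: CUSTOMER, PEER or PROVIDER

    def add_c2p(self, customer, provider):
        self.rel[(customer, provider)] = PROVIDER
        self.rel[(provider, customer)] = CUSTOMER

    def add_p2p(self, a, b):
        self.rel[(a, b)] = self.rel[(b, a)] = PEER

    def neighbors(self, n):
        return sorted(b for (a, b) in self.rel if a == n)

    def nodes(self):
        return sorted({a for (a, _) in self.rel})


def exports(g, sender, receiver, path):
    """GR export rule: announce a path only if its next hop or the receiver is a
    customer of the sender. The origin of the prefix announces to everyone."""
    if len(path) == 1:
        return True
    return g.rel[(sender, path[1])] == CUSTOMER or g.rel[(sender, receiver)] == CUSTOMER


def rank(g, n, path):
    # path = (n, next_hop, ...): local pref, then length, then lowest next hop
    return (g.rel[(n, path[1])], len(path), path[1])


def best_route(g, n, routes, manipulator=None):
    cands = []
    for u in g.neighbors(n):
        p = routes.get(u)
        if p is None or n in p:  # neighbor has no route, or loop detected
            continue
        # the manipulator runs Export-All; honest ASes obey the export rule
        if u != manipulator and not exports(g, u, n, p):
            continue
        cands.append((n,) + p)
    return min(cands, key=lambda p: rank(g, n, p)) if cands else None


def converge(g, victim, manipulator=None, bogus=None):
    """Iterate route selection to a fixed point. If bogus is given, the
    manipulator's announcement is pinned to that path for the whole run."""
    fixed = {victim: (victim,)}
    if bogus is not None:
        fixed[manipulator] = bogus
    m = manipulator if bogus is not None else None
    routes = dict(fixed)
    while True:
        new = dict(fixed)
        for n in g.nodes():
            if n not in fixed:
                r = best_route(g, n, routes, m)
                if r is not None:
                    new[n] = r
        if new == routes:
            return routes
        routes = new


def attack(g, victim, manipulator, bogus):
    """Return (fraction of other ASes routing via the manipulator, the manipulator's
    own loop-free forwarding path or None if it has been blackholed)."""
    routes = converge(g, victim, manipulator, bogus)
    others = [n for n in g.nodes() if n not in (victim, manipulator)]
    attracted = sum(manipulator in routes.get(n, ()) for n in others) / len(others)
    real = best_route(g, manipulator, routes)  # ignores its own bogus announcement
    return attracted, real


def hybrid_interception(g, victim, manipulator):
    """Hybrid strategy: try the shortest undetectable path (a fake direct link to the
    victim, which passes origin authentication); if that blackholes the manipulator,
    fall back to announcing the path it really has (Shortest-Available-Path)."""
    shortest = (manipulator, victim)
    frac, real = attack(g, victim, manipulator, shortest)
    if real is not None:
        return shortest, frac
    available = converge(g, victim)[manipulator]
    return available, attack(g, victim, manipulator, available)[0]


def build_example():
    """Constructed topology: 10 is a large provider, 1 the victim, 9 the manipulator
    with two providers (3 and 8); 2 and 3 peer with each other."""
    g = ASGraph()
    for c, p in [(1, 2), (4, 2), (2, 10), (3, 10), (9, 3), (5, 3), (6, 10),
                 (7, 8), (8, 10), (9, 8)]:
        g.add_c2p(c, p)
    g.add_p2p(2, 3)
    return g


if __name__ == "__main__":
    g = build_example()
    print("honest routes:", converge(g, 1))
    for bogus in [(9, 1), (9, 3, 2, 1)]:
        frac, real = attack(g, 1, 9, bogus)
        state = "blackholed" if real is None else f"forwards via {real}"
        print(f"announce {bogus}: attracts {frac:.0%}, {state}")
    print("hybrid interception picks:", hybrid_interception(g, 1, 9))
```

On this graph the fake direct link (9, 1) attracts half of the other ASes but both of the manipulator's providers now route through it, so it is blackholed; announcing the genuinely received path (9, 3, 2, 1) to all neighbors (which S-BGP cannot reject) still attracts provider 8 and its customer 7, because 8 prefers a customer route even when it is longer, and the manipulator keeps its real path via 3.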
Outline Modeling BGP Protocols Attraction Attack Interception Attack Finding the Optimal Attack Strategy - Longer path announcement - Export to fewer neighbors - Exploiting loop detection - Finding the optimal attack is NP-Hard Conclusion
Finding the Optimal Attack Strategy
The strategies introduced so far (for both attraction and interception attacks) are heuristics, still far from optimal. In some cases strategies that go against intuition have a more severe impact:
- announcing a longer path
- exporting to fewer neighbors
- exploiting the loop detection mechanism
Longer Path Announcement (soBGP or S-BGP running)
Short: (m, a1, v, prefix); Long: (m, a2, a3, v, prefix).
Because a customer edge is preferred over a peer edge, the longer path is adopted more widely: attraction rises from 16% to 56%. (Figure: Short vs. Long.)
Export to Fewer Neighbors (soBGP or S-BGP running)
ASes in the example: T1a, T2a, T2, v.
Withholding the announcement from some neighbors forces T2 to detour, which makes the route via T2 unpopular: attraction rises from 40% to 50%. (Figure: Export All vs. Export Fewer.)
Exploiting Loop Detection (plain BGP, hijack)
Normal: (m, prefix); Loop: (m, a2, prefix).
Including a2 in the announced path makes a2 discard it as a loop, paralyzing the a2-a1 route and making T1a's route more popular. (Figure: attraction, Normal vs. Loop.)
Finding the Optimal Attack is NP-Hard ([Goldberg10], [Gao01])
Sketch of proof: built around the "DILEMMA" pattern.
Outline Modeling BGP Protocols Attraction Attack Interception Attack Finding the Optimal Attack Conclusion
Conclusion
Today's BGP variants are still not capable of dealing with inter-domain traffic attacks:
- attacks are hard to detect
- attacks are hard to define
This work only provides lower bounds on the impact of attacks, which is already concerning enough.
Finding the optimal attack strategy is proved to be NP-hard, which means the competition between manipulators and defenders may never end.