Detecting Selective Dropping Attacks in BGP
Mooi Chuah, Kun Huang
November 2006

Outline
- BGP Security Issues
- Selective Dropping Attack
- Detecting Selective Dropping Attack
- Evaluation of IANP on DETER
- Conclusion
BGP Security Issues
- BGP4 (RFC 1771; obsoleted by RFC 4271 in January 2006)
- Inter-domain routing between Autonomous Systems (ASes)
- Path vector protocol; among the routes that policy allows, the shortest AS_PATH is preferred
- Policy-based routing [Gao], e.g. a customer will not export routes learned from one provider to another provider
- Messages of interest (BGP UPDATE):
  - ANNOUNCE: AS_PATH, PREFIX
  - WITHDRAW: PREFIX

BGP Security Issues: Vulnerabilities
- No encryption: eavesdropping
- No timestamp: replaying
- No signature: masquerading
- MOAS (multiple origin AS): the same prefix originated by more than one AS
- Selective dropping (the subject of this talk)
- Proposed solutions: S-BGP, soBGP, Pretty Good BGP (all address origin and path authentication; see Conclusion for why they do not stop selective dropping)
Selective Dropping Attack
- AS3 uses the path through AS2 (3-2-1) to reach prefix 1
- Link 1-2 breaks, so AS2 loses its route to prefix 1 and should send WITHDRAW prefix 1 to AS3
- AS2 filters (drops) that WITHDRAW instead of forwarding it to AS3
- AS3 keeps using the stale path for prefix 1
- Result: AS2 has full control of the traffic from AS3 to prefix 1 (it can drop or redirect it)
[Figure: AS1 (prefix 1), AS2 (prefix 2), AS3 (prefix 3), AS4 (prefix 4); "W: 1" marks the withdraw of prefix 1 on the broken link 1-2]
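The attack above, as an added example that is not part of the original slides: a minimal BGP update propagation over the slide's ASes (links 1-2, 2-3 and 1-4 are taken from the figure; the message tuples, the shortest-AS_PATH tie-break and the `drop_withdraws_to` attack knob are this example's own simplifications). AS1 originates prefix 1, AS2 re-announces it to AS3, the link 1-2 is torn down, and AS2 either forwards the resulting WITHDRAW honestly or suppresses it.

```python
"""Selective dropping of a WITHDRAW (added example on a constructed topology).

AS1 originates prefix 1; AS2 learns it over link 1-2 and re-announces it to
AS3 with AS_PATH (2, 1).  When link 1-2 breaks, AS2 sees the route go away
but, as the attacker, suppresses the WITHDRAW towards AS3.  AS3 keeps the
stale path and keeps sending prefix-1 traffic to AS2.  The honest case is
run alongside for comparison.
"""
from collections import deque

class AS:
    def __init__(self, asn, drop_withdraws_to=()):
        self.asn = asn
        self.neighbors = set()
        self.rib = {}                                   # prefix -> {neighbor: as_path}
        self.drop_withdraws_to = set(drop_withdraws_to)  # attack knob: who never gets a WITHDRAW

    def best(self, prefix):
        """Best route: the shortest AS_PATH among those learned (None if none)."""
        return min(self.rib.get(prefix, {}).values(), key=len, default=None)

def run(net, messages):
    """Deliver (sender, receiver, kind, prefix, as_path) updates until quiet; return the log."""
    log, queue = [], deque(messages)
    while queue:
        sender, receiver, kind, prefix, path = queue.popleft()
        log.append((sender, receiver, kind, prefix, path))
        node = net[receiver]
        old = node.best(prefix)
        if kind == "ANNOUNCE":
            if receiver in path:                        # AS_PATH loop: ignore
                continue
            node.rib.setdefault(prefix, {})[sender] = path
        else:                                           # WITHDRAW
            node.rib.get(prefix, {}).pop(sender, None)
        new = node.best(prefix)
        if new == old:
            continue                                    # best route unchanged: nothing to tell neighbors
        for n in sorted(node.neighbors - {sender}):
            if new is None:
                if n in node.drop_withdraws_to:
                    continue                            # the attack: WITHDRAW silently dropped
                queue.append((receiver, n, "WITHDRAW", prefix, None))
            else:
                queue.append((receiver, n, "ANNOUNCE", prefix, (receiver,) + new))
    return log

def break_link(net, a, b):
    """Tear down session a-b; return the implicit withdraws each side sees for routes learned over it."""
    msgs = []
    for me, other in ((a, b), (b, a)):
        net[me].neighbors.discard(other)
        for prefix, paths in net[me].rib.items():
            if other in paths:
                msgs.append((other, me, "WITHDRAW", prefix, None))
    return msgs

def build(attacker_drops):
    """Constructed topology from the slide figure: links 1-2, 2-3, 1-4."""
    net = {asn: AS(asn) for asn in (1, 2, 3, 4)}
    if attacker_drops:
        net[2].drop_withdraws_to.add(3)                 # AS2 never forwards WITHDRAWs to AS3
    for a, b in ((1, 2), (2, 3), (1, 4)):
        net[a].neighbors.add(b)
        net[b].neighbors.add(a)
    return net

def simulate(attacker_drops):
    """Return AS3's best route for prefix 1 after link 1-2 breaks."""
    net = build(attacker_drops)
    run(net, [(1, n, "ANNOUNCE", "prefix1", (1,)) for n in sorted(net[1].neighbors)])
    assert net[3].best("prefix1") == (2, 1)             # steady state before the break
    run(net, break_link(net, 1, 2))
    return net[3].best("prefix1")

if __name__ == "__main__":
    print("honest AS2:   AS3 route to prefix 1 =", simulate(False))
    print("dropping AS2: AS3 route to prefix 1 =", simulate(True))
```

With an honest AS2 the withdraw reaches AS3 and its route to prefix 1 disappears; with the dropping AS2 the stale path (2, 1) survives, which is exactly the state the detection in the following slides has to recognise from outside AS3.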
Detecting Selective Dropping Attack: Instability Analysis with Neighbor Probing (IANP)
- Identify key events from the volume of BGP messages seen at a particular monitor node (bursts of updates)
- Use a locating-instability algorithm [Mao] to locate the instability, e.g. a link break
- Check the located instability against the monitor's routing table to detect poisoned routes, e.g. a route whose AS_PATH still uses the broken link, and correct them if found
- Issue a warning message to neighbors when a selective dropping attack is suspected (the message carries the instability information)
- Issue a probing message to neighbors when the locating algorithm fails to find the source of the instability (the message carries the burst period)
Detecting Selective Dropping Attack: Instability Analysis
Example: link 1-2 breaks. At AS4 we know:
- Routes not changed: to prefix 1 via AS1 (path 4-1), to prefix 5 via AS1 (path 4-1-5), ... -> candidate stable set {1-4, 1-5, ...}
- Routes changed: to prefix 2 via AS1 (path 4-1-2) -> candidate unstable set for prefix 2 {1-2} (link 1-4 is already known stable)
- Unstable set = (intersection over changed prefixes of the candidate unstable sets) minus (union over unchanged prefixes of the candidate stable sets) = {1-2}
- So link 1-2 is unstable; AS4 floods warnings
[Figure: AS1 (prefix 1), AS2 (prefix 2), AS3 (prefix 3), AS4 (prefix 4), AS5 (prefix 5); "W: 1" on the broken link 1-2]

[Flowchart: classify events -> compute unstable set per prefix -> combine into the final unstable set]
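The set computation on the slide, as an added example that is not the authors' IANP code: two snapshots of one monitor's best routes (before and after the burst) are compared, links on the old AS_PATH of every changed prefix are intersected, links on the AS_PATH of every unchanged prefix are subtracted, and the result decides between a warning and a probe. The snapshots are constructed for monitor AS4 from the slide figure, and the message dictionaries, `burst_period`, `q_hops` and `k_hops` are this example's own format.

```python
"""Instability localization from two routing-table snapshots (added example).

    unstable = (intersection of candidate-unstable link sets)
               - (union of candidate-stable link sets)

If exactly one link remains the monitor warns (K hops); otherwise the
locating step has failed and the monitor probes its neighbors (Q hops)
with the burst period, as the slide describes.
"""

def path_links(as_path):
    """Inter-AS links of an AS_PATH as unordered pairs, e.g. (4, 1, 2) -> {4-1, 1-2}."""
    return {frozenset(pair) for pair in zip(as_path, as_path[1:])}

def locate_instability(before, after):
    """before/after: {prefix: as_path_tuple} best routes at one monitor.
    A prefix missing from `after` was withdrawn.
    Returns (unstable_links, changed_prefixes)."""
    candidate_unstable = None          # intersection accumulator
    candidate_stable = set()           # union accumulator
    changed = []
    for prefix, old_path in before.items():
        if after.get(prefix) == old_path:
            candidate_stable |= path_links(old_path)
        else:
            changed.append(prefix)
            links = path_links(old_path)
            candidate_unstable = links if candidate_unstable is None else candidate_unstable & links
    if candidate_unstable is None:     # no route changed: nothing to locate
        return set(), changed
    return candidate_unstable - candidate_stable, changed

def next_message(unstable_links, burst_period, q_hops=1, k_hops=2):
    """Warning when one link is located, probe otherwise (example message format)."""
    if len(unstable_links) == 1:
        (link,) = unstable_links
        return {"type": "WARNING", "link": tuple(sorted(link)), "hops": k_hops}
    return {"type": "PROBE", "burst_period": burst_period, "hops": q_hops}

# Monitor AS4 before and after link 1-2 breaks (constructed data, not the paper's).
BEFORE = {"prefix1": (4, 1), "prefix2": (4, 1, 2), "prefix3": (4, 1, 2, 3), "prefix5": (4, 1, 5)}
AFTER = {"prefix1": (4, 1), "prefix5": (4, 1, 5)}     # prefixes 2 and 3 were withdrawn

if __name__ == "__main__":
    links, changed = locate_instability(BEFORE, AFTER)
    print(sorted(tuple(sorted(l)) for l in links), changed)
    print(next_message(links, burst_period=(100, 130)))
    # A monitor whose only route changed cannot cancel its own access link 4-1,
    # so localization is ambiguous and it must probe instead.
    print(next_message(locate_instability({"prefix3": (4, 1, 2, 3)}, {})[0], (100, 130)))
```

The second call shows the failure mode that motivates probing: with no unchanged route to subtract, the monitor's own access link and every link downstream of the break stay in the candidate set, so the monitor cannot name a single broken link and asks its neighbors for their view of the same burst period.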
Detecting Selective Dropping Attack: Detecting Malicious Routes
- AS4 finds the 1-2 link break; its warning message reaches AS3
- AS3 checks its routing table: the route to prefix 1 via AS2 uses link 1-2, so it is a stale (poisoned) route and is disabled
- AS3 uses a route that avoids link 1-2 instead
[Figure: AS1 (prefix 1), AS2 (prefix 2), AS3 (prefix 3), AS4 (prefix 4), AS5 (prefix 5); "W: 1" on link 1-2; AS3's table annotated "Disable route" / "Use route"]

[Figure: warning and probing message flow; a node that cannot locate the instability probes its neighbors, a node that suspects an attack sends a possible warning]

Detecting Selective Dropping Attack: Warning and Probing
- If the monitor cannot locate the source of the instability, probe neighbors within Q hops (e.g. Q = 1)
- If it suspects an attack, warn neighbors within K hops (e.g. K = 2)
- Router scoring: score a BGP router's reputation by counting warning messages
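How a neighbor acts on a warning, covering both the "Detecting Malicious Routes" and the "Warning and Probing" slides, as an added example rather than the authors' implementation: the receiving AS disables every best route whose AS_PATH crosses the broken link, falls back to an alternative from its Adj-RIB-In that avoids the link, re-forwards the warning while the K-hop budget lasts, and counts one warning against the next-hop AS that kept advertising each poisoned route. The `IanpWarning` layout, the `Rib` layout and attributing the score to that next hop are this example's assumptions (the slide only says reputation is scored by counting warnings); AS3's routes are constructed from the slide figure.

```python
"""Handling an IANP warning at a neighbor (added example)."""
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class IanpWarning:
    broken_link: frozenset     # e.g. frozenset({1, 2})
    origin_as: int             # AS that located the instability
    sender: int                # neighbor this copy arrived from
    hops_left: int             # K at the originator, decremented on each forward

@dataclass
class Rib:
    """One AS: prefix -> candidate AS_PATHs (next-hop AS first), best route first."""
    local_as: int
    neighbors: set
    routes: dict
    poisoned: list = field(default_factory=list)
    scores: Counter = field(default_factory=Counter)   # AS -> warnings counted against it

def traverses(as_path, link):
    """True if the AS_PATH crosses `link` (an unordered AS pair)."""
    return any(frozenset(hop) == link for hop in zip(as_path, as_path[1:]))

def handle_warning(rib, w):
    """Apply warning `w`; return (corrected best routes, warnings to forward)."""
    best = {}
    for prefix, paths in rib.routes.items():
        current = paths[0]
        if not traverses(current, w.broken_link):
            best[prefix] = current
            continue
        rib.poisoned.append((prefix, current))         # stale route: disable it
        rib.scores[current[0]] += 1                    # next hop that should have withdrawn (assumption)
        clean = [p for p in paths[1:] if not traverses(p, w.broken_link)]
        if clean:                                      # otherwise the prefix is unreachable for now
            best[prefix] = clean[0]
    forwards = []
    if w.hops_left > 1:                                # this delivery consumed one hop
        for n in sorted(rib.neighbors - {w.sender}):
            forwards.append((n, IanpWarning(w.broken_link, w.origin_as, rib.local_as, w.hops_left - 1)))
    return best, forwards

def build_as3_rib():
    """AS3 with neighbors AS2 and AS4; the paths via AS2 cross link 1-2 (constructed)."""
    return Rib(local_as=3, neighbors={2, 4}, routes={
        "prefix1": [(2, 1), (4, 1)],
        "prefix2": [(2,)],
        "prefix5": [(2, 1, 5), (4, 1, 5)],
        "prefix4": [(4,)],
    })

if __name__ == "__main__":
    rib = build_as3_rib()
    w = IanpWarning(frozenset({1, 2}), origin_as=4, sender=4, hops_left=2)
    best, forwards = handle_warning(rib, w)
    print(best)
    print("poisoned:", rib.poisoned, "scores:", dict(rib.scores))
    print("forward to:", [(n, fw.hops_left) for n, fw in forwards])
```

Two points worth noting from the run: the route to prefix 2 via AS2 is kept, because only routes that actually cross the located link are suspect, and with K = 2 the copy AS3 forwards arrives at AS2 with one hop left, so AS2 applies it but sends no further copies, which is what bounds the message overhead discussed in the conclusion.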
Evaluation of IANP on DETER
Setup
- 3 topologies of 30 nodes generated by BRITE
- Emulation on DETER using the Quagga routing package
- 10 experiments per topology; in each experiment one link is broken and one node launches a selective dropping attack against a neighbor node
- BGP messages and routing tables post-processed by the IANP module
- Warnings sent to neighbors within 2 hops (K = 2)
Metric
- Damage cost = (# of poisoned best routes) / (# of total best routes)
- # of total best routes = 30 × 29 = 870 (one best route per source-destination pair)
Evaluation of IANP on DETER: Tests 1-3
- Test 1: node 14 drops messages to node 15
- Test 2: node 16 drops messages to node 23
- Test 3: node 15 drops messages to node 23
[Charts, one per test: W1 = unable to locate instability, DC = damage cost]
Evaluation of IANP on DETER: Overall Performance
- Without IANP
  - 0-30% of ASes cannot find the broken link
  - Damage cost ranges from %
- With IANP, no warnings (standalone)
  - Failure to find the broken link decreases by 0-23%
  - Damage cost is very low: max 4.8%, mostly < 2.0%
- With IANP and warnings
  - Every AS can find the broken link
  - Damage cost decreases to 0
Conclusion
- Encryption and authentication do not mitigate the selective dropping attack: a correctly signed WITHDRAW that is never forwarded is simply absent at the victim
- Instability analysis provides useful information for detecting a selective dropping attack
- The IANP standalone version reduces the damage cost
- The IANP warning version reduces the damage cost to 0 in these experiments
- IANP is promising and worth further research:
  - Impact of the warning scope (K) on damage cost and message overhead
  - Deployment of IANP based on the Internet topology hierarchy
  - Large-scale simulation at Internet scale