Presentation is loading. Please wait.

Presentation is loading. Please wait.

No Direction Home: The True cost of Routing Around Decoys

Published byErlin Hardja Modified over 6 years ago

Similar presentations

Presentation on theme: "No Direction Home: The True cost of Routing Around Decoys"— Presentation transcript:

1 No Direction Home: The True cost of Routing Around Decoys
Presented by : Pallavi Kasula

2 Background Autonomous systems (AS) Border Gateway Protocol (BGP)
Internet Censorship Decoy Routing Routing Around Decoys(RAD)

3 Autonomous System(AS)
Internet Comprises of interconnected Autonomous Systems Autonomous System: Collection of Networks with Same routing policy Usually under single ownership, trust and administrative control

4 BGP -Border Gateway Protocol
Designed to exchange routing and reachability information between autonomous systems (AS) on the Internet. BGP is the path-vector protocol provides routing information for autonomous systems on the Internet via its AS-Path attribute Shortest AS_Path, Multi_Exit_Disc

5 Internet Censorship the control or suppression of what can be accessed, published, or viewed on the Internet. The extent of Internet censorship varies on a country-to-country basis Content suppression methods include Internet Protocol(IP) address blocking DNS Name filtering and redirection Circumvention using Proxy Server has been in use which needs client to connect to a specific IP address.

6 Decoy Routing Decoy Routing -A mechanism capable of circumventing common network filtering strategies. A client connects to any unblocked host service and then decoy routing is used to connect to blocked destination. Circumvention service is placed in the network. A single device could proxy traffic instead of host.

7 Routing Around Decoys Schuchard et al. proposed Routing Against Decoys attack against decoy routing. Main Idea- ISPs in censorship region have multiple paths to reach destination It can instruct ISPs under it’s influence to select paths that do not pass through ISPs known to contain Decoys.

8 Objective of this paper
Authors have worked on true costs incurred by following RAD attack. Various parameters have been studied such as Loss of Connectivity, Latency, path length etc.

9 Internet Topology Business Relationship between ASs can be mapped to following three types according to Gao model Customer-to-Provider (c2p) Peer-to-Peer (p2p) Sibling-to-sibling (s2s)

10 Internet Topology Graph

11 Internet Topology Customer Cone : AS and its customers
Edge AS : AS with customer cone size =1 Transit AS : AS whose customer size is greater than 1 and transits other As traffic Path : A sequence of neighbor ASes that connect source AS to destination AS.

12 Valid and Invalid Paths
Valid or Valley-Free(VF) Path Every transit AS in the path a customer who is its immediate neighbor Invalid or Non-Valley-Free (NVF) Path

13 BGP Routing

14 RBGP Routing

15 Costs of Routing Degraded Internet Reachability Less-Preferred Path
Longer Paths Higher path latencies Non-Valley-Free routes New Transit ASes Massive change in Transit Load

16 Placing decoy Routers RAD paper simulated two specific placements of decoys Top - Tier Random But this placement in RAD is biased as decoys were primarily placed in EDGE ASs

17 Placing decoy Routers Authors used following Strategic decoy Placements: Sorted Placement - Decoys are chosen from ASs that transit more traffic for the RAD adversary. sorted-with-ring - Set of ASs not directly controlled by RAD adversary sorted-no-ring - Additionally exclude ASs having business relationship Strategic random placement - ASs are chosen from a set of ASes with a particular customer size. random-c (Random -1 is similar to one used in RAD). random-with-ring-C and random-no-ring-C

18 Simulation Setup and Data Sources
Used CBGP - a popular BGP simulator with python interface to interact and query between ASs. Geo location: “GeoLite Country” dataset to map IP addresses to countries. AS relations : CAIDA’s inferred AS relationship dataset AS ranking: CAIDA’s AS rank dataset Latency: iPlane’s “Inter-PoP links” dataset to estimate BGP and RBGP path latencies. Network origin: iPlane’s “Origin AS mapping” dataset

19 Comparing the Internet connectivity of state-level censors.
Simulation Results Comparing the Internet connectivity of state-level censors. Loss of connectivity for different RAD adversaries assuming the sorted-no-ring decoy placement strategy.

20 Simulation Results Simulation results for two different scenarios :
China-World : Decoy chosen from ASs exlcuding the 199 ASs located in China. China is the adversary. China-US :China is the RAD adversary; decoy ASes are selected only from the 13,299 ASes lo- cated in the United States.

21 Percentage of unreachable ASs

22 Non-Valley-Free paths

23 Costly Valley-Free Paths
Using less preferred paths : Results have shown that the percentage of VF paths became from 6% to 21% more expensive for different placement strategies. Longer Paths : Average increase in path length varies from 1.12 to 1.40. Higher Latencies : Even same length paths have higher latencies due to less popular transits.

24 For two neighbor ASes A and B, eLat is calculated as :
Latency Calculation For two neighbor ASes A and B, eLat is calculated as : where Ai represents the ith point-of-presence (PoP) of the AS A and nA is the number of A’s PoPs For a BGP/RBGP path composed of k ASes {T1 , ..., Tk }, we define eLat to be the sum of eLat for all neighbor ASes in the path:

25 The average increase in estimated latency due to the RAD attack.
Simulation Results The average increase in estimated latency due to the RAD attack.

26 need infrastructural changes
Edge ASes acting as transit ASes Increased load on existing transit ASes

27 where I P s(A) is the number of IP addresses owned by the AS A
Traffic Volume To simulate changes in transit loads, it is assumed that traffic volume between two ASes AS1 and AS2 is proportional to the number of IP addresses they respectively possess: Text Maximum transit load increase factor for Chinese transit ASes due to the RAD attack where I P s(A) is the number of IP addresses owned by the AS A Maximum transit load increase factor for Chinese transit ASes due to the RAD attack

28 Conclusions Proposed RAD attack is extremely costly with loss of connectivity to many internet connections and lower QoS. Strategic placement of decoy routers significantly increases cost. Depends on connectivity of country. Regional deployment is effective in defeating the RAD attack. Needs more fine grained and data driven approach.

29 Questions?

Download ppt "No Direction Home: The True cost of Routing Around Decoys"

Similar presentations

Censorship Resistance: Decoy Routing Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See.

Censorship Resistance: Decoy Routing Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.

Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
Border Gateway Protocol Ankit Agarwal Dashang Trivedi Kirti Tiwari.

Border Gateway Protocol Ankit Agarwal Dashang Trivedi Kirti Tiwari.
CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.

CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.
© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.

© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.

By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.
1 Internet Path Inflation Xenofontas Dimitropoulos.

1 Internet Path Inflation Xenofontas Dimitropoulos.
Part II: Inter-domain Routing Policies. March 8, 20042 What is routing policy? ISP1 ISP4ISP3 Cust1Cust2 ISP2 traffic Connectivity DOES NOT imply reachability!

Part II: Inter-domain Routing Policies. March 8, What is routing policy? ISP1 ISP4ISP3 Cust1Cust2 ISP2 traffic Connectivity DOES NOT imply reachability!
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
Mini Introduction to BGP Michalis Faloutsos. What Is BGP?  Border Gateway Protocol BGP-4  The de-facto interdomain routing protocol  BGP enables policy.

Mini Introduction to BGP Michalis Faloutsos. What Is BGP?  Border Gateway Protocol BGP-4  The de-facto interdomain routing protocol  BGP enables policy.
Inherently Safe Backup Routing with BGP Lixin Gao (U. Mass Amherst) Timothy Griffin (AT&T Research) Jennifer Rexford (AT&T Research)

Inherently Safe Backup Routing with BGP Lixin Gao (U. Mass Amherst) Timothy Griffin (AT&T Research) Jennifer Rexford (AT&T Research)
1 ECE453 – Introduction to Computer Networks Lecture 10 – Network Layer (Routing II)

1 ECE453 – Introduction to Computer Networks Lecture 10 – Network Layer (Routing II)
Inter-domain Routing Outline Border Gateway Protocol.

Inter-domain Routing Outline Border Gateway Protocol.
Chapter 22 Network Layer: Delivery, Forwarding, and Routing

Chapter 22 Network Layer: Delivery, Forwarding, and Routing
Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.

Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.
Impact of Prefix Hijacking on Payments of Providers Pradeep Bangera and Sergey Gorinsky Institute IMDEA Networks, Madrid, Spain Developing the Science.

Impact of Prefix Hijacking on Payments of Providers Pradeep Bangera and Sergey Gorinsky Institute IMDEA Networks, Madrid, Spain Developing the Science.
Introduction to BGP.

Introduction to BGP.
9/15/2015CS622 - MIRO Presentation1 Wen Xu and Jennifer Rexford Department of Computer Science Princeton University Chuck Short CS622 Dr. C. Edward Chow.

9/15/2015CS622 - MIRO Presentation1 Wen Xu and Jennifer Rexford Department of Computer Science Princeton University Chuck Short CS622 Dr. C. Edward Chow.
M.Menelaou CCNA2 ROUTING. M.Menelaou ROUTING Routing is the process that a router uses to forward packets toward the destination network. A router makes.

M.Menelaou CCNA2 ROUTING. M.Menelaou ROUTING Routing is the process that a router uses to forward packets toward the destination network. A router makes.

Similar presentations

Ads by Google