Presentation is loading. Please wait.

Presentation is loading. Please wait.

13 June 2013 Dave Risius Chris Wood

Published byวิศิษฏ์ สมิธ Modified over 5 years ago

Similar presentations

Presentation on theme: "13 June 2013 Dave Risius Chris Wood"— Presentation transcript:

1 13 June 2013 Dave Risius Chris Wood
Internet Network Diversion 13 June 2013 Dave Risius Chris Wood 1

2 Agenda Network Diversion Overview Internet as a Network CAIDA Data Set
Assumptions Methodology Three Model Solution Results Future Work Conclusions 23 May 2019 Network Diversion Project

3 Network Diversion Goal Conventional Solutions As an Internet Problem
To coerce network traffic to flow through a specified point Conventional Solutions Incentivize Cheese Restriction Walls As an Internet Problem Want data to pass through a sensor or exploitation node Need to nerd-out a bit… 23 May 2019 Network Diversion Project

4 The Internets Devices, routers, protocols, and networks between them
# Connections: 2(1969) -> 360k(2000) -> 2.4b(2012) Basic Internet Routing Internet Connection Your Computer Qwest: East Internet Host Layer Network Layer Physical Layer Data Manipulation Internet Connection Comcast: NorCal My Computer 23 May 2019 Network Diversion Project

5 Autonomous Systems & BGP
AS: Group of networks and routers managed by a single organization, assigned a unique number Comcast: Norcal = ASN 2165 External Border Gateway Protocol Inter-AS Routing Protocol utilizing ‘shortest path’ (but not really) “3 hops” AS IP: “2 hops” IP: AS “2 hops” Qwest:East = ASN 3144 AS 23 May 2019 Network Diversion Project

6 Internet Data CAIDA (Cooperative Association for Internet Data)
Ark Measurement Infrastructure The IPv4 Routed /24 AS Links Dataset 71 Globally distributed active network sensors Pings data, captures route traveled from IP to IP Abstracts IPs to AS’ Data Summary 24 hours of global internet traffic (01-02 April 2013) ~30k nodes with 80k edges Filtered into undirected graph Nodes = AS (split to allow for node interdiction) Initial Formulation Node-Split Edge Length = 1 hop AS-AS Edge Length = 0 BGP Formulation = # of ‘hops’ to destination 23 May 2019 Network Diversion Project

7 Network Diversion Problem Statement
Given a network of Autonomous System with starting AS (S) and ending AS (T), how do we divert flow through an Interceptor AS (I)? I 1 2 3 1 S T 1 i i' ASN: X 2 1 23 May 2019 Network Diversion Project

8 Limitations and Assumptions
Limited knowledge of and access to real-world BGP routing Assumptions For this project, the CAIDA data collected is sufficient to form a complete AS topology of the internet. Project assumes there is a method to attack nodes (AS), however we do not specify how to attack them. (Possibly Traffic Overflows, altering BGP Routing Tables) Edge lengths are representative of BGP routing (shortest path from current AS to destination AS) 23 May 2019 Network Diversion Project

9 Network Diversion Methodology
BUILD NETWORK Python – NetworkX Module Construct/Split Nodes Construct Arcs Build ASN Locations Produce Candidate Paths Input Data -Open Source -CAIDA -24 hours Internet Traffic COMPLETE GRAPH Candidate Path From Start to End Node TXT Files Node Files ARC Files Attack Edges Graph Files Refine Method Produce Solutions Python Decreasing S.P. Sliding S.P. GAMS -Min-Cut Option LIST OF FEASIBLE SOLUTIONS GAMS OUTPUT PYTHON OUTPUT 23 May 2019 Network Diversion Project

10 Simple Network; Incentive (Decreasing Shortest Path)
Current Shortest Path: 1 -2 -1 1 1 1 1 1 1 23 May 2019 Network Diversion Project

11 Create Best Shortest Path (Incentivize Yourself)
Method (Incentivize yourself into the shortest path). Apply unit lengths to all edges in the network. Find candidate path between desired start node and end node containing the intercept node. Iterate over increasingly negative lengths to the intercept edge Stop once intercept edge is in shortest path Interpretation. Required decrement quantity gives you measure of level of incentive necessary to route traffic through your node. Traffic looks for shortest path first, then executes once found. Issues. Really can’t create negative paths in BGP May be more applicable to talk about incentivizing your path instead of your point. S +3 +2 +1 -4 +1 +1 T 23 May 2019 Network Diversion Project

12 Simple Network; Restriction (Sliding Shortest Path)
Current Shortest Path: 1 2 3 2 3 1 1 2 1 23 May 2019 Network Diversion Project

13 Sliding Shortest Path Algorithm (Limit Alternatives)
Method (trim network, one link at a time until your edge is included in path). Find shortest path from start node to intercept node. Find first node in shortest path from start node to end node. If first node isn’t same as first node in start-intercept path, cut it. Continue until all nodes in start-end shortest path are in start-intercept shortest path. Interpretation. Trims from destination to target, thus removing AS connections in the same way the data would route (look up BGP tables in advance of traffic flow). Issues. Produces an inefficient and possibly catastrophic network once complete. S I T 23 May 2019 Network Diversion Project

14 Simple Network; Restriction (Max Flow Forced Min-Cut)
1 1 1 1 1 1 23 May 2019 Network Diversion Project

15 Forced Minimum Cut (Max Flow) (Limit Alternatives)
Method (Force Yourself into the min-cut). Find candidate path from s-t containing interceptor node. Apply infinite capacity to all edges in candidate path. Apply +1 capacity to the intercept node/edge (forcing it into min cut). Run Min-Cut Linear Program. Interpretation. Min-cut shows exact nodes/edges we need to cut to force traffic through us. Once known, nodes can be influenced to make traffic respond as desired. Issues. ‘Upstream’ candidate path nodes must not overlap with ‘downstream’ nodes Difficult in terms of time and effort to solve min-cut prior to cutting nodes. S 1 T 23 May 2019 Network Diversion Project

16 Results on Example Candidate Path Incentive Restriction
714 7018 2153 32 46749 2152 701 4983 Candidate Path Incentive Decreasing Shortest Path Several Single-Hop paths to overcome AS:32 requires a path incentive of -4 Restriction Sliding Shortest Path Of 26,321 AS and ~80,000 connections between them, only have to affect 355 AS Intuitive due to non-optimality v. forced min-cut Forced Min-Cut (Nodes) Removing 309 AS in order to force traffic through AS:32 23 May 2019 Network Diversion Project

17 Future Work More work to accurately represent edge lengths as BGP hops
Model uses SP to emulate BGP; Reality is that BGP is not an optimal path calculator; it is more dependent on AS-specific routing relationships and complex policies not modeled here (peering contracts between ISPs, favored routes, etc.) Using a set of possible interdiction nodes instead of just one Adding costs to nodes (Cost of Interdicting an AS) Prohibiting attacks on certain nodes (Geopolitical/Technological Concerns) Many real world network problems can be considered in terms of these network diversion models Nuclear Smuggler Problem using dummy detectors to force through hidden real world detectors (Forced Min-Cut) Enemy convoy ambush interdiction operations (Sliding S-P) Defector/Double-Agent Incentivization (Decreasing S-P) Validate on a realistic scale (Internet-wide) 23 May 2019 Network Diversion Project

18 Conclusions Difficult to favor one single solution/model
Decreasing Shortest Path Represents overall incentive, but difficult to apply to BGP Sliding Shortest Path Most disruptive method, likely to have unintended consequences Best chance at success, due to following a similar logic to actual internet data routing Forced Min-Cut Least disruptive, but most process intensive 23 May 2019 Network Diversion Project

19 Resources CAIDA (Cooperative Association for Internet Data Research)
Sliding Shortest Path Algorithm Ramesh Bhandari Laboratory for Telecommunications Sciences, Department of Defense College Park, Maryland 20740 Decreasing Shortest Path Prof David Alderson Naval Postgraduate School, Department of Operations Research CAIDA (Cooperative Association for Internet Data Research) The IPv4 Routed /24 AS Links Dataset - <01Apr Apr2013>, Support for the IPv4 Routed /24 AS Links Dataset is provided by the National Science Foundation, the US Department of Homeland Security, Cisco Systems, and CAIDA Members. 23 May 2019 Network Diversion Project

20 Other Relevant Applications
Enemy Convoy wants to get from S to T. Friendly force wants enemy to go through ambush location by blocking other possible routes. X S X X T X X X

Download ppt "13 June 2013 Dave Risius Chris Wood"

Similar presentations

Internetworking II: MPLS, Security, and Traffic Engineering

Internetworking II: MPLS, Security, and Traffic Engineering
6.033: Intro to Computer Networks Layering & Routing Dina Katabi & Sam Madden Some slides are contributed by N. McKewon, J. Rexford, I. Stoica.

6.033: Intro to Computer Networks Layering & Routing Dina Katabi & Sam Madden Some slides are contributed by N. McKewon, J. Rexford, I. Stoica.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.

Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
An Effective Placement of Detection Systems for Distributed Attack Detection in Large Scale Networks Telecommunication and Security LAB. Dept. of Industrial.

An Effective Placement of Detection Systems for Distributed Attack Detection in Large Scale Networks Telecommunication and Security LAB. Dept. of Industrial.
Lecture 3. Notations and examples D. Moltchanov, TUT, Spring 2008 D. Moltchanov, TUT, Spring 2015.

Lecture 3. Notations and examples D. Moltchanov, TUT, Spring 2008 D. Moltchanov, TUT, Spring 2015.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)
The Shortest Path Problem

The Shortest Path Problem
ROUTING ON THE INTERNET COSC 6590 1 14-Aug-15. Routing Protocols  routers receive and forward packets  make decisions based on knowledge of topology.

ROUTING ON THE INTERNET COSC Aug-15. Routing Protocols  routers receive and forward packets  make decisions based on knowledge of topology.
NETWORK LAYER (2) T.Najah AlSubaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.

NETWORK LAYER (2) T.Najah AlSubaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.
Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.

Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.
Impact of Prefix Hijacking on Payments of Providers Pradeep Bangera and Sergey Gorinsky Institute IMDEA Networks, Madrid, Spain Developing the Science.

Impact of Prefix Hijacking on Payments of Providers Pradeep Bangera and Sergey Gorinsky Institute IMDEA Networks, Madrid, Spain Developing the Science.
9/15/2015CS622 - MIRO Presentation1 Wen Xu and Jennifer Rexford Department of Computer Science Princeton University Chuck Short CS622 Dr. C. Edward Chow.

9/15/2015CS622 - MIRO Presentation1 Wen Xu and Jennifer Rexford Department of Computer Science Princeton University Chuck Short CS622 Dr. C. Edward Chow.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 2 Module 6 Routing and Routing Protocols.

1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 2 Module 6 Routing and Routing Protocols.
How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.

How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.
Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks BGP.

Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks BGP.
David Wetherall Professor of Computer Science & Engineering Introduction to Computer Networks Hierarchical Routing (§5.2.6)

David Wetherall Professor of Computer Science & Engineering Introduction to Computer Networks Hierarchical Routing (§5.2.6)
1 Week 5 Lecture 2 IP Layer. 2 Network layer functions transport packet from sending to receiving hosts transport packet from sending to receiving hosts.

1 Week 5 Lecture 2 IP Layer. 2 Network layer functions transport packet from sending to receiving hosts transport packet from sending to receiving hosts.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 6: Static Routing Routing and Switching Essentials.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 6: Static Routing Routing and Switching Essentials.
TCOM 509 – Internet Protocols (TCP/IP) Lecture 06_a Routing Protocols: RIP, OSPF, BGP Instructor: Dr. Li-Chuan Chen Date: 10/06/2003 Based in part upon.

TCOM 509 – Internet Protocols (TCP/IP) Lecture 06_a Routing Protocols: RIP, OSPF, BGP Instructor: Dr. Li-Chuan Chen Date: 10/06/2003 Based in part upon.
1 An Arc-Path Model for OSPF Weight Setting Problem Dr.Jeffery Kennington Anusha Madhavan.

1 An Arc-Path Model for OSPF Weight Setting Problem Dr.Jeffery Kennington Anusha Madhavan.

Similar presentations

Ads by Google