Threats to Routing Protocols. Dennis Beard, Sandra Murphy, Yi Yang. March 2003.


1 Threats to Routing Protocols
Dennis Beard, Sandra Murphy, Yi Yang
March 2003

2 Outline
- Scope
- Routing Functions
- Threat Definition
- Threat Source, Action & Consequence
- Generally Identifiable Routing Threat Actions
- Threats against Multicast Routing Protocols

3 Scope
- All routing protocols
- Intent: advise routing protocol designers about security
  - get them thinking about vulnerabilities
  - set requirements (MUST, SHOULD, MAY)
- Intra- and Inter-domain (IGP and EGP)
- Security of the protocol, not of the operational environment it works in

4 Routing Functions
- Transport subsystem
  - the subsystem that carries the data between routers
  - can be attacked - impact on routing protocol
  - can carry attack to the routing protocol
- Neighbor state
  - determine peer and establish relationship
  - attacks can break relationship - disrupt routing [typo: draft said BGP and CEASE msg]

5 Routing Functions (cont)
- Database maintenance
  - sometimes a separate step, sometimes an implicit result of the communication of topology info
  - like wireless keeping interesting routes
  - topology computation from database
- Each function has control and data parts
  - different consequences from each

6 Threat definition
- "A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm." Robert Shirey, RFC2828: Internet Security Glossary
- The RFC definitions are the basis for the expression of our model

7 Threat Model - Sources
- Intruders or malicious programs launched by the intruder
- Compromised (or subverted??) links
- Compromised (or subverted??) routers
- Masquerading routers (illegitimately assumes identity/role)
- Unauthorized devices
- Should RP designers worry about subverted links?
- Should we distinguish masquerading from unauthorized routers?
* A router may play multiple roles simultaneously

8 Threat Model - Actions
- Attacks and other intentional malicious actions against the routing protocols
- Address proper protocol design to mitigate threat
- Need to identify external factor that protocol should protect
- Deliberate exposure
- Sniffing/wiretapping
- Traffic analysis
- Spoofing
- Falsification
- Interference
- Overload
* An attacker may launch multiple actions simultaneously

9 Threat Model - Consequences
- Compromises and the damage done by the malicious actions
- Zones (impact to router(s), Autonomous System(s), Global)
- Period (smaller, equal or greater than threat action duration)
- Disclosure: Unauthorized access to routing info
- Deception: Belief of false routing info
- Disruption: Operation degradation or interruption
- Usurpation: Control/modification of legitimate router services/functions
* An action may cause multiple consequences

10 Generally Identifiable Threat Actions
- Deliberate Exposure: Intentional release of routing information
- Sniffing: Monitor routing exchange between legitimate routers
- Traffic Analysis: Indirect access to routing info gained by monitoring data traffic
- Spoofing: Assume other's identity
- Falsification: Declare invalid routing information
- Interference: Impact routing exchanges
- Overload: Place excessive burdens

11 Deliberate Exposure
- Intentional release of routing information to unauthorized devices
- Sources: All attackers
- Consequence: Disclosure
- Is this a valid threat against routing protocols?

12 Sniffing/Wiretapping
- Monitor/record routing information
- Sources: Compromised/subverted links
- Consequence: Disclosure

13 Traffic Analysis
- Analyze data traffic to learn routing information
- Sources: Compromised/subverted links
- Consequence: Disclosure
- Is this a valid threat against routing protocols?

14 Spoof
- Illegally assumes a legitimate router's identity
- Sources: All attackers
- Attackers become masquerading routers after a successful spoof
- It is a threat, as well as a means to launch threats
- Consequences:
  - Deception (on peer relationship) and DoS based on the Deception
  - Accounting
  - Disclosure (on routing information)

15 Falsification
- Make and distribute invalid routing information
- Sources:
  - Originator: All attackers except compromised/subverted links
    - Overclaiming
    - Underclaiming
    - Misclaiming
    - Is underclaiming a valid threat? (non-existent vs. not defendable)
  - Forwarder: All attackers
    - Overstatement
    - Understatement
    - Misstatement

16 Falsification (cont)
- Consequences:
  - Deception
  - Usurpation
  - Disruption
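To make the originator side of slide 15 concrete, here is an added example (not code from the presentation or from the RPSEC draft) of the check a receiving router or a route monitor could run: it compares announcements against a registry of authorized originators and classifies deviations as overclaiming, misclaiming or underclaiming. The registry, the router identifiers (65001 to 65003), the announcements and the reading of the three categories (overclaiming = announcing a prefix the originator is not authorized for or a covering prefix nothing authorizes; misclaiming = an authorized prefix with a wrong attribute; underclaiming = an originator that is heard from but omits a prefix it owns) are all assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    """One route announcement as received from an originating router."""
    prefix: str   # announced destination, e.g. "10.1.0.0/16"
    origin: int   # identifier of the originating router/AS (constructed values)
    metric: int   # advertised cost/attribute for the route


# Constructed source of truth: which originator is authorized to announce each
# prefix, and with what metric. Stands in for an operator-maintained registry;
# it is an assumption of this example, not something the presentation defines.
REGISTRY = {
    "10.1.0.0/16": (65001, 10),
    "10.2.0.0/16": (65002, 10),
    "192.0.2.0/24": (65003, 5),
}

# Constructed announcements: one correct, one covering prefix that no registry
# entry backs, one with a wrong metric, two from originators not authorized for
# the prefix, and an owner (65003) that never announces the prefix it owns.
SAMPLE_ANNOUNCEMENTS = [
    Announcement("10.1.0.0/16", 65001, 10),
    Announcement("10.0.0.0/8", 65001, 10),
    Announcement("10.2.0.0/16", 65002, 50),
    Announcement("192.0.2.0/24", 65002, 5),
    Announcement("198.51.100.0/24", 65003, 5),
]


def _covering_entry(prefix):
    """Return (network, info) for the most specific registry entry covering
    `prefix`, or None when nothing in the registry covers it."""
    net = ipaddress.ip_network(prefix)
    best = None
    for reg_prefix, info in REGISTRY.items():
        reg_net = ipaddress.ip_network(reg_prefix)
        if reg_net.version == net.version and net.subnet_of(reg_net):
            if best is None or reg_net.prefixlen > best[0].prefixlen:
                best = (reg_net, info)
    return best


def classify(announcements):
    """Return a list of (kind, origin, prefix) findings for originator
    falsification, using the working interpretation given in the lead-in."""
    findings = []
    authorized_seen = set()  # (origin, normalized prefix) pairs that checked out
    heard_from = {a.origin for a in announcements}
    for a in announcements:
        entry = _covering_entry(a.prefix)
        if entry is None or entry[1][0] != a.origin:
            # Either nothing authorizes this prefix at all (e.g. a covering /8)
            # or it belongs to a different originator.
            findings.append(("overclaiming", a.origin, a.prefix))
            continue
        authorized_seen.add((a.origin, str(ipaddress.ip_network(a.prefix))))
        if a.metric != entry[1][1]:
            findings.append(("misclaiming", a.origin, a.prefix))
    # Underclaiming: an originator we did hear from left out a prefix it owns.
    # Whether this is defendable at the protocol level is the open question
    # raised on the slide; here it is only reported.
    for reg_prefix, (owner, _) in REGISTRY.items():
        if owner in heard_from and (owner, reg_prefix) not in authorized_seen:
            findings.append(("underclaiming", owner, reg_prefix))
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_ANNOUNCEMENTS):
        print(*finding)
```

Forwarder-side falsification (overstatement, understatement, misstatement) is not visible to this check, because a forwarder relays someone else's claim; catching that needs path or attribute protection between hops rather than an origin registry.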

17 Interference
- Inhibit routing exchanges
- Sources: All attackers
- Consequence: Disruption

18 Overload
- Place excess burden
- Against control plane or data plane
- Should we care about the data plane in routing protocol design?
- Sources: All attackers
- Consequence: Disruption

19 Byzantine Failures
- Caused by faulty routers
- So general that it is redundant to other threat actions: falsification, overload...
- Should not be listed separately

20 Discarding of control packets
- Similar to underclaiming?
- OLSR

21 Network Mapping Threats
- Threat action or consequence?
- If this is an action, is it redundant to sniffing/traffic analysis?

22 Multicast Routing Threat Actions
- Introduction of misleading route information via non-existent (black hole) or incorrect routes is a key MC routing vulnerability
- MC routing protocols are at least as susceptible as unicast
- Updates can be:
  - Fabricated
  - Modified
  - Replayed
  - Deleted
  - Snooped
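Slide 22's five things that can happen to an update, and the peer-identity spoofing of slide 14, map onto a small set of receiver-side checks. The following added example (not code from the presentation or any routing implementation) shows those checks: an HMAC-SHA256 tag over a canonical encoding of the update binds it to a shared peer key, a per-sender sequence number rejects replays, and a jump in the sequence flags deleted updates. The key, the router names (R1), the multicast group payload and the JSON encoding are assumptions of this example.

```python
import hashlib
import hmac
import json

# Constructed pre-shared key between two routing peers. Key distribution is
# out of scope here; the value is an assumption of this example.
PEER_KEY = b"constructed-peer-key-do-not-reuse"


def sign_update(key, sender, seq, payload):
    """Build an update carrying sender id, a monotonic sequence number and an
    HMAC-SHA256 tag over the canonical encoding of all three."""
    body = json.dumps({"sender": sender, "seq": seq, "payload": payload},
                      sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class UpdateReceiver:
    """Receiver-side checks: integrity and origin via the HMAC, freshness via
    the per-sender sequence number, and a gap signal for deleted updates."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}  # sender -> highest accepted sequence number

    def accept(self, msg):
        expected = hmac.new(self.key, msg["body"].encode(),
                            hashlib.sha256).hexdigest()
        # Fabricated (no key) and modified (body changed, tag stale) updates
        # both fail here; a spoofed sender id fails too unless the attacker
        # holds the key. compare_digest avoids a timing side channel.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "reject:forged-or-modified"
        fields = json.loads(msg["body"])
        sender, seq = fields["sender"], fields["seq"]
        last = self.last_seq.get(sender, 0)
        if seq <= last:
            return "reject:replayed"
        self.last_seq[sender] = seq
        # A jump in the sequence means updates in between were deleted or
        # lost; this one is accepted but the gap is worth reporting.
        return "accept:gap" if seq > last + 1 else "accept"


def run_scenario():
    """Constructed sequence of updates as seen by one receiver."""
    rx = UpdateReceiver(PEER_KEY)
    payload = {"group": "233.252.0.1", "upstream": "R1"}
    genuine = sign_update(PEER_KEY, "R1", 1, payload)

    # Modified in transit: payload altered, original tag kept.
    tampered = dict(genuine)
    fields = json.loads(genuine["body"])
    fields["payload"]["upstream"] = "OTHER"
    tampered["body"] = json.dumps(fields, sort_keys=True)

    # Fabricated by a device that does not hold the peer key.
    fabricated = sign_update(b"wrong-key", "R1", 2, payload)

    return [
        rx.accept(genuine),                                  # accept
        rx.accept(tampered),                                 # reject:forged-or-modified
        rx.accept(fabricated),                               # reject:forged-or-modified
        rx.accept(genuine),                                  # reject:replayed
        rx.accept(sign_update(PEER_KEY, "R1", 3, payload)),  # accept:gap, seq 2 never arrived
    ]


if __name__ == "__main__":
    print(run_scenario())
```

Two of the slide's items are deliberately left uncovered, which is the point of listing them separately: a snooped update is still readable because this scheme gives integrity and freshness, not confidentiality, and a compromised router from slide 7 holds the key and so passes every check here.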

23 Sandy's Comments Summarized
- Section 3.1: content
- Section 4.1: Deliberate Exposure: content
- Section 4.3: Traffic Analysis: content
- Section 4.4: Spoofing: editorial
- Section 4.5: Underclaiming: content
- Section 4.5a: "ownership": editorial
- Section 4.7: Overload: editorial/content
- Section 4.8: Byzantine Failures: editorial
- Section 4.9: Discard of Control Messages: content
- Section 4.10: Network Mapping: editorial
- Multicast Routing: editorial (redundant, inconsistent)

24 Sandy's Comments: Some Themes
- privacy of routing data - important?
  - comments both ways on mailing list
  - nemo group wants "location privacy"
  - Section 4.1: Deliberate Exposure
  - Section 4.3: Traffic Analysis
- not an attack in the routing protocol (or not addressable)
  - Section 4.3: Traffic Analysis
  - Section 4.7: Overload
  - Section 2: Transport Subsystem
- correctness vs security
  - Section 4.5: Underclaiming
  - Section 4.9: Discard of Control messages

25 Sanity Checks
- Need to compare to BGP Attack Tree document
  - see if there are attacks there not represented here and vice versa
  - many of that document's attacks are operational in nature (i.e., not the business of this analysis)
- Need to compare to SOBGP/SBGP
  - see if those approaches deal with these threat actions, sources, consequences
  - see if there are any further vulnerabilities unprotected
- Need to compare to other routing protocols' expressed security requirements (e.g., nemo)

26 In Closing...
- We have presented a model to:
  - Document threats & related consequences
  - Provide a format to help prioritize results
- Enable a process to:
  1. Address top threat actions: Must be included
  2. Make a decision on medium/low threat actions: Acceptable risk (future work)

27 Next Step
- Need your input to address the following:
  - Structure
  - Content
- Thank You!
