Download presentation
Presentation is loading. Please wait.
Published byClyde Rose Modified over 8 years ago
1
A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, 20071 A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang AT&T Labs-Research Joint work with Ying Zhang and Z. Morley Mao University of Michigan
2
A Firewall for Routers: Protecting Against Routing Misbehavior2 June 26, 2007 Interdomain routing: Border Gateway Protocol (BGP) Disseminating routing information between ISPs Disseminating routing information between ISPs Incremental: an update indicates a routing change Path vector based: list of ASes in the path Policy based: route selection based on each ISP’s policy Controlling packet forwarding in the data plane Controlling packet forwarding in the data plane AS A AS B C BR C AS C C BR C Internet AS D “I can reach 141.213.15.0/24” “ I can reach 141.213.15.0/24 via AS A” “ I can reach 141.213.15.0/24 via AS B A”
3
A Firewall for Routers: Protecting Against Routing Misbehavior3 June 26, 2007 Example: IP prefix hijacking AS B C BR AS C C BR C AS D destination source Path:d =[A]Path:d =[BA]Path:d =[CBA] AS A C BR p: [CBA] p: [CF] BGP Announcement: (prefix p) Prefix p AS F
4
A Firewall for Routers: Protecting Against Routing Misbehavior4 June 26, 2007 Internet routing security problems Routers assume updates from neighbor are correct Routers assume updates from neighbor are correct Routing correctness is vulnerable to misconfigurations, attacks, and protocol ambiguities Routing correctness is vulnerable to misconfigurations, attacks, and protocol ambiguities There is no security guarantee in BGP There is no security guarantee in BGP Secure protocol, e.g. SBGP, is slowly adopted and cannot eliminate misconfigurations
5
A Firewall for Routers: Protecting Against Routing Misbehavior5 June 26, 2007 Our approach Q: can a network locally protects against routing misbehavior from external networks? A: a proactive scheme to correct routing updates locally Route Normalizer Route Normalizer Sits between local router and remote router Detects and corrects problems by taking advantage of local information
6
A Firewall for Routers: Protecting Against Routing Misbehavior6 June 26, 2007 Outline Design of Route Normalizer Design of Route Normalizer Functionality of Route Normalizer Functionality of Route Normalizer Prototype implementation and evaluation Prototype implementation and evaluation Empirical results Empirical results Discussion Discussion
7
A Firewall for Routers: Protecting Against Routing Misbehavior7 June 26, 2007 Route Normalizer architecture Route Normalizer Policy Engine Optional config input (e.g. local router configuration) Policy configuration Aggregated alarm reports Optional data input (e.g. external BGP data) BGP traffic Individual alarms
8
A Firewall for Routers: Protecting Against Routing Misbehavior8 June 26, 2007 Design principles Perform basic checking to ensure protocol semantic correctness Perform basic checking to ensure protocol semantic correctness Make use of local network information Make use of local network information Take advantage of external information to assist route anomaly detection Take advantage of external information to assist route anomaly detection Assume dominant history behavior is mostly correct Assume dominant history behavior is mostly correct Use anomaly detection to influence route selection to avoid anomalous routes Use anomaly detection to influence route selection to avoid anomalous routes
9
A Firewall for Routers: Protecting Against Routing Misbehavior9 June 26, 2007 Deployment scenario I C BR Route NormalizerRemote routerLocal router Data traffic BGP traffic Data traffic Normalized BGP traffic Alarm reports, policy improvements BGP session Route Normalizer observes data plane traffic Route Normalizer observes data plane traffic No configuration changes on remote router No configuration changes on remote router Case I: transparent TCP proxy setup Case II: two BGP sessions
10
A Firewall for Routers: Protecting Against Routing Misbehavior10 June 26, 2007 Deployment scenario II C BR Route Normalizer Remote router Local router Data traffic BGP traffic Normalized BGP traffic Alarm reports, policy improvements BGP session BGP traffic No data traffic traverse Route Normalizer No data traffic traverse Route Normalizer Route Normalizer peers with both routers Route Normalizer peers with both routers Configuration changes on local router Configuration changes on local router
11
A Firewall for Routers: Protecting Against Routing Misbehavior11 June 26, 2007 Outline Design of Route Normalizer Design of Route Normalizer Functionality of Route Normalizer Functionality of Route Normalizer Prototype implementation and evaluation Prototype implementation and evaluation Empirical evaluation using BGP data Empirical evaluation using BGP data Discussion Discussion
12
A Firewall for Routers: Protecting Against Routing Misbehavior12 June 26, 2007 Functionality of Route Normalizer Fix violation of BGP semantics Fix violation of BGP semantics Fix violation of routing policy Fix violation of routing policy Detect routing anomalies Detect routing anomalies Manage load and instability Manage load and instability
13
A Firewall for Routers: Protecting Against Routing Misbehavior13 June 26, 2007 Fix violation of BGP semantics Mal-formed BGP updates Mal-formed BGP updates Incorrect attribute values, e.g. AS level loops Attributes with private information Missing mandatory attribute values Route Normalizer action Route Normalizer action Modify or drop the updates Avoid router crashes Avoid router crashes Avoid ambiguity if alternate route exists Avoid ambiguity if alternate route exists Generate alarms
14
A Firewall for Routers: Protecting Against Routing Misbehavior14 June 26, 2007 Fix violations of routing policies Specifying policies with best common practice Specifying policies with best common practice Export policy should follow AS relationship constraints Nexthop AS and IP should match the BGP neighbors’ AS and IP Route Normalizer action Route Normalizer action Modify or drop the updates if alternate route exists Generate alarms
15
A Firewall for Routers: Protecting Against Routing Misbehavior15 June 26, 2007 Detect routing anomalies Anomalous routing behavior Anomalous routing behavior Address hijacking Address hijacking Routing inconsistency Routing inconsistency Route Normalizer action Route Normalizer action Drop the updates if alternate route exists Generate alarms
16
A Firewall for Routers: Protecting Against Routing Misbehavior16 June 26, 2007 Load management and instability mitigation Manage router workload Manage router workload Mitigate load due to identical routing updates Mitigate against router DoS attacks Mitigate instability of flapping prefixes Mitigate instability of session resets Route Normalizer action Route Normalizer action Drop duplicate updates Filter BGP attack traffic, delay updates Emulate route flap damping, delay updates Emulate graceful restart, delay updates
17
A Firewall for Routers: Protecting Against Routing Misbehavior17 June 26, 2007 Outline Design of Route Normalizer Design of Route Normalizer Functionality of Route Normalizer Functionality of Route Normalizer Prototype implementation and evaluation Prototype implementation and evaluation Empirical evaluation using BGP data Empirical evaluation using BGP data Discussion Discussion
18
A Firewall for Routers: Protecting Against Routing Misbehavior18 June 26, 2007 Prototype 18 1.Initialization 2.Checking path attributes 3.Anomaly detection
19
A Firewall for Routers: Protecting Against Routing Misbehavior19 June 26, 2007 Prototype evaluation Platform Platform 3 GHz Pentium IV CPU, 1.5GB memory, 100Mbps System throughput System throughput 77.9Mbps or 64,916 packets/sec Slight degradation on throughput with more peers Memory consumption Memory consumption 20MB memory consumption for 16 days data Slight increase on memory consumption with more peers
20
A Firewall for Routers: Protecting Against Routing Misbehavior20 June 26, 2007 Outline Design of Route Normalizer Design of Route Normalizer Functionality of Route Normalizer Functionality of Route Normalizer Prototype implementation and evaluation Prototype implementation and evaluation Empirical evaluation using BGP data Empirical evaluation using BGP data Discussion Discussion
21
A Firewall for Routers: Protecting Against Routing Misbehavior21 June 26, 2007 Normalization statistics Category# updates (% total alarms) # ASes involved # prefixes involved AS path loops1,047 (3.5%)232,483 Private ASes in AS paths930(3.1%)31953 Unusually long AS paths172 (0.57%)1305256 AS relationship violations20,174 (67%)43894 MOAS violations5,976 (19.9%)382267 Unstable prefixes1,785 (5.9%)581496 RouteViews: Oct 2006 (based on three months history data)
22
A Firewall for Routers: Protecting Against Routing Misbehavior22 June 26, 2007 Known routing problems from NANOG: prefix leaking Date: July 11, 2003 Date: July 11, 2003 Observations: traffic from Sprint(AS 1239) traverses ALGX(AS 2828)’s customer. Observations: traffic from Sprint(AS 1239) traverses ALGX(AS 2828)’s customer. Reported by Route Normalizer Reported by Route Normalizer AS path 1239 6359 14751 2828 8001 violates AS relationship Broadwing Communications (AS 6359) did not filter announcement from its customer (AS14751), which is learned from the another provider AS 2828. Broadwing Communications (AS 6359) did not filter announcement from its customer (AS14751), which is learned from the another provider AS 2828.
23
A Firewall for Routers: Protecting Against Routing Misbehavior23 June 26, 2007 Known routing problems from NANOG: instability Date: Oct. 5, 2005 Date: Oct. 5, 2005 Observations: Level 3 (AS 3356) terminated its peering relation with Cogent (AS 174) Observations: Level 3 (AS 3356) terminated its peering relation with Cogent (AS 174) Reported by Route Normalizer Reported by Route Normalizer From Level 3’s perspective, 1063 (100%) distinct prefixes withdrawn from AS 174, reported as anomalous routing behavior
24
A Firewall for Routers: Protecting Against Routing Misbehavior24 June 26, 2007 Outline Design of Route Normalizer Design of Route Normalizer Functionality of Route Normalizer Functionality of Route Normalizer Prototype implementation and evaluation Prototype implementation and evaluation Empirical evaluation using BGP data Empirical evaluation using BGP data Discussion Discussion
25
A Firewall for Routers: Protecting Against Routing Misbehavior25 June 26, 2007 Discussion Attacks towards Route Normalizer Attacks towards Route Normalizer Resource overloaded attacks via increasing routing instability Assigning penalty to detect malicious peers Assigning penalty to detect malicious peers Announcing malicious long AS path to increase computation Optimizing AS relationship checking process Optimizing AS relationship checking process Raising alarms Raising alarms Deployed with centralized routing decision platform, e.g. RCP Deployed with centralized routing decision platform, e.g. RCP
26
A Firewall for Routers: Protecting Against Routing Misbehavior26 June 26, 2007 Conclusion Develop a platform for BGP traffic normalization Develop a platform for BGP traffic normalization Propose the use of routing anomaly detection to achieve more robust routing Propose the use of routing anomaly detection to achieve more robust routing Perform extensive correlation between NANOG emails and anomaly detection using BGP data Perform extensive correlation between NANOG emails and anomaly detection using BGP data
27
A Firewall for Routers: Protecting Against Routing Misbehavior27 June 26, 2007 Thank you! Questions? 27
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.