bgp communities even more worms in the routing can
play

BGP Communities: Even more Worms in the Routing Can ACM IMC 2018, - PowerPoint PPT Presentation

Apr 10, 2023 •761 likes •1.6k views

BGP Communities: Even more Worms in the Routing Can ACM IMC 2018, Boston, MA, USA Florian Streibelt 1 <fstreibelt@mpi-inf.mpg.de> , Franziska Lichtblau 1 , Robert Beverly 2 , Cristel Pelsser 3 , Georgios Smaragdakis 4 , Randy Bush 5 , Anja

  1. BGP Communities: Even more Worms in the Routing Can ACM IMC 2018, Boston, MA, USA Florian Streibelt 1 <fstreibelt@mpi-inf.mpg.de> , Franziska Lichtblau 1 , Robert Beverly 2 , Cristel Pelsser 3 , Georgios Smaragdakis 4 , Randy Bush 5 , Anja Feldmann 1 Nov 1, 2018 1 Max Planck Institute for Informatics (MPII), 2 Naval Postgraduate School (NPS), 3 University of Strasbourg, 4 TU Berlin (TUB), 5 Internet Initiative Japan (IIJ)

  2. Introduction

  3. Contributions. . . • We provide an analysis of BGP community propagation on the Internet • We show that BGP communities (as used by operators to realize traffic management) can be used as attack vector • We verify this via experiments in the lab as well as in the wild • We provide some hints on the secure usage of BGP communities 1

  4. BGP Community usage is increasing 70k ● # Unique ASes in Communities 7B ● # Unique Communities ● ● ● 40k 4B ● ● ● ● 20k ● 2B ● 10k 1B 5k 0.5B ● ● ● ● ● ● 3k ● 0.3B ● ● 2k # Absolute Communities 0.2B # BGP table entries 2010 2012 2014 2016 2018 Year 2

  5. BGP Community usage is increasing 70k # Unique ASes in Communities 7B ● # Unique Communities ● ● ● 40k 4B ● ● ● +296% ● ● 20k 2B ● 10k 1B 5k 0.5B 3k 0.3B 2k # Absolute Communities 0.2B # BGP table entries 2010 2012 2014 2016 2018 Year Increasing usage warrants a closer look. 2

  6. BGP (Border Gateway Protocol) 3

  7. BGP (Border Gateway Protocol) AS2 AS4 AS6 AS1 AS3 AS5 3

  8. BGP (Border Gateway Protocol) AS2 AS4 AS6 p AS1 p AS3 AS5 Origin−AS • AS1 announces prefix p 3

  9. BGP (Border Gateway Protocol) p AS2 AS4 AS6 p AS1 p p AS3 AS5 Origin−AS • AS1 announces prefix p, upstreams pickup p 3

  10. BGP (Border Gateway Protocol) p p AS2 AS4 AS6 p p AS1 p p p AS3 p AS5 AS−Paths for p in AS6 AS6, AS4, AS2, AS1 Origin−AS AS6, AS5, AS3, AS1 • AS1 announces prefix p, upstreams pickup p • AS6 receives first anouncements for p 3

  11. BGP (Border Gateway Protocol) p p AS2 AS4 AS6 p p AS1 p p p AS3 p AS5 AS−Paths for p in AS6 AS6, AS4, AS2, AS1 p AS6, AS4, AS5, AS3, AS1 Origin−AS AS6, AS5, AS3, AS1 AS6, AS5, AS4, AS2, AS1 For simplicity assuming AS2−AS5 are transit providers • AS1 announces prefix p, upstreams pickup p • AS6 receives first anouncements for p • eventually AS6 sees multiple available paths for p 3

  12. BGP (Border Gateway Protocol) p p AS2 AS4 AS6 p p AS1 p p p AS3 AS5 p AS−Paths for p in AS6 AS6, AS4, AS2, AS1 p AS6, AS4, AS5, AS3, AS1 Origin−AS AS6, AS5, AS3, AS1 AS6, AS5, AS4, AS2, AS1 For simplicity assuming AS2−AS5 are transit providers BGP • BGP communicates reachability information • Announcement messages also carry various attributes • One of these attributes are BGP-Communities 4

  13. BGP Communities • RFC 1997: Optional Attribute in 0x00000000011110110000000111001000 BGP message (32 bit) 32 bit • By convention written ASN:VALUE 0x1111011 0x111001000 • ASN can be both sender or intended ’recipient’ 16 bit 16 bit • Every network decides the semantics behind the 123 456 : values 16 bit AS−Number community−value • New standard: Large Communities (96 bit), not yet widely deployed 5

  14. BGP Communities: Usage Informational Communities Action Communities (Passive Semantics) (Active Semantics) • Location tagging • Remote triggered blackholing • RTT tagging • Path prepending • Local pref/MED • Selective announcements Used by operators to realize policies. Without documentation, you can not tell if a community is active or passive! 6

  15. BGP Communities As Attack Vector? Given the increasing popularity of BGP communities and the ability to trigger actions as well as relay information , one question arises: To which extend can BGP communities be leveraged for attacks? 7

  16. Propagation behavior • RFC 1997: Communities as a transitive optional attribute • RFC 7454: Scrub own, forward foreign communities • 14% of transit providers propagate received communities (2.2k of 15.5k) • Ratio seems small, but AS graph is highly connected Still many people do not expect communities to propagate that widely. 8

  17. Potential (for) misuse • Propagated communities might trigger actions multiple AS-hops away • No way of knowing if intended or not, e.g., for traffic management • But are there also unintended consequences? Our assessment is that there is a high risk for attacks! 9

  18. Observations

  19. BGP Dataset BGP updates and table dumps of April 2018 from publicly available BGP Collector Projects: RIPE RIS, Routeviews, Isolario, PCH. BGP messages 38.98 bn IPv4 prefixes 967,499 IPv6 prefixes 84,953 Collectors 194 AS peers 2,133 Communities 63,797 More than 75% of all BGP announcements have at least one BGP community set, 5,659 ASes are using communities. 10

  20. BGP Communities propagation 11

  21. BGP Communities propagation AS1 AS2 AS3 AS4 11

  22. BGP Communities propagation AS1 AS2 AS3 AS4 p p p • AS1 announces prefix p 11

  23. BGP Communities propagation AS1 AS2 AS3 AS4 p p p AS4 AS−Path: AS4, AS3, AS2, AS1 • AS1 announces prefix p, AS4 receives announcement 11

  24. BGP Communities propagation AS1 AS2 AS3 AS4 p p p 2:303 AS2 adds community AS4 2:303 informational community of AS2 AS−Path: AS4, AS3, AS2, AS1 • AS1 announces prefix p, AS4 receives announcement • Informational community 2:303 is added by AS2 11

  25. BGP Communities propagation AS1 AS2 AS3 AS4 p p p 2:303 2:303 AS2 adds communities AS3 forwards communities AS4 2:303 informational community of AS2 AS−Path: AS4, AS3, AS2, AS1 Communities: 2:203 • AS1 announces prefix p, AS4 receives announcement • Informational community 2:303 is added by AS2 11

  26. BGP Communities propagation AS1 AS2 AS3 AS4 p p p 2:303 2:303 3:123 AS2 adds communities AS3 forwards communities AS4 2:303 informational community of AS2 AS−Path: AS4, AS3, AS2, AS1 3:123 action community towards AS3 Communities: 2:203 • AS1 announces prefix p, AS4 receives announcement • Informational community 2:303 is added by AS2 • AS2 also adds action community 3:123 for AS3 11

  27. BGP Communities propagation AS1 AS2 AS3 AS4 p p p 2:303 2:303 3:123 3:123 AS2 adds communities AS3 forwards communities AS4 2:303 informational community of AS2 AS−Path: AS4, AS3, AS2, AS1 3:123 action community towards AS3 Communities: 2:203, 3:123 • AS1 announces prefix p, AS4 receives announcement • Informational community 2:303 is added by AS2 • AS2 also adds action community 3:123 for AS3 • Both communities are forwarded by AS3 to AS4 11

  28. BGP Communities propagation AS1 AS2 AS3 AS4 p p p 2:303 2:303 3:123 3:123 AS4 AS−Path: AS4, AS3, AS2, AS1 Communities: 2:203, 3:123 12

  29. BGP Communities propagation AS1 AS2 AS3 AS4 p p p 2:303 2:303 3:123 3:123 AS4 AS−Path: AS4, AS3, AS2, AS1 Communities: 2:203, 3:123 • We can only infer which AS added a specific community 12

  30. BGP Communities propagation AS1 AS2 AS3 AS4 p p p 2:303 2:303 3:123 3:123 AS4 AS−Path: AS4, AS3, AS2, AS1 Communities: 2:203, 3:123 • We can only infer which AS added a specific community • We assume that a community n:value was added by AS n 12

  31. BGP Communities propagation AS1 AS2 AS3 AS4 p p p 2:303 2:303 3:123 3:123 inferred travel−distance is a lower bound! AS4 2:303 traversed at least two AS−links AS−Path: AS4, AS3, AS2, AS1 3:123 traversed at least one AS−link Communities: 2:203, 3:123 • We can only infer which AS added a specific community • We assume that a community n:value was added by AS n • This gives a lower bound for the ‘travel distance’ • In above example we calculate AS-hop-count 1 for 3:123 12

  32. BGP Community Propagation Observations Fraction of communities (ECDF) 1.0 ● ● ● ● ● ● 0.8 ● 0.6 ● 0.4 ● 0.2 ● ● 0.0 ● 0 2 4 6 8 10 AS hop count • 10% of communities have a AS hop count of more than six • More than 50% of communities traverse more than four ASes • Longest community propagation observed: 11 AS hops 13

  33. BGP Community Propagation Observations Fraction of communities (ECDF) 1.0 0.8 0.6 0.4 0.2 0.0 0 2 4 6 8 10 AS hop count • 10% of communities have a AS hop count of more than six • More than 50% of communities traverse more than four ASes • Longest community propagation observed: 11 AS hops 13

  34. BGP Community Propagation Observations Fraction of communities (ECDF) 1.0 0.8 0.6 0.4 0.2 0.0 0 2 4 6 8 10 AS hop count • 10% of communities have a AS hop count of more than six • More than 50% of communities traverse more than four ASes • Longest community propagation observed: 11 AS hops 13

  35. BGP Community Propagation Behavior AS3 AS2 AS1 AS4 14

  36. BGP Community Propagation Behavior AS3 p AS2 AS1 p p AS4 • AS1 announces prefix p 14

  37. BGP Community Propagation Behavior AS3 p AS2 AS1 3:123 p 3:123 p 3:123 AS4 • AS1 announces prefix p, tagged with 3:123 14

  38. BGP Community Propagation Behavior AS3 p AS2 AS1 3:123 p 3:123 p 3:123 AS4 • AS1 announces prefix p, tagged with 3:123 • Community is intended for signaling towards AS3 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BGP Large Communities: a new BGP Routing Heuristic Montevideo, Uy | 21/09/2017 BGP Large

BGP Large Communities: a new BGP Routing Heuristic Montevideo, Uy | 21/09/2017 BGP Large

BGP Large Communities: a new BGP Routing Heuristic Montevideo, Uy | 21/09/2017 BGP Large Communities: a new BGP Routing Heuristic Lucenildo Aquino Jnior Agenda BGP Communities BGP Extended Communities BGP Large Communities

549 views • 26 slides
FILARIAL WORMS Found mainly in tropical regions in Asia Threadlike worms live in the

FILARIAL WORMS Found mainly in tropical regions in Asia Threadlike worms live in the

FILARIAL WORMS Found mainly in tropical regions in Asia Threadlike worms live in the blood and lymph vessels of birds and mammals. They are transmitted by mosquitoes. Cause severe infections Worms block passage of lymph

390 views • 8 slides
Early DoS and Worms Examples of recent worms and DoS attacks Slammer Worm Shaft DoS attack

Early DoS and Worms Examples of recent worms and DoS attacks Slammer Worm Shaft DoS attack

Outline Introduction to worms Potential damage that *could* be caused (theoretical) Early DoS and Worms Examples of recent worms and DoS attacks Slammer Worm Shaft DoS attack Ben Wilde Mstream DoS attack 7 February, 2005

718 views • 14 slides
4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has

4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has

4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has columns for the destination network (or hosts) with the corresponding cost and the next router address to reach a destination. Additional

1.08k views • 84 slides
Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing

Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing

Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing [Kleinberg04] J. Kleinberg, A. Slivkins, T. Wexler. Triangulation and Embedding using Small Sets of Beacons. Proc. 45th IEEE Symposium on Foundations of

450 views • 32 slides
On Instant Messaging Worms, Analysis and Countermeasures Mohammad Mannan School of Computer

On Instant Messaging Worms, Analysis and Countermeasures Mohammad Mannan School of Computer

COMP 4108 Presentation - Sept 20, 2005 On Instant Messaging Worms, Analysis and Countermeasures Mohammad Mannan School of Computer Science Carleton University, Canada Goals of this talk Discuss a few IM worms Analyze well-known

402 views • 26 slides
fka Can of Worms Harrison Community Center June 13, 2016 Purpose To introduce the

fka Can of Worms Harrison Community Center June 13, 2016 Purpose To introduce the

fka Can of Worms Harrison Community Center June 13, 2016 Purpose To introduce the potential Twin Ports Interchange (TPI) project. Jct I-35/I- 535/Hwy 53 fka Can of Worms I-535 at Garfield Avenue Gather community input

225 views • 18 slides
Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing

Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing

Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing forwarding: to select an output port based on destination address and routing table routing: process by which routing table is built

543 views • 13 slides
1 Routing Table Routing Table Destination network Next router

1 Routing Table Routing Table Destination network Next router

Lecture 12. Lecture 12. Introduction to Introduction to IP Routing IP Routing Giuseppe Bianchi Why introduction? Why introduction? Routing: very complex issue need in-depth study entire books on routing our scope: give a

552 views • 19 slides
Malware: Worms CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John

Malware: Worms CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John

Malware: Worms CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/ April 14, 2010 The Problem of Worms

582 views • 22 slides
Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local

Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local

Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local forwarding table header value output link in the Internet 0100 3 0101 2 0111 2 1001 1 value in arriving packets header 1 0111 2 3

403 views • 8 slides
Ad Hoc Wireless Routing CS 218- Fall 2003 Wireless multihop routing challenges Review of

Ad Hoc Wireless Routing CS 218- Fall 2003 Wireless multihop routing challenges Review of

Ad Hoc Wireless Routing CS 218- Fall 2003 Wireless multihop routing challenges Review of conventional routing schemes Proactive wireless routing Hierarchical routing Reactive (on demand) wireless routing Geographic routing

893 views • 60 slides
Routing Algebras What are routing algebras? Created to study properties of routing protocols

Routing Algebras What are routing algebras? Created to study properties of routing protocols

Routing Algebras What are routing algebras? Created to study properties of routing protocols Does the routing protocol converge? Does the routing protocol compute optimal paths? Separates the routing data &amp; algorithm Data

326 views • 11 slides
SELF-PROPAGATING MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2

SELF-PROPAGATING MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2

WORMS AND SELF-PROPAGATING MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Malware: taxonomy JavaScript worms History, evolution, and Spectator : JavaScript progression of worms: worm detection and an

643 views • 51 slides
Responding to Mobile Worms with Location-Based Quarantine Boundaries Baik Hoh (baikhoh@winlab)

Responding to Mobile Worms with Location-Based Quarantine Boundaries Baik Hoh (baikhoh@winlab)

Responding to Mobile Worms with Location-Based Quarantine Boundaries Baik Hoh (baikhoh@winlab) Marco Gruteser (gruteser@winlab) Research Review 2006 1 Threats of Mobile Worms Current Trends in Pervasive Devices Multi-radio support :

791 views • 20 slides
CS 557 ARPANet Routing Algorithms An Overview of the New Routing Algorithm for the ARPANET J.

CS 557 ARPANet Routing Algorithms An Overview of the New Routing Algorithm for the ARPANET J.

CS 557 ARPANet Routing Algorithms An Overview of the New Routing Algorithm for the ARPANET J. McQuillan, I. Richer, and E. Rosen, 1979 The Revised ARPANET Routing Metric Atul Khanna and John Zinky, 1989 Spring 2013 Routing Algorithm Basics

894 views • 29 slides
The Internet of Things Naif Almakhdhub , Abraham Clements, Mathias Payer, and Saurabh Bagchi 1

The Internet of Things Naif Almakhdhub , Abraham Clements, Mathias Payer, and Saurabh Bagchi 1

BenchIoT: A Security Benchmark for The Internet of Things Naif Almakhdhub , Abraham Clements, Mathias Payer, and Saurabh Bagchi 1 Internet of Things The number of IoT devices is expected to exceed 20 billion by 2020. Many will be

546 views • 25 slides
Secondary Mathematics Masterclass Gustavo Lau Introduction On what day were you born? Worksheet

Secondary Mathematics Masterclass Gustavo Lau Introduction On what day were you born? Worksheet

Modular arithmetic Secondary Mathematics Masterclass Gustavo Lau Introduction On what day were you born? Worksheet 1 Going round in circles Modulo 12 How to represent time? 12 t 0 1 2 3 6 9 t 12 9 3 6 Modulo 12 Instead of 13 =

960 views • 79 slides
PENNSYLVANIA DEPARTMENT OF TRANSPORTATION, DISTRICT 11-0 Kenmawr Bridge Replacement Project

PENNSYLVANIA DEPARTMENT OF TRANSPORTATION, DISTRICT 11-0 Kenmawr Bridge Replacement Project

Introductions PENNSYLVANIA DEPARTMENT OF TRANSPORTATION, DISTRICT 11-0 Kenmawr Bridge Replacement Project SWISSVALE AND RANKIN BOROUGHS Kenmawr Bridge Existing Conditions Project Team John Myler PENNDOT D-11 Construction

454 views • 17 slides
Incoop: MapReduce for Incremental Computations Bhatotia, P., Wieder, A., Rodrigues, R., Acar,

Incoop: MapReduce for Incremental Computations Bhatotia, P., Wieder, A., Rodrigues, R., Acar,

Incoop: MapReduce for Incremental Computations Bhatotia, P., Wieder, A., Rodrigues, R., Acar, U.A., and Pasquin, R. (2011). Reviewed by Neil Satra Why? You are calculating PageRank at Google. Crawling petabytes of web pages. 1% of web pages

302 views • 12 slides
FreningsSparbanken Kjell Hedman Group EVP and Head of Payments business area 1 Payments -

FreningsSparbanken Kjell Hedman Group EVP and Head of Payments business area 1 Payments -

FreningsSparbanken Kjell Hedman Group EVP and Head of Payments business area 1 Payments - growth and opportunities 2 The payment area Card issuing Clearing card transactions National and international payments

404 views • 26 slides
Acquisition of Accelerating our growth in Africa through online payments and mobile money 28 th

Acquisition of Accelerating our growth in Africa through online payments and mobile money 28 th

Acquisition of Accelerating our growth in Africa through online payments and mobile money 28 th July 2020 Disclaimer IMPORTANT NOTICE This document is not for release, publication or distribution (in whole or in part), directly or indirectly

327 views • 28 slides
VALUEx Vail June 19, 2014 Ma6 Griffith, CFA

VALUEx Vail June 19, 2014 Ma6 Griffith, CFA

VALUEx Vail June 19, 2014 Ma6 Griffith, CFA @Ma6GGriffith Disclaimer The data in this presentaFon has been obtained from sources believed to be

403 views • 19 slides
Shift to Digital Strategy Shift to Digital Strategy Contents Introduction The Digital

Shift to Digital Strategy Shift to Digital Strategy Contents Introduction The Digital

Shift to Digital Strategy Shift to Digital Strategy Contents Introduction The Digital Value Chain Edenred Digital Strategy Financial Impacts New Growth Opportunities 2 Why shifting to digital makes sense for all

300 views • 29 slides

More recommend