SLIDE 1 How Secure are Secure Interdomain Routing Protocols?
DIMACS Workshop on Secure Routing, March 10, 2010
Sharon Goldberg (Microsoft Research & Boston University, Princeton University)
Michael Schapira (Yale & Berkeley)
Pete Hummon (Princeton)
Jennifer Rexford (Princeton)
SLIDE 2 Overview
Today, Internet routing is surprisingly insecure.
- Decade of research on secure routing protocols
Our Goal: Compare the effectiveness of these protocols.
- Each has a different set of security properties.
- How well do they prevent traffic attraction attacks?
Our approach: Evaluate via simulation on real data.
- Data: Map of Internet & business relationships
- … both [CAIDA] and [UCLA Cyclops]
- We use a (standard) model of routing policies
- … based on the Gao-Rexford conditions
SLIDE 3 BGP: The Internet’s Routing Protocol (1a)
The Border Gateway Protocol (BGP) sets up paths from Autonomous Systems (ASes) to destination IP addresses.
[Figure: AS topology with Verizon, UPC, Init 7 AG Zurich, AS 43284, AS 20984 and the IP Prefix; links labelled peer, provider and customer]
Prefer customer paths over peer paths over provider paths.
A model of routing policies:
- Prefer cheaper paths. Then, prefer shorter paths.
SLIDE 4 BGP: The Internet’s Routing Protocol (1b)
The Border Gateway Protocol (BGP) sets up paths from Autonomous Systems (ASes) to destination IP addresses.
[Figure: AS topology with Verizon, UPC, Init 7 AG Zurich, AS 43284, AS 20984 and the IP Prefix; links marked with $ signs]
Prefer customer paths over peer paths over provider paths.
A model of routing policies:
- Prefer cheaper paths. Then, prefer shorter paths.
SLIDE 5 BGP: The Internet’s Routing Protocol (2)
The Border Gateway Protocol (BGP) sets up paths from Autonomous Systems (ASes) to destination IP addresses.
[Figure: same topology, with the announcements “UPC, Prefix”, “Init 7, UPC, Prefix”, “Verizon, UPC, Prefix” and “43284, Init 7, UPC, Prefix”]
A model of routing decisions:
- Prefer cheaper paths. Then, prefer shorter paths.
SLIDE 6 BGP: The Internet’s Routing Protocol (3)
The Border Gateway Protocol (BGP) sets up paths from Autonomous Systems (ASes) to destination IP addresses.
[Figure: same topology, with the announcement “20984, Verizon, UPC, Prefix” marked “Losing $$”]
A model of routing decisions:
- Prefer cheaper paths. Then, prefer shorter paths.
- Only carry traffic if it earns you money.
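The decision model on these slides, written out as an added example (not code from the talk or its tech report). Treating Verizon and 43284 as providers of AS 20984 is an assumption read from the later stub slides, and the final tie-break on neighbour name is also an assumption.

```python
from dataclasses import dataclass

# Lower rank = cheaper path for the AS doing the choosing.
RANK = {"customer": 0, "peer": 1, "provider": 2}

@dataclass(frozen=True)
class Route:
    learned_from: str   # neighbour that announced the route
    relationship: str   # what that neighbour is to us: customer, peer or provider
    as_path: tuple      # AS path as announced, neighbour first, origin last

def best_route(me, routes):
    """Prefer cheaper paths, then shorter paths.

    Routes that already contain our own AS are discarded (loop prevention).
    The last tie-break, on neighbour name, is an assumption.
    """
    usable = [r for r in routes if me not in r.as_path]
    if not usable:
        return None
    return min(usable, key=lambda r: (RANK[r.relationship], len(r.as_path), r.learned_from))

def may_export(route, to_relationship):
    """Only carry traffic if it earns you money.

    A customer route may be announced to anyone; a peer or provider route
    may be announced to customers only.
    """
    return route.relationship == "customer" or to_relationship == "customer"

def announcements(me, routes, neighbours):
    """Return {neighbour: AS path announced to it} for the chosen route."""
    best = best_route(me, routes)
    if best is None:
        return {}
    out = {}
    for name, rel in neighbours.items():
        if name in best.as_path:      # do not announce a route back into its own path
            continue
        if may_export(best, rel):
            out[name] = (me,) + best.as_path
    return out

# The view from AS 20984, using the paths shown on the slides.
NEIGHBOURS_20984 = {"Verizon": "provider", "43284": "provider"}
ROUTES_20984 = [
    Route("Verizon", "provider", ("Verizon", "UPC")),
    Route("43284", "provider", ("43284", "Init 7", "UPC")),
]

def demo():
    """Route chosen by AS 20984 and what the model lets it announce."""
    chosen = best_route("20984", ROUTES_20984)
    exported = announcements("20984", ROUTES_20984, NEIGHBOURS_20984)
    return chosen.learned_from, exported

if __name__ == "__main__":
    print(demo())
```

Under the model AS 20984 picks the shorter provider route via Verizon and announces nothing to 43284, which is why the announcement drawn on the slide is the one marked “Losing $$”.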
SLIDE 7 This talk
Part 1: A model of Interdomain Routing
Part 2: Secure Routing Protocols and Attacks
- Plain BGP
- Origin Authentication
- Secure BGP
- Interlude: Finding the Optimal Attack
- Defensive Filtering
- Interlude: Attract more by announcing less
Part 3: Results and Implications
SLIDE 8 Traffic Attraction Attacks (1)
Attacker wants max number of ASes to route thru its network. (For eavesdropping, dropping, tampering, … )
[Figure: topology with Verizon, UPC, Init 7 AG Zurich, AS 43284, AS 20984 and the IP Prefix; announcements “UPC, Prefix” and “20984, Prefix”; undecided ASes marked “?”]
A model of routing decisions:
- Prefer cheaper paths. Then, prefer shorter paths.
- Only carry traffic if it earns you money.
SLIDE 9 Traffic Attraction Attacks (2)
Attacker wants max number of ASes to route thru its network. (For eavesdropping, dropping, tampering, … )
[Figure: same topology; announcements “UPC, Prefix” and “20984, Prefix”; undecided ASes marked “?”]
A model of routing decisions:
- Prefer cheaper paths. Then, prefer shorter paths.
- Only carry traffic if it earns you money.
SLIDE 10 Traffic Attraction Attacks (3)
Attacker wants max number of ASes to route thru its network. (For eavesdropping, dropping, tampering, … )
[Figure: same topology; announcements “UPC, Prefix”, “20984, Prefix” and “43284, 20984, Prefix”; undecided ASes marked “?”]
A model of routing decisions:
- Prefer cheaper paths. Then, prefer shorter paths.
- Only carry traffic if it earns you money.
SLIDE 11 Traffic Attraction Attacks (4)
Attacker wants max number of ASes to route thru its network. (For eavesdropping, dropping, tampering, … )
[Figure: same topology; announcements “UPC, Prefix”, “20984, Prefix” and “43284, 20984, Prefix”; undecided ASes marked “?”]
A model of routing decisions:
- Prefer cheaper paths. Then, prefer shorter paths.
- Only carry traffic if it earns you money.
SLIDE 12 Traffic Attraction Attacks (5)
Attacker wants max number of ASes to route thru its network. (For eavesdropping, dropping, tampering, … )
[Figure: same topology with Verizon, UPC, Init 7 AG Zurich, AS 43284, AS 20984 and the IP Prefix]
Simulations show he attracts 62%
A model of routing decisions:
- Prefer cheaper paths. Then, prefer shorter paths.
- Only carry traffic if it earns you money.
SLIDE 13 Security Mechanism: Origin Authentication (1)
Origin Authentication: A secure database that maps IP Prefixes to their owner ASes.
[Figure: topology with Verizon, UPC, Init 7 AG Zurich, AS 43284, AS 20984 and the IP Prefix; announcements “UPC, Prefix” and “20984, UPC, Prefix”]
Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
SLIDE 14 Security Mechanism: Origin Authentication (2)
Origin Authentication: A secure database that maps IP Prefixes to their owner ASes.
[Figure: same topology; announcements “UPC, Prefix” and “20984, UPC, Prefix”; undecided ASes marked “?”]
Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
SLIDE 15 Security Mechanism: Origin Authentication (3)
Origin Authentication: A secure database that maps IP Prefixes to their owner ASes.
[Figure: same topology; announcements “UPC, Prefix” and “20984, UPC, Prefix”; undecided ASes marked “?”]
Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
SLIDE 16 Security Mechanism: Origin Authentication (4)
Origin Authentication: A secure database that maps IP Prefixes to their owner ASes.
[Figure: same topology; announcements “UPC, Prefix”, “20984, UPC, Prefix” and “43284, 20984, UPC, Prefix”]
Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
SLIDE 17 Security Mechanism: Origin Authentication (5)
Origin Authentication: A secure database that maps IP Prefixes to their owner ASes.
[Figure: same topology; announcements “UPC, Prefix”, “20984, UPC, Prefix” and “43284, 20984, UPC, Prefix”]
Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
SLIDE 18 Security Mechanism: Origin Authentication (6)
Origin Authentication: A secure database that maps IP Prefixes to their owner ASes.
[Figure: topology with Verizon, UPC, Init 7 AG Zurich, AS 43284, AS 20984 and the IP Prefix]
Simulations show he attracts 58%
Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
SLIDE 19 Security Mechanism: “Secure BGP” [KLS98]
Secure BGP: Origin Authentication + Cannot announce a path that was not announced to you.
[Figure: topology with Verizon, UPC, Init 7 AG Zurich, AS 43284, AS 20984 and the IP Prefix; signed announcements “Verizon: (UPC, Prefix)”, “Init7: (UPC, Prefix)”, “Init 7: (UPC, Pr”, “43284: (Init7, U”]
Public Key Signature: Anyone who knows UPC’s public key can authenticate that the message was sent by UPC.
SLIDE 20 Security Mechanism: “Secure BGP” [KLS98]
Secure BGP: Origin Authentication + Cannot announce a path that was not announced to you.
[Figure: same topology; signed announcements “Verizon: (UPC, Prefix)”, “Init 7: (UPC, Prefix)”, “20984: (Verizon, UPC, Prefix)”, “43284: (Init7, UPC, Prefix)”, “20984: (43284, Init7, UPC, Prefix)”]
Public Key Signature: Anyone who knows UPC’s public key can authenticate that the message was sent by UPC.
SLIDE 21 Are attacks still possible with Secure BGP? (0)
Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
[Figure: topology with Verizon, UPC, Init 7 AG Zurich, AS 43284, AS 20984 and the IP Prefix; signed announcements “Verizon: (UPC, Prefix)”, “Init 7: (UPC, Prefix)”, “20984: (Verizon, UPC, Prefix)”, “43284: (Init7, UPC, Prefix)”, “20984: (43284, Init7, UPC, Prefix)”]
SLIDE 22 Are attacks still possible with Secure BGP? (1)
Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
[Figure: same topology; signed announcements “Verizon: (UPC, Prefix)”, “AT&T: (UPC, Prefix)”, “20984: (AT&T, UPC, Prefix)”, “43284: (20984, Verizon, UPC, Prefix)”, “20984: (Verizon, UPC, Prefix)”]
SLIDE 23 Are attacks still possible with Secure BGP? (2)
Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
[Figure: same topology, one AS marked “?”; signed announcements “Init 7: (UPC, Pr”, “43284: (Init7, U”, “Verizon: (UPC, Prefix)”, “AT&T: (UPC, Prefix)”, “20984: (AT&T, UPC, Prefix)”, “43284: (20984, Verizon, UPC, Prefix)”, “20984: (Verizon, UPC, Prefix)”]
SLIDE 24 Are attacks still possible with Secure BGP? (2)
Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
[Figure: same topology; signed announcements “Init 7: (UPC, Pr”, “43284: (Init7, U”, “Verizon: (UPC, Prefix)”, “AT&T: (UPC, Prefix)”, “20984: (AT&T, UPC, Prefix)”, “43284: (20984, Verizon, UPC, Prefix)”, “20984: (Verizon, UPC, Prefix)”]
SLIDE 25 Are attacks still possible with Secure BGP? (3)
Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
[Figure: same topology, undecided ASes marked “?”; signed announcements “Init7: (UPC, Prefix)”, “Verizon: (UPC, P”, “43284: (20984, V”, “20984: (Verizon”, “Init7: (43284, 20”]
Simulations show he fools 16% of Internet!
Later we’ll discuss why this is an “attack”
SLIDE 26 Are attacks still possible with Secure BGP? (4)
Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
[Figure: topology with Verizon, UPC, Init 7 AG Zurich, AS 43284, AS 20984 and the IP Prefix; undecided ASes marked “?”]
Simulations show he fools 16% of Internet!
Later we’ll discuss why this is an “attack”
SLIDE 27 Wait! Is this the “best” attack strategy?!?
I can’t lie about my business relationship with AS 43284, so I might as well announce the shortest path I can.
[Figure: AS 43284 and AS 20984]
Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
SLIDE 28 Wait! Is this the “best” attack strategy?!?
I can’t lie about my business relationship with AS 43284, so I might as well announce the shortest path I can.
[Figure: AS 43284 and AS 20984]
Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
Smart Attack Strategy: But Not Optimal!
- Sometimes announcing to fewer neighbors is better!
- Sometimes longer paths are better!
Theorem: it’s NP hard to find the optimal attack strategy.
Smart Attack Strategy underestimates damage.
SLIDE 29 Sometimes longer paths are better! (1)
[Figure: topology with Verizon, UPC, Init 7 AG Zurich, AS 43284, AS 20984 and the IP Prefix; signed announcements “Init 7: (UPC, Prefix)”, “43284: (Init7, UPC, Prefix)”, “20984: (43284, Init7, UPC, Prefix)”, “AT&T: (20984, 43284, Init7, UPC, Prefix)”]
SLIDE 30 Sometimes longer paths are better! (2)
Simulations show he attracts 56% of Internet!
With the shorter path, he attracts only 16% of Internet! This is almost as much as attack on insecure BGP: 62%!
[Figure: topology with Verizon, UPC, Init 7 AG Zurich, AS 43284, AS 20984 and the IP Prefix; labels “517 neighbors” and “4 neighbors”]
Why does this happen? Verizon is “bigger” than 43284.
Key Observation: Who you announce to is as important as what you announce.
SLIDE 31 Wait! Why is this an “attack”?!?
Has 20984 done anything wrong? He announces the path he actually uses!
[Figure: topology with Verizon, UPC, Init 7 AG Zurich, AS 43284, AS 20984 and the IP Prefix; label “Losing $$”]
A stub should not carry traffic for its providers.
A stub: has no customers
A model of routing decisions:
- Prefer cheaper paths. Then, prefer shorter paths.
- Only carry traffic if it earns you money.
SLIDE 32 Security Heuristic: Defensive Filtering (1)
Defensive Filtering: The provider drops announcements for prefixes not owned by its stubs.
[Figure: topology with Verizon, UPC, Init 7 AG Zurich, AS 43284, AS 20984 and the IP Prefix; provider’s list “Stub 20984: IP1 IP2 …”]
A stub should not carry traffic for its providers.
A model of routing decisions:
- Prefer cheaper paths. Then, prefer shorter paths.
- Only carry traffic if it earns you money.
SLIDE 33 Security Heuristic: Defensive Filtering (2)
Defensive Filtering: The provider drops announcements for prefixes not owned by its stubs.
[Figure: same topology; provider’s list “Stub 20984: IP1 IP2 …” with the speech bubble “My stub doesn’t own this IP prefix!”; signed announcements “Verizon: (UPC, Prefix)”, “Init 7: (UPC, Prefix)”, “43284: (Init7, UPC, Prefix)”, “20984: (43284, Init7, UPC, Prefix)”, “AT&T: (20984, 43284, Init7, UPC, Prefix)”]
Defensive filtering thwarts all attacks by stubs!
In the data, 85% of ASes are stubs.
SLIDE 34 This talk
Part 1: A model of Interdomain Routing
Part 2: Secure Routing Protocols and Attacks
- Plain BGP
- Origin Authentication
- Secure BGP
- Interlude: Finding the Optimal Attack
- Defensive Filtering
- Interlude: Attract more by announcing less
Part 3: Results and Implications
SLIDE 35 Attract More by Exporting Less (Naïve)! (1)
[Figure: AS topology with Cogent 174, TeliaNet 1299, XO Comm 2828, Sprint 1239, AS 6325, AT&T 7132, AS 29993 and the IP Prefix; undecided ASes marked “?”. Data: CAIDA, Nov 20, 2009]
SLIDE 36 Attract More by Exporting Less (Naïve)! (2)
[Figure: AS topology with Cogent 174, TeliaNet 1299, XO Comm 2828, Sprint 1239, AS 6325, AT&T 7132, AS 29993 and the IP Prefix; undecided ASes marked “?”. Data: CAIDA, Nov 20, 2009]
SLIDE 37 Attract More by Exporting Less (Naïve)! (3)
[Figure: AS topology with Cogent 174, TeliaNet 1299, XO Comm 2828, Sprint 1239, AS 6325, AT&T 7132, AS 29993 and the IP Prefix; undecided ASes marked “?”. Data: CAIDA, Nov 20, 2009]
SLIDE 38 Attract More by Exporting Less (Naïve)! (4)
The Tier 1’s announce 4 hop paths.
[Figure: AS topology with Cogent 174, TeliaNet 1299, XO Comm 2828, Sprint 1239, AS 6325, AT&T 7132, AS 29993 and the IP Prefix. Data: CAIDA, Nov 20, 2009]
Simulations show AT&T attracts 40%
SLIDE 39 Attract More by Exporting Less (Clever)! (1)
[Figure: AS topology with Cogent 174, TeliaNet 1299, XO Comm 2828, Sprint 1239, AS 6325, AT&T 7132, AS 29993 and the IP Prefix; one link marked “X”. Data: CAIDA, Nov 20, 2009]
SLIDE 40 Attract More by Exporting Less (Clever)! (2)
[Figure: AS topology with Cogent 174, TeliaNet 1299, XO Comm 2828, Sprint 1239, AS 6325, AT&T 7132, AS 29993 and the IP Prefix; one link marked “X”, undecided ASes marked “?”. Data: CAIDA, Nov 20, 2009]
SLIDE 41 Attract More by Exporting Less (Clever)! (3)
[Figure: AS topology with Cogent 174, TeliaNet 1299, XO Comm 2828, Sprint 1239, AS 6325, AT&T 7132, AS 29993 and the IP Prefix; one link marked “X”, undecided ASes marked “?”. Data: CAIDA, Nov 20, 2009]
SLIDE 42 Attract More by Exporting Less (Clever)! (4)
[Figure: AS topology with Cogent 174, TeliaNet 1299, XO Comm 2828, Sprint 1239, AS 6325, AT&T 7132, AS 29993 and the IP Prefix; one link marked “X”. Data: CAIDA, Nov 20, 2009]
SLIDE 43 Attract More by Exporting Less (Clever)! (5)
Why? The Tier 1’s use 3 hop paths!
[Figure: AS topology with Cogent 174, TeliaNet 1299, XO Comm 2828, Sprint 1239, AS 6325, AT&T 7132, AS 29993 and the IP Prefix; one link marked “X”. Data: CAIDA, Nov 20, 2009]
Simulations show AT&T attracts 50%
SLIDE 44 This talk
Part 1: A model of Interdomain Routing
Part 2: Secure Routing Protocols and Attacks
- Plain BGP
- Origin Authentication
- Secure BGP
- Interlude: Finding the Optimal Attack
- Defensive Filtering
- Interlude: Attract more by announcing less
Part 3: Results and Implications
SLIDE 45 Probability* the Smart Attack attracts 10% of Internet
*Probability is taken over random choice of attacker and victim.
[Figure: bar chart, vertical axis from 0.1 to 1; bars for BGP, Origin Auth and Secure BGP, each with “No Defensive Filtering” and “Defensive Filtering”; annotation “15% of ASes are not stubs!”]
Recall that the Smart Attack Strategy underestimates damage.
SLIDE 46 Probability* Smart Attack attracts >x% of Internet (1)
*Probability is taken over random choice of attacker and victim.
[Figure: plot, vertical axis from 0.2 to 1, horizontal axis “Fraction of ASes routing thru Manipulator” from 0.2 to 1; legend text “BGP OrAuth soBGP SBGP Honest BGP + DF”; annotation “15% of ASes are not stubs!”. Data: CAIDA, Nov 20, 2009]
Recall that the Smart Attack Strategy underestimates damage.
SLIDE 47 Probability* Smart Attack attracts >x% of Internet (2)
*Probability is taken over random choice of attacker and victim.
[Figure: plot, vertical axis from 0.2 to 1, horizontal axis “Fraction of ASes routing thru Manipulator” from 0.2 to 1; legend text “BGP OrAuth soBGP SBGP Honest BGP + DF”; annotation “15% of ASes are not stubs!”. Data: UCLA Cyclops, Nov 20, 2009]
Recall that the Smart Attack Strategy underestimates damage.
SLIDE 48 Tier 2’s are the most effective attackers
Probability* of Attracting >x% of the Internet
Attack on BGP (i.e. Originate victim prefix to all neighbors)
[Figure: plot, vertical axis from 0.2 to 1, horizontal axis “Fraction of ASes routing thru Manipulator” from 0.2 to 1; one curve per attacker type: Non-Stub, > 25 Customers, > 250 Customers]
*Probability is over random victim and attacker from different classes
SLIDE 49 Conclusions (1): Theory & Simulations
1) Who you tell is as important as what you say.
- Secure BGP constrains the paths announced … but not to whom they are announced.
2) Finding the optimal attack is NP hard
- Announcing shortest paths is not always optimal
- Exporting to all neighbors is not always optimal
- It’s hard to rigorously compare secure protocols
3) Defensive filtering is crucial even with Secure BGP
- How to find incentives for providers to police stubs?
SLIDE 50 Conclusions (2): Implementing Defensive Filtering
Today: The provider locally keeps a list of the prefixes that its stubs own.
- Relies on altruism & trust
- Also, maintaining this list is annoying and hard.
[Figure: Verizon and its stub AS 20984; provider’s list “Stub 20984: IP1 IP2 …” with the speech bubble “My stub doesn’t own this IP prefix!”]
But, we could use the origin authentication database!
Origin Authentication: A secure database that maps IP Prefixes to their owner ASes.
Add defensive filtering to the origin authentication standard
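One way a provider could drive defensive filtering from an origin authentication database, as an added example (not code from the talk or its tech report). The database contents, the documentation prefixes and the placeholder AS numbers 64500 and 64501 are constructed; treating a sub-prefix of an owned prefix as owned is an assumption.

```python
import ipaddress

# Constructed origin-authentication database: prefix -> owner AS.
# 20984 is the stub from the slides; 64500 is a placeholder victim AS.
ORIGIN_DB = {
    ipaddress.ip_network("192.0.2.0/24"): 20984,
    ipaddress.ip_network("203.0.113.0/24"): 64500,
}

# Customers of this provider that have no customers of their own.
STUB_CUSTOMERS = {20984}

def owner_of(prefix, origin_db=ORIGIN_DB):
    """Owner AS of the most specific database entry covering `prefix`, or None.

    Assumption: a more-specific announcement inherits the owner of the
    covering entry.
    """
    net = ipaddress.ip_network(prefix)
    covering = [p for p in origin_db
                if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return None
    return origin_db[max(covering, key=lambda p: p.prefixlen)]

def defensive_filter(neighbor_as, prefix, stubs=STUB_CUSTOMERS, origin_db=ORIGIN_DB):
    """Return (accept, reason) for an announcement of `prefix` from `neighbor_as`."""
    if neighbor_as not in stubs:
        # The filter only polices stubs; other neighbors pass through it.
        return True, "neighbor is not a stub customer; filter does not apply"
    try:
        owner = owner_of(prefix, origin_db)
    except ValueError:
        return False, "malformed prefix"
    if owner == neighbor_as:
        return True, "stub owns the prefix"
    if owner is None:
        return False, "no database entry covers the prefix"
    return False, f"prefix belongs to AS{owner}, not to stub AS{neighbor_as}"

def demo():
    """Run the filter over a few constructed announcements."""
    samples = [
        (20984, "192.0.2.0/24"),      # stub announces its own prefix
        (20984, "203.0.113.0/24"),    # stub announces someone else's prefix
        (20984, "203.0.113.128/25"),  # more-specific of someone else's prefix
        (64501, "203.0.113.0/24"),    # non-stub neighbor: not covered by the filter
    ]
    return [(asn, pfx, defensive_filter(asn, pfx)[0]) for asn, pfx in samples]

if __name__ == "__main__":
    for asn, pfx, accepted in demo():
        print(f"AS{asn} {pfx}: {'accept' if accepted else 'drop'}")
```

The last sample passes because the filter applies to stubs only, which is the gap the slides point to with “15% of ASes are not stubs!”.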
SLIDE 51 Thanks!
Tech Report Available: https://www.cs.bu.edu/~goldbe
SLIDE 52 How Secure is Routing on the Internet Today? (1)
February 2008: Pakistan Telecom hijacks YouTube
[Figure: “The Internet”, YouTube, Pakistan Telecom, and Pakistan Telecom’s customers Telenor Pakistan, Aga Khan University and Multinet Pakistan; YouTube’s announcement “I’m YouTube: IP 208.65.153.0 / 24”]
SLIDE 53 How Secure is Routing on the Internet Today? (2)
Here’s what should have happened…
[Figure: “The Internet”, YouTube, Pakistan Telecom, Telenor Pakistan, Aga Khan University and Multinet Pakistan; YouTube’s announcement “I’m YouTube: IP 208.65.153.0 / 22”; Pakistan Telecom labelled “Drop packets going to YouTube”]
Block your own customers.
SLIDE 54 How Secure is Routing on the Internet Today? (3)
But here’s what Pakistan ended up doing…
[Figure: “The Internet”, YouTube, Pakistan Telecom, Telenor Pakistan, Aga Khan University and Multinet Pakistan; YouTube’s announcement “I’m YouTube: IP 208.65.153.0 / 22”; Pakistan Telecom’s announcement “No, I’m YouTube! IP 208.65.153.0 / 24”]
Draw traffic from the entire Internet!