internet control plane security
play

Internet Control Plane Security Yongdae Kim KAIST Two Planes Data - PowerPoint PPT Presentation

Dec 26, 2023 •6 likes •396 views

Internet Control Plane Security Yongdae Kim KAIST Two Planes Data Plane: Actual data delivery Control Plane To support data delivery (efficiently, reliably, and etc.) Routing information exchange In some sense, every protocol

  1. Internet Control Plane Security Yongdae Kim KAIST

  2. Two Planes  Data Plane: Actual data delivery  Control Plane ▹ To support data delivery (efficiently, reliably, and etc.) ▹ Routing information exchange ▹ In some sense, every protocol except data delivery is considered to be control plane protocols  Example network ▹ Peer-to- peer network, Cellular network, Internet, … 2

  3. Historical List of Botnet Cr Creat ation Na Name # of of Bot Bots Spam am Cont Control 2004 Bagle 230K 5.7 B/day Centralized 2007 Storm > 1,000K 3 B/day P2P 2008 Mariposa 12,000K ? Centralized 2008 Waledac 80K ? Centralized 2008 Conficker >10,000K 10 B/day Ctrlzd/P2P 2009? Mega-D 4,500K 10 B/day Centralized 2009? Zeus >3,600K ? 2009 BredoLab 30,000K 3.6 B/day Centralized 2010 TDL4 4,500K ? P2P

  4. Misconfigurations and Redirection  1997: AS7007  2008: Pakistan Youtube ▹ Claimed shortest path to the whole ▹ decided to block Youtube Internet ▹ One ISP advertised a small part of ▹ Causing Internet Black hole YouTube's (AS 36561) network  2004: TTNet (AS9121)  2010: China ▹ Claimed shortest path to the whole ▹ 15% of whole Internet traffic was routed Internet through China for 18 minutes ▹ Lasted for several hours ▹ including .mil and .gov domain  2006: AS27056  2011: China ▹ "stole" several important prefixes on ▹ All traffic from US iPhone to Facebook the Internet ▹ routed through China and Korea ▹ From Martha Stewart Living to The New York Daily News

  5. 3ooGbps DDoS  300 Gbps DDoS against Spamhous from Stophous  Mitigation by CloudFlare using anycast  Stophous turn targets to IX (Internet Exchange)  Korea – World IX Bandwidth ▹ KT: 560 Gbps, SKB: 235 Gbps, LGU+: 145 Gbps, SKT: 100 Gbps ▹ Total: 1 Tbps 5

  6. How to Crash (or Save) the Internet? Max Schuchard, Eugene Vasserman, Abedelaziz Mohaisen, Denis Foo Kune, Nicholas Hopper, Yongdae Kim

  7. Losing Control l of the In Internet Ho How to to cras rash the the Inte nternet et – ZD ZDNe Net - Usin ing the Data Pla lane His thes Hi thesis: : How How to to cra rash the the Inte nternet – St Star ar Tri Tribune to Attack the Control l Pla lane – The cyb The yberweapo pon that that could ld take take dow own the the inte nternet et – New New Sc Scien entis ist Boff offin ins devi evise 'cy cyberweapo pon' ' to to take take dow own int nternet – The The Reg egis ister Net etwork and d Di Dist stributed Sy Syst stem Se Securit ity (N (NDSS) ) 2011 011 Pro Prof. Say Says New New Cyb Cyberweapo pon Coul uld d Take Take Down the the Inte ternet – CBS

  8. Shutting Down the Internet  Fast propagating worm ▹ CodeRed, Slammer Worm  Router misconfiguration ▹ AS7007  2011 ▹ Egypt, Libya: Internet Kill Switch ▹ US government discussing Internet Kill Switch Bill in emergency situation

  9. Other Internet Control Plane News  April 2008: Whole youtube traffic directed to Pakistan  April 2010: 15% of whole Internet traffic was routed through China for 18 minutes (including .mil and .gov domain)  March 2011: All traffic from US iPhone to Facebook was routed through China and Korea

  10. Losing Control  Attack on the Internet's control plane  Overwhelm routers with BGP updates  Launched using only a botnet  Defenses are non trivial  Different from DDoS on web servers

  11. Attack Model  No router compromise or misconfiguration ▹ BGPSEC or similar technologies  Our attack model: Unprivileged adversary ▹ can generate only data plane events ▹ does not control any BGP speakers ▹ botnet of a reasonable size » 50, 100, 250, 500k nodes 11

  12. Can we shut down the Internet only using data plane events? How much control plane events can be generated by data plane events caused by coordinated set of compromised computers?

  13. AS, BGP and the Internet  AS (Autonomous System) ▹ Core AS: High degree of connectivity ▹ Fringe AS: very low degrees of connectivity, sitting at the outskirts of the Internet ▹ Transit AS: core ASes, which agree to forward traffic to and from other Ases  BGP (Border Gateway Protocol) ▹ the de facto standard routing protocol spoken by routers connecting different ASes. ▹ BGP is a path vector routing algorithm, allowing routers to maintain a table of AS paths to every destination. ▹ uses policies to preferentially use certain AS paths in favor.

  14. 1.0.0.0/8 A DST: 1.0.0.0/8 Path: A DST: 1.0.0.0/8 DST: 1.0.0.0/8 Path: B, A C Path: C, A B DST: 1.0.0.0/8 DST: 1.0.0.0/8 Path: D, B, A Path: E, C, A D E

  15. 1.0.0.0/8 A DST: 1.0.0.0/8 DST: 1.0.0.0/8 DST: 1.0.0.0/8 Path: B, A C Path: C, A Path: B, C, A B DST: 1.0.0.0/8 DST: 1.0.0.0/8 DST: 1.0.0.0/8 DST: 1.0.0.0/8 Path: D, B, A Path: D, C, A Path: E, B, A Path: E, C, A D E

  16. 1.0.0.0/8 A DST: 1.0.0.0/8 DST: 1.0.0.0/8 DST: 1.0.0.0/8 Path: B, A C Path: C, A Path: B, C, A B DST: 1.0.0.0/8 DST: 1.0.0.0/8 DST: 1.0.0.0/8 DST: 1.0.0.0/8 Path: D, B, A Path: E, B, A Path: D, C, A Path: E, C, A D E

  17. How does the attacker pick links? How does the attacker direct traffic? UPD PDATE! UPD PDATE! C B E D UPD PDATE! UPD PDATE!

  18. {AB, AC, ABE, ABD} s st ( e ) å å C B ( e ) = C B ( e ) = path st ( e ) A s st s ¹ t Î V s ¹ t Î V 4 8 {CA, CB, CD, CE} CB {BA, BC, BD, BE} BC 2 C B 7 1 7 1 D E {DB, DBA, DBAC, DBE} {EB, EBA, EBAC, EBD}

  19. {AB, AC, ABE, ABD} A 4 8 {CA, CB, CD, CE} {BA, BC, BD, BE} 2 C B 7 1 7 1 D E {DB, DBA, DBAC, DBE} {EB, EBA, EBAC, EBD}

  20. A Sp Spread attack flow lows! s! B C E D

  21. A C B

  22. One e Targe get per er Attack Flow low! A C B

  23. Simulation Overview  Simulator to model network dynamics ▹ Topology generated from the Internet  Routers fully functional BGP speakers  Bot distribution from Waledac  Bandwidth model worst case for attacker

  24. Targeted link: Any link selected for disruption Last mile links: un-targeted links that connect fringe ASes to the rest of the network Transit link: Any link that does not fit the other two 100 90 Percent of failed links 80 70 60 50 40 30 20 10 0 Last mile Targeted Critical

  25. Factors of Normal Load 1.0 0.9 0.8 0.7 0.6 CDF 0.5 0.4 64k Nodes 0.3 125k Nodes 0.2 250k Nodes 0.1 500k Nodes 0.0 0 500 1000 1500 2000 2500 3000 Factors of normal load

  26. 90 th percentile of of message loads experienced by routers under attack 1.0 0.9 0.8 0.7 0.6 CDF 0.5 0.4 64k Nodes 0.3 125k Nodes 0.2 250k Nodes 0.1 500k Nodes 0.0 0 200 400 600 800 1000 1200 1000’s of messages per 5-seconds

  27. Core Routers Update Time 200.0 Average Time to Process 64k bots 180.0 BGP Updates (mins) 125k bots 160.0 250k bots 140.0 500k bots 120.0 100.0 80.0 60.0 40.0 20.0 0.0 0 200 400 600 800 1000 1200 Simulated Time (secs)

  28. Possible Defenses  Short Term Hold ld Tim ime e = Max axIn Int  Long Term Pe Perfect QOS

  29. HoldTime = MaxInt 1.0 0.9 0.8 0.7 0.6 CDF 0.5 0.4 0% 0.3 10% 0.2 25% 0.1 50% 0.0 0 500 1000 1500 2000 Factors of normal load

  30. HoldTime = MaxInt 120.0 Average Time to Process 0% BGP Updates (mins) 100.0 10% 80.0 60.0 40.0 20.0 0.0 0 200 400 600 800 1000 1200 Simulated Time (secs)

  31. Perfect QoS  Needs to guarantee control packets must be sent ▹ Does not guarantee they will be processed due to oversubscription  Recommendation ▹ (Virtually) Separating control and data plane ▹ Sender sides QoS ▹ Receiving nodes must process packets in line speed

  32. Conclusion  Adversarial route flapping on an Internet scale  Implemented using only a modest botnet  Defenses are non-trivial, but incrementally deployable

  33. Future Work (in progress)  Cascaded failure ▹ Router failure modeling  Attacks using remote compromised routers ▹ Targeted Attack: Internet Kill Switch  Router Design for the Future Internet ▹ Software router? 33

  34. BGP Stress Test  Routers placed in certain states fail to provide the functionality they should.  Unexpected but perfectly legal BGP messages can place routers into those states  Any assumptions about the likelyhood of encountering these messages do not apply under adversarial conditions. Peer Pressure: Exerting Malicious Influence on Routers at a Distance, Max Schuchard, Christopher Thompson, Nicholas Hopper and Yongdae Kim, ICDCS 2013

  35. Attacking Neighborhood (Memory)  How many BGP updates needed to consume 1GB memory? About 2,000,000 BGP updates is needed to succeed this attack

  36. Attacking Neighborhood (Memory)  Distinct/long length AS paths and community attribute 300,000 BGP updates is enough for this attack

  37. Attacking Neighborhood (CPU)  Hash collision makes router spend more processing time

  38. Back Pressure

  39. Questions?  Yongdae Kim ▹ email: yongdaek@kaist.ac.kr ▹ Home: http://syssec.kaist.ac.kr/~yongdaek ▹ Facebook: https://www.facebook.com/y0ngdaek ▹ Twitter: https://twitter.com/yongdaek ▹ Google “Yongdae Kim” 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Network Layer: Control Plane Goal: understand principles behind network control plane

Network Layer: Control Plane Goal: understand principles behind network control plane

Network Layer: Control Plane Goal: understand principles behind network control plane traditional (intra-domain) routing algorithms SDN controllers and their instantiation, implementation in the Internet: OSPF, RIP, OpenFlow, ODL

1.31k views • 75 slides
1 Background | Problems | Challenges | Design | Evaluation | Summary Control Plane Applications

1 Background | Problems | Challenges | Design | Evaluation | Summary Control Plane Applications

SPEED Resource-Ef+icient and High-Performance Deployment for Data Plane Programs Xiang Chen , Hongyan Liu, Qun Huang, Peiqiao Wang, Dong Zhang, Haifeng Zhou, Chunming Wu Control Plane Applications Monitor Security Routing Data Plane

826 views • 45 slides
SCION: Control Plane Overview Adrian Perrig Network Security Group, ETH Zrich SCION Control

SCION: Control Plane Overview Adrian Perrig Network Security Group, ETH Zrich SCION Control

SCION: Control Plane Overview Adrian Perrig Network Security Group, ETH Zrich SCION Control Plane Overview Control plane: How to find and distribute end-to-end paths [Chapter 2.1, Chapter 7] Path exploration Path registration

411 views • 22 slides
Network Layer: Control Plane Part II Routing in the Internet: Intra vs. Inter-AS Routing

Network Layer: Control Plane Part II Routing in the Internet: Intra vs. Inter-AS Routing

Network Layer: Control Plane Part II Routing in the Internet: Intra vs. Inter-AS Routing Intra-AS: RIP and OSPF (quick recap) Inter-AS: BGP and Policy Routing Internet Control Message Protocol: ICMP network management

888 views • 61 slides
A TVWS ZigBee Prototype Cognitive Plane Control Plane Application Protocol Plane Customer

A TVWS ZigBee Prototype Cognitive Plane Control Plane Application Protocol Plane Customer

A TVWS ZigBee Prototype Cognitive Plane Control Plane Application Protocol Plane Customer API James Jody Neel Security Propagation benefits ZigBee james.neel@crtwireless.com 32- / 64- / 128-bit encryption Alliance might enable

773 views • 24 slides
Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane Hongil Kim , Jiho

Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane Hongil Kim , Jiho

Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane Hongil Kim , Jiho Lee, Eunkyu Lee, and Yongdae Kim 2019 IEEE Symposium on Security and Privacy LTE communication is everywhere Public safety services Autonomous driving

605 views • 34 slides
Todays Topic This lecture is about control plane of Service(s) & Internet routers

Todays Topic This lecture is about control plane of Service(s) & Internet routers

Lic.(Tech.) Marko Luoma (1/23) Lic.(Tech.) Marko Luoma (2/23) Todays Topic This lecture is about control plane of Service(s) & Internet routers and especially Customers Service Level Agreement S38.180 Palvelunlaatu

238 views • 6 slides
Advanced Systems Security: Control-Flow Integrity Trent Jaeger Systems and Internet

Advanced Systems Security: Control-Flow Integrity Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Control-Flow Integrity Trent

1.55k views • 36 slides
Internet Identity and Access Control Dr Ken Klingenstein, Director, Middleware and Security,

Internet Identity and Access Control Dr Ken Klingenstein, Director, Middleware and Security,

Internet Identity and Access Control Dr Ken Klingenstein, Director, Middleware and Security, Internet2 Topics Whats happening/ impacts See lunch talk The Research Angle Researchers as users Security Researchers New

499 views • 10 slides
The Internet Security Alliance The Internet Security Alliance is a collaborative effort with

The Internet Security Alliance The Internet Security Alliance is a collaborative effort with

The Internet Security Alliance The Internet Security Alliance is a collaborative effort with Carnegie Mellon University. It is a cross-sector, internationally- based trade association devoted to cyber security. ISA has individual corporate

349 views • 30 slides
Network Security Network Security Adolfo Rodriguez CPS 214 Telco/Internet Comparison

Network Security Network Security Adolfo Rodriguez CPS 214 Telco/Internet Comparison

Network Security Network Security Adolfo Rodriguez CPS 214 Telco/Internet Comparison Telco/Internet Comparison Internet Telephone System no central authority central authority end systems in control network in control

1.07k views • 59 slides
mami Plane 1 In the beginning there was ping , and it was good. (still the only

mami Plane 1 In the beginning there was ping , and it was good. (still the only

Platforms and Tools for Internet Measurement: Current and Future Developments Brian Trammell IRTF/ISOC Workshop on Research and Applications of Internet Measurements Yokohama, Japan, 31 October 2015 mami Plane 1 In the beginning

683 views • 32 slides
Pratyaastha: An Efficient Elastic Distributed SDN Control Plane Anand Krishnamurthy, Shoban P.

Pratyaastha: An Efficient Elastic Distributed SDN Control Plane Anand Krishnamurthy, Shoban P.

Pratyaastha: An Efficient Elastic Distributed SDN Control Plane Anand Krishnamurthy, Shoban P. Chandrabose and Aaron Gember-Jackobson 1 Motivation Architecture Evaluation Summary SDN Control Plane Operator goals: 1. Better Performance

364 views • 9 slides
A Case for a Coordinated Video Control Plane Xi Liu, Florin Dobrian, Henry Milner, Junchen

A Case for a Coordinated Video Control Plane Xi Liu, Florin Dobrian, Henry Milner, Junchen

A Case for a Coordinated Video Control Plane Xi Liu, Florin Dobrian, Henry Milner, Junchen Jiang, Vyas Sekar, Ion Stoica , Hui Zhang (Conviva, CMU, Intel, and UC Berkeley) Video Is Dominating the Internet Traffic Netflix traffic alone exceeds

757 views • 46 slides
Performance and Security Evaluation of SDN Networks in OMNeT++/INET Marco Tiloca, Alexandra

Performance and Security Evaluation of SDN Networks in OMNeT++/INET Marco Tiloca, Alexandra

Performance and Security Evaluation of SDN Networks in OMNeT++/INET Marco Tiloca, Alexandra Stagkopoulou, Gianluca Dini Software Defined Networking - Overview Key concepts Separation of Control plane and Data plane Centralized SDN

386 views • 22 slides
Internet congestion control: TCP Internet congestion control: TCP 1988: "Congestion

Internet congestion control: TCP Internet congestion control: TCP 1988: "Congestion

Internet congestion control: TCP Internet congestion control: TCP 1988: "Congestion Avoidance and Control" (Jacobson/Karels) Combined congestion/flow control for TCP Goal: stability - in equilibrum, no packet is sent into the

482 views • 24 slides
Why is Microsoft investing in Functional Programming? Don Syme With thanks to Leon Bambrick,

Why is Microsoft investing in Functional Programming? Don Syme With thanks to Leon Bambrick,

Why is Microsoft investing in Functional Programming? Don Syme With thanks to Leon Bambrick, Chris Smith and the puppies All opinions are those of the author and not necessarily those of Microsoft Simplicity Economics Fun What Investments?

719 views • 45 slides
UNIX michael.fink@uibk.ac.at 2017 Overview History Practicalities User Interface Shell

UNIX michael.fink@uibk.ac.at 2017 Overview History Practicalities User Interface Shell

UNIX michael.fink@uibk.ac.at 2017 Overview History Practicalities User Interface Shell Toolbox Processes Users, Groups File System Development System Cluster Computing UNIX / Linux History 1969 UNIX at Bell Labs (antithesis to

1.4k views • 112 slides
Prr s Prrs

Prr s Prrs

Prr s Prrs tt r t t tr tst

1.84k views • 159 slides
L5 June 14, 2017 1 Lecture 5: Advanced Data Structures CSCI 1360E: Foundations for Informatics

L5 June 14, 2017 1 Lecture 5: Advanced Data Structures CSCI 1360E: Foundations for Informatics

L5 June 14, 2017 1 Lecture 5: Advanced Data Structures CSCI 1360E: Foundations for Informatics and Analytics 1.1 Overview and Objectives Weve covered list, tuples, sets, and dictionaries. These are the foundational data structures in

376 views • 9 slides
The iLab Experience a blended learning hands-on course concept you set the focus Do It Yourself

The iLab Experience a blended learning hands-on course concept you set the focus Do It Yourself

The iLab Experience a blended learning hands-on course concept you set the focus Do It Yourself - Hardware YE - Topic Outline May 29, 2018 10.4. Kick Off, IPv6 1 IPv6 BGP 17.4. 2 Minilab 1 2 mini labs Advanced Wireless Playground BGP

1.64k views • 125 slides
Numerical Python Hans Petter Langtangen Intro to Python programming Simula Research Laboratory

Numerical Python Hans Petter Langtangen Intro to Python programming Simula Research Laboratory

Numerical Python Hans Petter Langtangen Intro to Python programming Simula Research Laboratory Dept. of Informatics, Univ. of Oslo March 2008 Numerical Python p. 1 Intro to Python programming p. 2 Make sure you have the software

816 views • 58 slides
30000BC Palaeolithic peoples in central Europe and France record numbers on bones.

30000BC Palaeolithic peoples in central Europe and France record numbers on bones.

30000BC Palaeolithic peoples in central Europe and France record numbers on bones. 5000BC A decimal number system is in use in Egypt. 4000BC Babylonian and Egyptian calendars in use. 3400BC The first symbols for numbers,

1.12k views • 110 slides
2. Integers std::cout << "Compute a^8 for a = ?"; std::cin >> a; r = a

2. Integers std::cout << "Compute a^8 for a = ?"; std::cin >> a; r = a

Example: power8.cpp int a; // Input int r; // Result 2. Integers std::cout << "Compute a^8 for a = ?"; std::cin >> a; r = a a; // r = a^2 Evaluation of Arithmetic Expressions, Associativity and Precedence, r = r

430 views • 13 slides

More recommend