security mechanisms
play

Security Mechanisms Rahul Hiran , Niklas Carlsson, Nahid Shahmehri - PowerPoint PPT Presentation

Mar 07, 2023 •302 likes •894 views

Does Scale, Size, and Locality Matter? Evaluation of Collaborative BGP Security Mechanisms Rahul Hiran , Niklas Carlsson, Nahid Shahmehri Linkping University, Sweden 1 Routing attacks increasingly common Each day there are large numbers of

  1. Does Scale, Size, and Locality Matter? Evaluation of Collaborative BGP Security Mechanisms Rahul Hiran , Niklas Carlsson, Nahid Shahmehri Linköping University, Sweden 1

  2. Routing attacks increasingly common Each day there are large numbers of bogus route announcements - e.g., cidr-report.org Among these we have seen many serious attacks ... 2

  3. Routing attacks increasingly common Each day there are large numbers of bogus route announcements - e.g., cidr-report.org Among these we have seen many serious attacks ... 3

  4. Routing attacks increasingly common • List of Bogus route announcements as listed on www.cidr- report.org. Each day there are large numbers of bogus route announcements - e.g., cidr-report.org Among these we have seen many serious attacks ... 4

  5. Routing attacks increasingly common • List of Bogus route announcements as listed on www.cidr- report.org. Each day there are large numbers of bogus route announcements - e.g., cidr-report.org Among these we have seen many serious attacks ... 5

  6. Routing attacks increasingly common • List of Bogus route announcements as listed on www.cidr- report.org. Each day there are large numbers of bogus route announcements - e.g., cidr-report.org Among these we have seen many serious attacks ... 6

  7. BGP refresher AS 7

  8. BGP refresher AS 22394 AS 7

  9. BGP refresher AS 22394 AS 66.174.0.0/16 7

  10. BGP refresher ISP 1 Level 3 Verizon Wireless AS 22394 66.174.0.0/16 8

  11. BGP refresher ISP 1 Level 3 Verizon Wireless 22394 66.174.0.0/16 Normal operation: • AS 22394 Origin AS announces prefix • Route announcements propagate between ASes • Helps ASes learn about “good” paths to reach prefix 66.174.0.0/16 8

  12. BGP refresher ISP 1 VZW, 22394 66.174.0.0/16 Level 3 Verizon Wireless 22394 66.174.0.0/16 Normal operation: • AS 22394 Origin AS announces prefix • Route announcements propagate between ASes • Helps ASes learn about “good” paths to reach prefix 66.174.0.0/16 8

  13. BGP refresher Level3, VZW, 22394 66.174.0.0/16 ISP 1 VZW, 22394 66.174.0.0/16 Level 3 Verizon Wireless 22394 66.174.0.0/16 Normal operation: • AS 22394 Origin AS announces prefix • Route announcements propagate between ASes • Helps ASes learn about “good” paths to reach prefix 66.174.0.0/16 8

  14. BGP refresher Level3, VZW, 22394 66.174.0.0/16 ISP 1 VZW, 22394 66.174.0.0/16 Level 3 Verizon Wireless 22394 66.174.0.0/16 Normal operation: • AS 22394 Origin AS announces prefix • Route announcements propagate between ASes • Helps ASes learn about “good” paths to reach prefix 66.174.0.0/16 12

  15. BGP refresher Level3, VZW, 22394 66.174.0.0/16 ISP 1 Level 3 Verizon Wireless AS 22394 66.174.0.0/16 12

  16. BGP refresher Level3, VZW, 22394 66.174.0.0/16 ISP 1 Level 3 Verizon Attacker Wireless AS 22394 66.174.0.0/16 12

  17. Prefix hijack attack Level3, VZW, 22394 66.174.0.0/16 ISP 1 Level 3 Verizon Attacker Wireless AS 22394 66.174.0.0/16 13

  18. Prefix hijack attack Level3, VZW, 22394 Attacker 66.174.0.0/16 66.174.0.0/ 16 ISP 1 Level 3 Verizon Attacker Wireless AS 22394 66.174.0.0/16 13

  19. Prefix hijack attack Level3, VZW, 22394 Attacker 66.174.0.0/16 66.174.0.0/ 16 ISP 1 Level 3 Verizon Attacker Wireless AS relationships: AS 22394 • Customer-provider • Peer-peer 66.174.0.0/16 13

  20. Prefix hijack attack Customer path? ? Level3, VZW, 22394 Attacker 66.174.0.0/16 66.174.0.0/ 16 ISP 1 Level 3 Verizon Attacker Wireless AS relationships: AS 22394 • Customer-provider • Peer-peer 66.174.0.0/16 14

  21. Prefix hijack attack Level3, VZW, 22394 Attacker 66.174.0.0/16 66.174.0.0/ 16 ISP 1 Level 3 Verizon Attacker Wireless AS 22394 66.174.0.0/16 15

  22. Prefix hijack attack Attacker path is shorter ? Level3, VZW, 22394 Attacker 66.174.0.0/16 66.174.0.0/ 16 ISP 1 Level 3 Verizon Attacker Wireless AS 22394 66.174.0.0/16 15

  23. Subprefix hijack attack Level3, VZW, 22394 Attacker 66.174.0.0/16 66.174.161.0/ 24 ISP 1 Level 3 Verizon Attacker Wireless AS 22394 66.174.0.0/16 16

  24. Subprefix hijack attack Attacker prefix is more specific ? Level3, VZW, 22394 Attacker 66.174.0.0/16 66.174.161.0/ 24 ISP 1 Level 3 Verizon Attacker Wireless AS 22394 66.174.0.0/16 16

  25. Imposture attack Level3, VZW, 22394 Attacker 66.174.0.0/16 66.174.161.0/ 24 ISP 1 Level 3 Verizon Attacker Wireless AS 22394 66.174.0.0/16 17

  26. Interception attack Level3, VZW, 22394 Attacker 66.174.0.0/16 66.174.161.0/ 24 ISP 1 Level 3 Verizon Attacker Wireless AS 22394 66.174.0.0/16 18

  27. Interception attack Level3, VZW, 22394 Attacker 66.174.0.0/16 66.174.161.0/ 24 ISP 1 Level 3 Verizon Attacker Wireless AS 22394 66.174.0.0/16 18

  28. Examples of systems to secure BGP Information Prefix Subprefix Interception Imposture Example shared hijack hijack solutions Prefix origin Route (Hijack filtering, prevention) RPKI, ROVER Route path PHAS, updates PrefiSec, (Hijack PG/BGP detection) Passive CrowdSec measurements Active Zheng at. al., measurements PrefiSec 19

  29. Security gain when large ASes collaborate 20

  30. Security gain when large ASes collaborate • Several ASes with few large size AS gives good security • Locality aspects often not considered 20

  31. AS Relationship issues • In October, 2010, Sprint severed its connection with Cogent • These two ASes had issues with peering relationship that allowed them to exchange traffic at no cost • ASes do not agree with each other 22

  32. AS Relationship issues • In October, 2010, Sprint severed its connection with Cogent • These two ASes had issues with peering relationship that allowed them to exchange traffic at no cost • ASes do not agree with each other 22

  33. AS Relationship issues • In October, 2010, Sprint severed its connection with Cogent • These two ASes had issues with peering relationship that allowed them to exchange traffic at no cost • ASes do not agree with each other • Global collaboration not practical • Collaboration among networks within same region plausible, for example, through legislation 22

  34. Research questions • How are attack prevention/detection rates affected – When location of participant ASes is considered? – When size of participant ASes is considered? – When number of ASes participating in the collaboration is considered? • In the context of last two questions, we consider the locality aspects 23

  35. Research questions • How are attack prevention/detection rates affected – When location of participant ASes is Vs considered? – When size of participant ASes is considered? – When number of ASes participating in the collaboration is considered? • In the context of last two questions, we consider the locality aspects 23

  36. Research questions • How are attack prevention/detection rates affected – When location of participant ASes is Vs considered? – When size of participant ASes is considered? Vs – When number of ASes participating in the collaboration is considered? • In the context of last two questions, we consider the locality aspects 23

  37. Research questions • How are attack prevention/detection rates affected – When location of participant ASes is Vs considered? – When size of participant ASes is considered? Vs – When number of ASes participating in the collaboration is considered? • In the context of last two questions, Vs we consider the locality aspects 23

  38. Contributions • Systematic data-driven evaluation • Using real world topologies and routing information we evaluate the impact of: – Locality – Scale – Size • The research questions are evaluated for three different techniques that are based on sharing – Prefix origin – Route path updates – Passively collected RTT 24

  39. Examples of systems to secure BGP Information Prefix Subprefix Interception Imposture Example shared hijack hijack solutions Prefix origin Route filtering, RPKI, ROVER Route path PHAS, updates PrefiSec, PG/BGP Passive CrowdSec measurements Active Zheng at. al., measurements PrefiSec 25

  40. Examples of systems to secure BGP Information Prefix Subprefix Interception Imposture Example shared hijack hijack solutions Prefix origin Route filtering, RPKI, ROVER Route path PHAS, updates PrefiSec, PG/BGP Passive CrowdSec measurements Active Zheng at. al., measurements PrefiSec 25

  41. Contributions • Systematic data-driven evaluation • Using real world topologies and routing information we evaluate the impact of: – Locality – Scale – Size • The research questions are evaluated for three different techniques that share: – Prefix origin  hijack prevention mechanisms – Route path updates  hijack detection mechanisms – Passively collected RTT 26

  42. Hijack prevention technique evaluation • Simulation based evaluation • Simulate route propagation using standard routing policy used over the Internet • Modified and used BSIM tool • AS-level topology and AS relationship information that has 51,507 ASes and 199,540 relationships 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Different aspects of security User authentication Protection mechanisms

Security Overview Different aspects of security User authentication Protection mechanisms

CS399 New Beginnings Jonathan Walpole Security Overview Different aspects of security User authentication Protection mechanisms Attacks: - trojan horses, spoofing, logic bombs, trap doors, buffer overflow attacks, viruses, worms, mobile

825 views • 59 slides
Introduction to Security Attacks Services Mechanisms CSS441: Security and Cryptography

Introduction to Security Attacks Services Mechanisms CSS441: Security and Cryptography

CSS441 Introduction Concepts Architecture Introduction to Security Attacks Services Mechanisms CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

678 views • 23 slides
Survey on Security Threats and Protection Mechanisms in Embedded Automotive Networks Ivan

Survey on Security Threats and Protection Mechanisms in Embedded Automotive Networks Ivan

The Automotive Network Threats Protection mechanisms Conclusion Survey on Security Threats and Protection Mechanisms in Embedded Automotive Networks Ivan Studnia Vincent Nicomette Eric Alata Yves Deswarte Mohamed Ka aniche Renault

752 views • 40 slides
SCADA deep inside: protocols and security mechanisms Aleksandr Timorin

SCADA deep inside: protocols and security mechanisms Aleksandr Timorin

SCADA deep inside: protocols and security mechanisms Aleksandr Timorin 05|06|07 September 2014 # whoami penetration tester at Positive Technologies SCADA security researcher, main specialisation -

1.03k views • 81 slides
Security Assessment of Authentication and Authorization Mechanisms in Ethereum, Quorum,

Security Assessment of Authentication and Authorization Mechanisms in Ethereum, Quorum,

Security Assessment of Authentication and Authorization Mechanisms in Ethereum, Quorum, Hyperledger Fabric and Corda Marie-Jeanne Lagarde, Master's thesis 2018-2019 Agenda Introduction Motivation 1. Scope 2. Research Questions 3.

467 views • 35 slides
Experimentation with network-based security mechanisms GENI Security Workshop UC Davis G.

Experimentation with network-based security mechanisms GENI Security Workshop UC Davis G.

Experimentation with network-based security mechanisms GENI Security Workshop UC Davis G. Kesidis January 22-23, 2009 EE and CSE Depts Penn State kesidis@engr.psu.edu . George Kesidis, Penn State University GENI Security Workshop 01/22/09

277 views • 12 slides
Bunshin: Compositing Security Mechanisms through Diversification Meng Xu, Kangjie Lu, Taesoo Kim,

Bunshin: Compositing Security Mechanisms through Diversification Meng Xu, Kangjie Lu, Taesoo Kim,

Bunshin: Compositing Security Mechanisms through Diversification Meng Xu, Kangjie Lu, Taesoo Kim, Wenke Lee Georgia Institute of Technology 1 Memory Corruptions Are Costly 2 3 4 Name your phone Nexus 5X %x.%x 5 Battle against

698 views • 56 slides
Presentations Evaluating the Effectiveness of Security Mechanisms at Scale David Nicol

Presentations Evaluating the Effectiveness of Security Mechanisms at Scale David Nicol

Trustworthy Cyber Infrastructure for the Power Grid Presentations Evaluating the Effectiveness of Security Mechanisms at Scale David Nicol University of Illinois Dartmouth College Cornell University Washington State

335 views • 7 slides
Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography and system mechanisms meet They allow trust to be taken from where it exists to where it s needed But they are

941 views • 67 slides
CS-527 Software Security Defense Mechanisms Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Defense Mechanisms Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Defense Mechanisms Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 A model for Control-Flow Hijack attacks

673 views • 41 slides
I know what you did last summer: New persistent tracking mechanisms in the wild Stefano Belloro

I know what you did last summer: New persistent tracking mechanisms in the wild Stefano Belloro

I know what you did last summer: New persistent tracking mechanisms in the wild Stefano Belloro & Dr Alexios Mylonas $whoami Currently: Lecturer, Cyber Security @BU Previously: PhD in Cyber Security & BSc @AUEB MSc

576 views • 31 slides
Chapter7. Security 7.1 Introduction 7.2 Overview of security techniques 7.3 Cryptographic

Chapter7. Security 7.1 Introduction 7.2 Overview of security techniques 7.3 Cryptographic

Chapter7. Security 7.1 Introduction 7.2 Overview of security techniques 7.3 Cryptographic algorithms 7.4 Digital signatures 7.5 Cryptography pragmatics 7.1. Introduction Why need security mechanisms in DS? Share of resources

364 views • 24 slides
Software Security Ge Zhang Security: When is it software problem Network Problem: caused by

Software Security Ge Zhang Security: When is it software problem Network Problem: caused by

Software Security Ge Zhang Security: When is it software problem Network Problem: caused by the flaws in networking mechanisms such as network protocols. OS Problem: caused by the flaws in OS mechanisms such OS resource management

976 views • 64 slides
Naiad James Thomas Goals High-throughput batch processing Low-latency processing

Naiad James Thomas Goals High-throughput batch processing Low-latency processing

Naiad James Thomas Goals High-throughput batch processing Low-latency processing Iterative computation with streaming updates (novel contribution) For 100% in-memory workloads Novel Application, CIDR 2013 paper

423 views • 13 slides
The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich,

The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich,

The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich, Ph.D. jullrich@sans.edu 1 Housekeeping This presentation consists of slides and audio. If you are experiencing any problems/ issues,

1.12k views • 56 slides
Capturing the Laws of (Data) Nature Hannes Mhleisen, Martin Kersten & Stefan Manegold

Capturing the Laws of (Data) Nature Hannes Mhleisen, Martin Kersten & Stefan Manegold

Capturing the Laws of (Data) Nature Hannes Mhleisen, Martin Kersten & Stefan Manegold CIDR 2015 Statistical Model Fitting & DB? User gave me a model, lets see. I am storing some data. I need some of the observations to fit

464 views • 24 slides
? packets (example: packet voice). It is better to provide degraded service to everyone than

? packets (example: packet voice). It is better to provide degraded service to everyone than

Process Layer Process Process CSCE 515: Computer Network Transport Layer TCP UDP Programming ------ IP routing ICMP, ARP Network Layer IP & Wenyuan Xu RARP Department of Computer Science and Engineering University of South

472 views • 5 slides
IP Routing 12 May, 2002 1 Subnetting: Subnet Addressing

IP Routing 12 May, 2002 1 Subnetting: Subnet Addressing

IP Routing 12 May, 2002 1 Subnetting: Subnet Addressing

346 views • 8 slides
CSE 461 FINAL EXAM REVIEW HELP YOURSELF TO SNACKS FINAL OVERVIEW Online final (through

CSE 461 FINAL EXAM REVIEW HELP YOURSELF TO SNACKS FINAL OVERVIEW Online final (through

CSE 461 FINAL EXAM REVIEW HELP YOURSELF TO SNACKS FINAL OVERVIEW Online final (through Catalyst) Starts Friday, late night Due by Monday, 5:00PM (hard deadline) Open book, open notes, open internet, but not open people

803 views • 51 slides
CS 3700 Networks and Distributed Systems Network Layer (Putting the Net in Internet) Revised

CS 3700 Networks and Distributed Systems Network Layer (Putting the Net in Internet) Revised

CS 3700 Networks and Distributed Systems Network Layer (Putting the Net in Internet) Revised 10/3/19 Network Layer 2 Function: Route packets end-to-end on a Application network, through multiple hops Key challenge:

2.19k views • 172 slides
IP Addressing and Routing 1 Basic IP Addressing Each host connected to the Internet is

IP Addressing and Routing 1 Basic IP Addressing Each host connected to the Internet is

IP Addressing and Routing 1 Basic IP Addressing Each host connected to the Internet is identified by a unique IP address. An IP address is a 32-bit quantity. Expressed as a dotted-decimal notation W.X.Y.Z. Consists of two

486 views • 23 slides

More recommend