withdrawing the bgp re routing curtain
play

Withdrawing the BGP Re-Routing Curtain Understanding the Security - PowerPoint PPT Presentation

May 06, 2023 •543 likes •1.25k views

Withdrawing the BGP Re-Routing Curtain Understanding the Security Impact of BGP Poisoning via Real-World Measurements Jared M . Smith , Kyle Birkeland, Tyler McDaniel, Max Schuchard University of Tennessee, Knoxville volsec.org Internet

  1. Withdrawing the BGP Re-Routing Curtain Understanding the Security Impact of BGP Poisoning via Real-World Measurements Jared M . Smith , Kyle Birkeland, Tyler McDaniel, Max Schuchard University of Tennessee, Knoxville volsec.org

  5. Internet Routing: Theory into Practice • Security systems assume how complex infrastructures like the Internet work Claim: “Protocol implies X works, so X must work in practice” • • Methodology: “Inference and passive measurement are enough” • Assumption: “Common logic suggests X does not work, so X must not work” • Our goal: To understand how real-world Internet routing behavior impacts published security literature Actively measure the ability conduct BGP poisoning • Re-evaluate systems measured only in simulation, passively, or with inferences • • Examine if common logic about the Internet holds

  6. The Internet

  7. Autonomous Systems (AS) L3 UTenn AT&T Georgia Tech Hurricane Electric

  8. BGP Advertisement: Border Dest: 1.2.3.0/17 Advertisement: Gateway Path: A Dest: 1.2.3.0/17 Protocol Path: C, A A C D B Advertisement: Advertisement: Dest: 1.2.3.0/17 Dest: 1.2.3.0/17 Path: D, C, A Path: B, A

  9. Inbound Path Manipulation • Mechanisms give hints for which inbound path to take • Example: Multi-Exit Discriminator (MED) • We can use side-effects of protocol-compliant behavior • Example: BGP Poisoning

  10. BGP Poisoning Prefer 2 over 4 AS 2 AS 3 AS 1 But, I’d rather get AS 4 my traffic via 4

  11. BGP Poisoning Prefer 2 over 4 AS 2 AS Path: 1, 2, 1 AS 3 AS 1 AS 4

  12. BGP Poisoning LOOP! *dropping* Prefer 2 over 4 AS 2 AS Path: 1, 2, 1 AS 3 AS 1 AS 4 AS Path: 4, 1, 2, 1

  13. BGP Poisoning LOOP! *dropping* Prefer 2 over 4 AS 2 AS Path: 1, 2, 1 AS 3 AS 1 AS 4 AS Path: 4, 1, 2, 1

  14. BGP Poisoning LOOP! *dropping* Now, I can only use 4 AS 2 AS Path: 1, 2, 1 AS 3 AS 1 AS 4 AS Path: 4, 1, 2, 1

  15. Nyx: Routing Around Congestion Distributed Botnet … DDoS Victim AS … Victim’s Critical AS Alternate path exists!

  16. Nyx: Routing Around Congestion Distributed Botnet … DDoS Victim AS … Victim’s Critical AS Critical AS now using alternate path

  17. Relevant Security Literature Nyx (DDoS Defense – S&P 2018) • RAD (Censorship Circ. – CCS 2012) • Waterfall of Liberty (Censorship Circ. – CCS 2017) • • On Feasibility of Re-Routing (Examination of Nyx - S&P 2019) • …

  18. Diverging Claims Nyx mitigate DDoS by relying on BGP poisoning to re-route inbound traffic Waterfall of Liberty explicitly assumes inbound traffic is challenging to re-route

  19. Diverging Claims Nyx mitigate DDoS by relying on BGP Nyx and Waterfall of Liberty are poisoning to re-route inbound traffic built on polar opposite assumptions , but not tested on the live Internet Waterfall of Liberty explicitly assumes inbound traffic is challenging to re-route

  20. All of this literature makes assumptions about how BGP poisoning works… In reality, problems may occur… • An AS might realize its not actually on the path • An AS might realize we’re lying about the path • An AS might think the path looks anomalous

  21. “Here be dragons”

  22. Internet Topology

  23. Sending BGP Advertisements API Call BGP Advertisement

  24. Collecting BGP Updates Real-Time BGP Updates RIPE RIS/RouteViews Collector BGP Advertisement API Call

  25. Sending Traceroutes API Call Original Traceroute

  26. Infrastructure Details Traceroutes BGP Updates BGP Advertisements 32 collectors 14 PoPs, 3 countries 5,000 vantage points Automated experiment software: https://github.com/volsec/active-bgp-measurement

  27. It’s free! You can use this infrastructure!

  28. Infrastructure Details Traceroutes BGP Updates BGP Advertisements free, application free free Open Source: https://github.com/volsec/active-bgp-measurement

  29. Experimental Ethics • Announced to and engaged with network operators • No production traffic affected • Minimal traffic sent along re-routed paths (< 1 Kbps) • Normal BGP announcements (no malformed) • Conformed to ISP filtering policies

  30. All Experiments 1. Ability to re-route across entire original AS-path 2. Performance of original versus new paths 3. Real-world comparison with prior simulations 4. Predicting who can re-route w/ BGP poisoning 5. Propagating long poisoned paths 6. Filtering of certain poisoned ASes 7. Filtering of long poisoned paths 8. Routing Working Groups behavior 9. Default route prevalence 10. Reachability of /25’s

  31. How well can an AS re-route with poisoning? API Call Poisoned AS Poisoned Advertisement

  32. How well can an AS re-route with poisoning? Success! New Path API Call Poisoned AS Original Traceroute

  33. How well can an AS re-route with poisoning? Failure

  34. How well can an AS re-route with poisoning? Failure

  35. High-Level Findings 1,460/1,888 (77%) 6.45 successful cases of poisoning avg. new ASes discovered 2.03 for 6.45 2.25 avg. poisons needed/avg. new ASes avg. new paths discovered

  37. Security Implications • Real-world evidence supports poisoning-enabled systems • Security systems need to account for poisoning • Success in simulation does not guarantee success in the real-world

  38. Are alternate routes slower?

  40. Security Implications • Common logic suggests Internet paths not used by default would be less favorable • Impacts the likelihood of operators deploying systems like Nyx

  41. Are long paths filtered? Baseline: 2 collectors saw path 3450

  42. Are long paths filtered? Long Path: 1/2 collectors saw path (50%) Too long, dropping path! 3450, 3450, 3450, 3450, 3450 …

  44. Security Implications • Maximum AS path length of 255 needs to be accounted for in poisoning-enabled systems • Network operator groups also claim they filter anomalous paths

  45. Does the size of the poisoned AS affect filtering? 6 2 AS of Degree x x

  47. Security Implications • Common logic suggests operators may filter weird behavior • Filtering poisoned ASes that run the Internet à seems intuitive • Not filtering poisoned ASes that you do not often see in advertisements à also seems intuitive

  48. Diverging Claims Nyx mitigate DDoS by relying on BGP poisoning to re-route inbound traffic Waterfall of Liberty explicitly assumes inbound traffic is challenging to re-route

  49. Diverging Claims Nyx mitigate DDoS by relying on BGP poisoning to re-route inbound traffic Yet, Nyx and Waterfall of Liberty can both work in practice . Waterfall of Liberty explicitly assumes inbound traffic is challenging to re-route

  50. We should publish and disseminate our work after we have tested our assumptions in the same environment where we intend to deploy our work.

  51. Conclusion BGP poisoning works in most cases • • Systems which assume the opposite can still deploy in areas where poisoning is harder • Common logic of Internet behavior is Jared M. Smith not always accurate Twitter: jaredthecoder All Internet security research should be • actively tested on the Internet if Email: jms@vols.utk.edu the research targets the Internet for Web: volsec.org deployment

  52. BACKUP

  53. RPKI During Poisoning

  55. Infrastructure Numbers Infrastructure Source 5 BGP routers PEERING and UT 8 IP prefixes PEERING and UT 5,000+ distinct vantage points RIPE ATLAS 3 countries US, Amsterdam, Brazil 32 BGP collectors CAIDA BGPStream* *Collects BGP Updates from RouteViews and RIPE RIS

  56. How feasible is re-routing with BGP poisoning? In practice, possible to re- route onto ~2.5 new alternate paths on average

  59. Graph-Theoretic Analysis of Return Paths • Low min. cut means • Tier 1 ASes with inf. weight à • Avg. Betweenness of 0.667 bottlenecks that Nyx/RAD bottlenecks not result of single • Paths are not completely identical cannot avoid unavoidable provider • There is some diversity, but • For 90% of links, a bottleneck • Within unweighted min cut à bottlenecks exist of at most 2 links occurs widely differing barriers to cut based on bandwidth

  60. How well can we predict success with FRRP?

  61. What link and AS properties are important for FRRP?

  62. A Deeper Look at the Most Important Feature Poisoning AS Next-Hop AS Rank High Rank Matters

  63. How long can (poisoned) paths be? Propagation to 99% of the Internet at 250 AS- path length

  64. How much do large ASes filter poisoned paths? Large window

  65. How much do small ASes filter poisoned paths? Small window

  66. Do the Policy Leaders “ Walk the Walk ”? “Mutually Agreed Norms for Routing Security” Selected Participants (total=146): CenturyLink • • Charter Cogent • • Google • Indiana U. … •

  67. Does AS-Degree of the Poisoned AS affect Filtering? Origin AS HighDegree AS Origin AS …(in increments of 5)… Origin AS SmallDegree AS Origin AS

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

9/7/2017 Behind the Curtain of an IME Behind the Curtain of an IME Dan Gerstenblitt, MD-MPH

9/7/2017 Behind the Curtain of an IME Behind the Curtain of an IME Dan Gerstenblitt, MD-MPH

9/7/2017 Behind the Curtain of an IME Behind the Curtain of an IME Dan Gerstenblitt, MD-MPH Occupational Medicine Internal Medicine 9/14/17 ACOEM Position Statement--6/2017 60 to 80% of lost work days attributed to medical conditions in

553 views • 13 slides
Withholding and Withdrawing Treatment Presentation by Diane Coleman Disability Rights

Withholding and Withdrawing Treatment Presentation by Diane Coleman Disability Rights

Withholding and Withdrawing Treatment Presentation by Diane Coleman Disability Rights Leadership Institute on Bioethics April 25-26, 2014 Arlington, Virginia [Slide 1] Withholding and Withdrawing Treatment

541 views • 10 slides
CURTAIN WALL OPTIONS UNITIZED CURTAIN WALL Is a type of frame-supporting curtain wall consisting

CURTAIN WALL OPTIONS UNITIZED CURTAIN WALL Is a type of frame-supporting curtain wall consisting

CURTAIN WALL OPTIONS UNITIZED CURTAIN WALL Is a type of frame-supporting curtain wall consisting of framing components and panel materials. Such framing components and panel materials are assembled into a single curtain wall unit at the

671 views • 8 slides
CURTAIN WALL OPTIONS UNITIZED CURTAIN WALL Is a type of frame-supporting curtain wall consisting

CURTAIN WALL OPTIONS UNITIZED CURTAIN WALL Is a type of frame-supporting curtain wall consisting

CURTAIN WALL OPTIONS UNITIZED CURTAIN WALL Is a type of frame-supporting curtain wall consisting of framing components and panel materials. Such framing components and panel materials are assembled into a single curtain wall unit at the

413 views • 12 slides
Potential Costs of Withdrawing from NAFTA E. Anthony Wayne Career Ambassador (ret.) and Raquel

Potential Costs of Withdrawing from NAFTA E. Anthony Wayne Career Ambassador (ret.) and Raquel

Potential Costs of Withdrawing from NAFTA E. Anthony Wayne Career Ambassador (ret.) and Raquel Chuayffet Wilson Center wayneea@gmail.com @EAnthonyWayne 1/31/18 Potential Costs of Withdrawing from NAFTA: Net Job Losses STUDY IMPACT ON

84 views • 7 slides
Wheeling, WV Numbers } 157 babies born exposed or withdrawing 2013 } 270 babies born exposed or

Wheeling, WV Numbers } 157 babies born exposed or withdrawing 2013 } 270 babies born exposed or

Wheeling, WV Numbers } 157 babies born exposed or withdrawing 2013 } 270 babies born exposed or withdrawing 2014 } 280 babies born exposed or withdrawing 2015 so far 2013: Our Model 2014: Increasing Community Problem } Increasing

194 views • 16 slides
The Origins of the Cold War The Iron Curtain Winston Churchill gave the Map of the Iron Iron

The Origins of the Cold War The Iron Curtain Winston Churchill gave the Map of the Iron Iron

The Origins of the Cold War The Iron Curtain Winston Churchill gave the Map of the Iron Iron Curtain speech in 1946 Curtain The Truman Doctrine, 1947 President Truman outlined the Truman Doctrine to a joint session of Congress in March of

310 views • 6 slides
Behind the curtain: How technical analysis shapes and is shaped by the political process

Behind the curtain: How technical analysis shapes and is shaped by the political process

Behind the curtain: How technical analysis shapes and is shaped by the political process University of Toronto Transportation Research Institute Oct 11, 2019 Daniel Haufschild, Arup Charles Hwang, Arup Behind the curtain: How technical

214 views • 20 slides
4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has

4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has

4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has columns for the destination network (or hosts) with the corresponding cost and the next router address to reach a destination. Additional

1.08k views • 84 slides
Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing

Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing

Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing [Kleinberg04] J. Kleinberg, A. Slivkins, T. Wexler. Triangulation and Embedding using Small Sets of Beacons. Proc. 45th IEEE Symposium on Foundations of

450 views • 32 slides
Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing

Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing

Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing forwarding: to select an output port based on destination address and routing table routing: process by which routing table is built

543 views • 13 slides
1 Routing Table Routing Table Destination network Next router

1 Routing Table Routing Table Destination network Next router

Lecture 12. Lecture 12. Introduction to Introduction to IP Routing IP Routing Giuseppe Bianchi Why introduction? Why introduction? Routing: very complex issue need in-depth study entire books on routing our scope: give a

552 views • 19 slides
Fasting: Voluntarily withdrawing from food and/or drink, or other fleshly appetites, for a

Fasting: Voluntarily withdrawing from food and/or drink, or other fleshly appetites, for a

Fasting: Voluntarily withdrawing from food and/or drink, or other fleshly appetites, for a specified period of time. Fasting is refraining from food (or it could be certain pleasures or practices) for a spiritual purpose. Fasting is

514 views • 35 slides
Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local

Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local

Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local forwarding table header value output link in the Internet 0100 3 0101 2 0111 2 1001 1 value in arriving packets header 1 0111 2 3

403 views • 8 slides
Ad Hoc Wireless Routing CS 218- Fall 2003 Wireless multihop routing challenges Review of

Ad Hoc Wireless Routing CS 218- Fall 2003 Wireless multihop routing challenges Review of

Ad Hoc Wireless Routing CS 218- Fall 2003 Wireless multihop routing challenges Review of conventional routing schemes Proactive wireless routing Hierarchical routing Reactive (on demand) wireless routing Geographic routing

893 views • 60 slides
Routing Algebras What are routing algebras? Created to study properties of routing protocols

Routing Algebras What are routing algebras? Created to study properties of routing protocols

Routing Algebras What are routing algebras? Created to study properties of routing protocols Does the routing protocol converge? Does the routing protocol compute optimal paths? Separates the routing data &amp; algorithm Data

326 views • 11 slides
Webinar Agenda Getting started: receiving funds and before-project planning Resources

Webinar Agenda Getting started: receiving funds and before-project planning Resources

Webinar Agenda Getting started: receiving funds and before-project planning Resources available and how to access them Tracking and reporting your projects impact Questions 2017 Healthy Eyes Healthy Children Grants 14 Awards

471 views • 24 slides
The Allocation of Talent and U.S. Economic Growth Chang-Tai Hsieh Erik Hurst Chad Jones Pete

The Allocation of Talent and U.S. Economic Growth Chang-Tai Hsieh Erik Hurst Chad Jones Pete

The Allocation of Talent and U.S. Economic Growth Chang-Tai Hsieh Erik Hurst Chad Jones Pete Klenow April 2014 Big changes in the occupational distribution White Men in 1960: 94% of Doctors, 96% of Lawyers, and 86% of Managers White Men in

583 views • 56 slides
Contact Lens Aftercare The Missed Opportunity Written by Gurraj Jabbal and Neil Retallic

Contact Lens Aftercare The Missed Opportunity Written by Gurraj Jabbal and Neil Retallic

Contact Lens Aftercare The Missed Opportunity Written by Gurraj Jabbal and Neil Retallic Learning objectives Understands the importance of record keeping in contact lens wear and understands the minimum data set that should be recorded in

576 views • 38 slides
GGOB Basics // Critical Number Heather Reinkemeyer Darin Bridges Crew &amp; Community Relations

GGOB Basics // Critical Number Heather Reinkemeyer Darin Bridges Crew &amp; Community Relations

GGOB Basics // Critical Number Heather Reinkemeyer Darin Bridges Crew &amp; Community Relations Manager Vice President GGOB Internal Coach The Great Game of Business Vital Farms Springfield, MO Springfield, MO Agenda Introductions

827 views • 44 slides
Health Department and Health Center Collaborations to Im Improve Tuberculosis Screening, g,

Health Department and Health Center Collaborations to Im Improve Tuberculosis Screening, g,

Health Department and Health Center Collaborations to Im Improve Tuberculosis Screening, g, Testing, g, Treatment, , and Care August 26, , 2019 The webinar will begin at 2:00 PM ET. Logistics This webinar is being recorded and the

342 views • 20 slides
COVID-19 Update Executive Vice President, UC Health July 31, 2020 UC Health by the Numbers 19

COVID-19 Update Executive Vice President, UC Health July 31, 2020 UC Health by the Numbers 19

UC Health COVID-19 Response and Recovery Carrie L. Byington, MD COVID-19 Update Executive Vice President, UC Health July 31, 2020 UC Health by the Numbers 19 health professional schools (6 med schools, 2 dentistry, 4 nursing, 1 optometry, 2

439 views • 40 slides
EMS for Children: Improving the lives of all Children Elizabeth A. Edgerton, MD, MPH, FAAP

EMS for Children: Improving the lives of all Children Elizabeth A. Edgerton, MD, MPH, FAAP

EMS for Children: Improving the lives of all Children Elizabeth A. Edgerton, MD, MPH, FAAP Director, Division of Child, Adolescent and Family Health Maternal Child Health Bureau Health Resources and Services Administration Department of

452 views • 29 slides
Quality Payment Program Year 4: Final Rule Highlights The information contained in this

Quality Payment Program Year 4: Final Rule Highlights The information contained in this

Quality Payment Program Year 4: Final Rule Highlights The information contained in this presentation is for general information purposes only. The information is provided by UK HealthCares Kentucky Regional Extension Center and while we

616 views • 33 slides

More recommend