How Secure are Secure Interdomain Routing Protocols?

Transcription

1 How Secure are Secure Interdoain Routing Protocols? Full ersion fro June 2, 2 Sharon Goldberg Microsoft Research Michael Schapira Yale & UC Berkeley Peter Huon AT&T Labs Jennifer Rexford Princeton ABSTRACT In response to high-profile Internet outages, BGP security ariants hae been proposed to preent the propagation of bogus routing inforation. To infor discussions of which ariant should be deployed in the Internet, we quantify the ability of the ain protocols (origin authentication, sobgp, S-BGP, and data-plane erification) to blunt traffic-attraction attacks; i.e., an attacker that deliberately attracts traffic to drop, taper, or eaesdrop on packets. Intuition suggests that an attacker can axiize the traffic he attracts by widely announcing a short path that is not flagged as bogus by the secure protocol. Through siulations on an epirically-deterined AS-leel topology, we show that this strategy is surprisingly effectie, een when the network uses an adanced security solution like S-BGP or data-plane erification. Worse yet, we show that these results underestiate the seerity of attacks. We proe that finding the ost daaging strategy is NP-hard, and show how counterintuitie strategies, like announcing longer paths, announcing to fewer neighbors, or triggering BGP loop-detection, can be used to attract een ore traffic than the strategy aboe. These counterintuitie exaples are not erely hypothetical; we searched the epirical AS topology to identify specific ASes that can launch the. Finally, we find that a cleer export policy can often attract alost as uch traffic as a bogus path announceent. Thus, our work iplies that echaniss that police export policies (e.g., defensie filtering) are crucial, een if S-BGP is fully deployed. Categories and Subject Descriptors. C.2.2 Coputer Counication Networks: Network Protocols. General Ters. Security.. INTRODUCTION The Internet is notoriously ulnerable to traffic attraction attacks, where Autonoous Systes (ASes) anipulate BGP to attract traffic to, or through, their networks. Attracting extra traffic enables the AS to increase reenue c ACM, 2. This is the authors full ersion of the work whose definitie conference ersion [] was published in SIGCOMM, August 3 Septeber 3, 2, New Delhi, India. This full ersion is aailable as Microsoft Research Technical Report MSR-TR-2-8. This technical report first appeared on February 23, 2. This is the latest ersion fro June 2, 2. fro custoers, or drop, taper, or snoop on the packets [2 4]. While the proposed extensions to BGP preent any attacks (see [5] for a surey), een these secure protocols are susceptible to a strategic anipulator who deliberately exploits their weaknesses to attract traffic to its network. Gien the difficulty of upgrading the Internet to a new secure routing protocol, it is crucial to understand how well these protocols blunt the ipact of traffic attraction attacks.. Quantifying the ipact of attacks. We ealuate the four ajor extensions to BGP, ordered fro weakest to strongest: origin authentication [6,7], sobgp [8], S-BGP [9], and data-plane erification [5, ]. While the stronger protocols preent a strictly larger set of attacks than the weaker ones, these security gains often coe with significant ipleentation and deployent costs. To infor discussions about which of these secure protocols should be deployed, we would like to quantitatiely copare their ability to liit traffic attraction attacks. Thus, we siulate attacks on each protocol on an epirically-easured AS-leel topology [ 3], and deterine the percentage of ASes that forward traffic to the anipulator. Perforing a quantitatie coparison requires soe care. It does not suffice to say that one protocol, say S-BGP, is four ties as effectie as another protocol, say origin authentication, at preenting a specific type of attack strategy; there ay be other attack strategies for which the quantitatie gap between the two protocols is significantly saller. Since these ore cleer attack strategies can just as easily occur in the wild, our coparison ust be in ters of the worst possible attack that the anipulator could launch on each protocol. To do this, we put ourseles in the ind of the anipulator, and look for the optial strategy he can use to attract traffic fro as any ASes as possible. Howeer, before we can een begin thinking about optial strategies for traffic attraction, we first need a odel for the way traffic flows in the Internet. In practice, this depends on local routing policies used by each AS, which are not publicly known. Howeer, the BGP decision process breaks ties by selecting shorter routes oer longer ones, and it is widely belieed [4] that policies depend heaily on econoic considerations. Thus, conentional wisdo and prior work [4 6] suggests basing routing policies on business relationships and AS-path lengths. While this odel (used in any other studies, e.g., [2, 7]) does not capture all the intricacies of interdoain routing, it is still ery useful for gaining insight into traffic attraction attacks. All of our results are attained within this odel.

2 .2 Thinking like a anipulator. If routing policies are based on AS path lengths, then intuition suggests that it is optial for the anipulator to announce the shortest path that the protocol does not reject as bogus, to as any neighbors as possible. Depending on the security protocol, this eans announcing a direct connection to the icti IP prefix, a fake edge to the legitiate destination AS, a short path that exists but was neer adertised, a short path that the anipulator learned but is not using, or een a legitiate path that deiates fro noral export policy. Indeed, we use siulations on a easured AS-leel topology to show that this sart attack strategy is quite effectie, een against adanced secure routing protocols like S-BGP and data-plane erification. Worse yet, we show that our siulations underestiate the aount of daage anipulator could cause. Through counterexaples, show that the sart attack is surprisingly not optial. In fact, the following bizarre strategies can soeties attract een ore traffic than the sart attack: announcing a longer path, exporting a route to fewer neighbors, or triggering BGP s loop-detection echanis. In fact, we show that prefix hijacking (i.e., originating a prefix you do not own) is not always the ost effectie attack against today s BGP! These counterexaples are not erely hypothetical we identify specific ASes in the easured AS-leel topology that could launch the. Moreoer, we proe that it is NP-hard to find the anipulator s optial attack, suggesting that a coprehensie coparison across protocols ust reain elusie..3 Our findings and recoendations. While we necessarily underestiate the aount of daage a anipulator could cause, we can ake a nuber of concrete stateents. Our ain finding is that secure routing protocols only deal with one half of the proble: while they do restrict the paths the anipulator can announce, they fail to restrict his export policies. Thus, our siulations show that, when copared to BGP and origin authentication, sobgp and S-BGP significantly liit the anipulator s ability to attract traffic by announcing bogus short paths to all its neighbors. Howeer, een in a network with S-BGP or data-plane erification, we found that a anipulator can still attract traffic by cleerly anipulating his export policies. Indeed, we found that announcing a short path is often less iportant than exporting that path to the right set of neighbors. Thus: Adanced security protocols like S-BGP and data-plane erification do not significantly outperfor sobgp for the sart attacks we ealuated. Defensie filtering of paths exported by stub ASes (i.e., ASes without custoers) proides a leel of protection that is at least coparable to that proided by sobgp, S-BGP and een data-plane erification. Tier 2 ASes are in the position to attract the largest olues of traffic, een in the presence of data-plane erification and defensie filtering (of stubs). Interception attacks [2,3] where the anipulator both attracts traffic and deliers it to the destination are easy for any ASes, especially large ones. We could quibble about whether or not anipulating export policies een constitutes an attack; after all, each AS has the right to decide where it announces paths. Howeer, our results indicate that a cleer export policy can attract alost as uch traffic as a bogus path announceent. Indeed, Section 6. presents an exaple where an AS in the easured topology gains alost as uch exporting a proider-learned path to another proider, as he would by a prefix hijack (announcing that he owns the IP prefix). Thus, our results suggest that addressing traffic attraction attacks requires both echaniss that preent bogus path announceents (e.g., sobgp or S-BGP) as well as echaniss that police export policies (e.g., defensie filtering)..4 Roadap. Section 2 presents the routing odel, threat odel, and our experiental setup. Section 3 describes the ulnerabilities of the secure routing protocols and presents an exaple of how a anipulator can attract traffic by exploiting the. Section 4 describes and ealuates the sart attraction attacks, and Section 5 uses both theory and siulation to analyze interception attacks. Section 6 presents counterexaples, found in real network data, that proe that the sart attacks are not optial. Section 7 shows that finding the optial attack strategy is NP hard. Section 8 presents related work, Section 9 discusses soe practical challenges relating to the ipleentation of routing security protocols, and Section discusses the effect of our odeling assuptions on our results and proides further recoendations. This full ersion also contains a ariety of suppleentary inforation in the appendix. Appendix A has our treatent of sibling relationships, and Appendix B has the details of our siulation ethodology. Appendix D presents a counterexaple fro Section 6 in ore detail, and Appendix E presents a suppleentary exaple that shows how an interception attack can fail, and corrects an error in [2]. Proofs of our theores are in Appendices F-G. Finally, Appendix H presents ersions of all the graphs in the body of this paper, coputed fro a different AS topology dataset [2, 3] than the graphs presented in the body of this paper []. 2. MODEL AND METHODOLOGY We first present a odel of interdoain routing and routing policies, based on the standard odels in [8] and the Gao-Rexford conditions [5], followed by our threat odel for traffic attraction, and finally our experiental setup. 2. Modeling interdoain routing. The AS graph. The interdoain-routing syste is odeled with a labeled graph called an AS graph, as in Figure. Each AS is odeled as a single node and denoted by its AS nuber. Edges represent direct physical counication links between ASes. Adjacent ASes are called neighbors. Since changes in topology typically occur on a uch longer tiescale than the execution of the protocol, we follow [8] and assue the AS-graph topology is static. BGP coputes paths to each destination IP prefix separately, so we assue that there is a unique destination IP prefix to which all other nodes attept to establish a path. As shown in Figure, there is a single AS that rightfully owns the destination IP prefix under consideration. Establishing paths. In BGP, an AS first chooses an

3 p Figure : graph. Ta a a3 a2 Legend Peer Peer Custoer Proider Traffic Manipulator Victi Anonyized subgraph of CAIDA s AS outgoing edge on which it forwards traffic based on a local ranking on outgoing paths, and then announces this path to soe subset of its neighbors. To odel this, we assue that each node n has a set of routing policies, consisting of (a) a ranking on outgoing paths fro n to the destination d, and (b) a set of export policies, a apping of each path P to the set of neighbors to which n is willing to announce the path P. We say that node n has an aailable path ap d if n s neighbor a announced the path ap d to n. If an aailable path ap d is ranked higher than the outgoing path that node n is currently using, then an noral node n will (a) forward traffic to node a, and (b) announce the path nap d to all his neighbors as specified by his export policies. Business relationships. We annotate the AS graph with the standard odel for business relationships in the Internet [5]; while ore coplicated business relationships exist in practice, the following is widely belieed to capture the ajority of the econoic relationships in the Internet. As shown in Figure, there are two kinds of edges: custoer-proider (where the custoer pays the proider for connectiity, represented with an arrow fro custoer to proider), and peer-to-peer (where two ASes owned by different organizations agree to transit each other s traffic at no cost, represented with an undirected edge). Because soe of our results are based on CAIDA s AS graph [], we also consider sibling-to-sibling edges. Details about our treatent of siblings is in Appendix A. Finally, our theoretical results soeties use [5] s assuption that an AS cannot be its own indirect custoer: GR The AS graph contains no custoer-proider cycles. 2.2 Modeling routing policies. In practice, the local routing policies used by each AS in the Internet are arbitrary and not publicly known. Howeer, because we want to understand how false routing inforation propagates through the Internet, we need to concretely odel routing policies. Since it is widely belieed that business relationships play a large role in deterining the routing policies of a gien AS [4, 5], and we hae reasonably accurate epirical aps of the business relationships between ASes [ 3], we base our odel on these relationships. Rankings. BGP is first and foreost designed to preent loops. Thus, we assue that node a rejects an announceent fro its neighbor b if it contains a loop, i.e., if node a appears on the path that node b announces. Beyond that, we can think of the process ASes use to select routes as follows; first applying local preferences, then choosing shortest AS paths, and finally applying a tie break. Since the local preferences of each AS are unknown, and are widely belieed to be based (ostly) on business relationships, we odel the three step process as follows: LP SP TB Local Preference. Prefer outgoing paths where the next hop is a custoer oer outgoing paths where the next hop is a peer oer paths where the next hop is a proider. Shortest Paths. Aong the paths with the highest local preference, chose the shortest ones. Tie Break. If there are ultiple such paths, choose the one whose next hop has the lowest AS nuber. Our odel of local preferences is based on on Gao-Rexford condition GR3, and captures the idea that an AS has an econoic incentie to prefer forwarding traffic ia custoer (that pays hi) oer a peer (where no oney is exchanged) oer a proider (that he ust pay). Notice that this iplies that an AS can soeties prefer a longer path! (e.g., in Figure, AS prefers the fie-hop custoer path through a3 oer the four-hop proider path through Tier T.) Export Policies. Our odel of export policies is based on the Gao-Rexford condition GR2: GR2 AS b will only announce a path ia AS c to AS a if at least one of a and c are custoers of b. GR2 captures the idea that an AS should only be willing to load his own network with transit traffic if he gets paid to do so. Howeer, because GR2 does not fully specify the export policies of eery AS (for instance, an AS could decide to export paths to only a subset of his custoers), it does not suffice for our purposes. Thus, we odel noral export policies as follows: NE An AS will announce all paths to all neighbors except when GR2 forbids hi to do so. 2.3 Threat odel. One strategic anipulator. We assue that all ASes in the AS graph behae norally, i.e., according to the policies in Section , except for a single anipulator (e.g., AS in Figure ). We leae odels dealing with colluding ASes for future work. Noral ASes and noral paths. We assue that eery noral AS uses the routing policies in Section 2.2; thus, the noral path is the path an AS (een the anipulator) would choose if he used the noral rankings of Section 2.2, and noral export is defined analogously. (e.g., In Figure, the anipulator s noral path is through his custoer AS a3.) We shall assue that eery noral AS knows its business relationship with his neighbors, and also knows the next hop it chooses for forwarding traffic to a gien destination. In order to ealuate the effectieness of each secure routing protocol, we assue that ASes beliee eerything they hear, except when the secure routing protocol tells the otherwise. As such, we do not assue that ASes use auxiliary inforation to detect attacks, including knowledge of the network topology or business relationships We need a consistent way to break ties. In practice, this is done using the intradoain distance between routers and router IDs. Since our odel does not incorporate geographic distance or indiidual routers, we use AS nuber instead.

4 between distant ASes, etc., unless the secure routing protocol specifically proides this inforation. Attraction.s. Interception attacks. In an attraction attack, the anipulator s goal is to attract traffic, i.e., to conince the axiu nuber of ASes in the graph to forward traffic that is destined to the icti IP prefix ia the anipulator s own network. To odel the idea that a anipulator ay want to eaesdrop or taper with traffic before forwarding it on to the legitiate destination, we also consider interception attacks. In an interception attack, the anipulator has the additional goal of ensuring that he has an aailable path to the icti. This is in contrast to an attraction attack, where the anipulator is allowed, but not required, to create a blackhole where he has no working path to the icti IP prefix (e.g., Figure ). The fraction of ASes attracted. In this paper, we easure the success of an attack strategy by counting the fraction of ASes in the internetwork fro which that anipulator attracts traffic; this aounts to assuing that eery AS in the internetwork is of equal iportance to the anipulator. 2 Howeer, it is well known that the distribution of traffic in the Internet is not unifor across the ASes; to address this, we also report the fraction of ASes of arious sizes fro which the anipulator attracts traffic, where we easure size by the nuber of direct custoers the AS has. We leae easuring the olue of traffic a anipulator attracts to future work; one (rough) way to do this would be to correlate the olue of traffic that an AS receies to the size of the IP address space owned by that AS. Attack strategies. To capture the idea that the anipulator is strategic, we allow hi to be ore cleer than the noral ASes; specifically, we allow hi to use knowledge of the global AS graph and its business relationships in order to launch his attacks. (Howeer, ost of the strategies we considered require only knowledge that is locally aailable at each AS.) An attack strategy is a set of routing announceents and forwarding choices that deiates fro the noral routing policies specified in Section 2.2. An attack strategy ay include, but is not liited to: Announcing an unaailable or non-existent path. Announcing different paths to different neighbors. Announcing a legitiate aailable path that is different fro the noral path. Exporting a path (een the legitiate noral path) to a neighbor to which no path should be announced to according to the noral export policies. Indeed, one ight argue that soe of these strategies do not constitute dishonest behaior. Howeer, it is iportant to consider these strategies in our study, since we shall find that they can soeties be used to attract as uch traffic as the traditional dishonest strategies (e.g., announcing nonexistent paths). Scope of this paper. This paper focuses on traffic attraction attacks; we do not consider other routing security issues, for instance, isatches between the controland data-plane [4, ], or traffic deflection attacks, where 2 We acknowledge that a anipulator ay want to attract traffic fro a specific subset of ASes. We aoid analyzing this, because we lack epirical data to quantify that subset of ASes that a gien anipulator ay want to attract. a anipulator wants to diert traffic fro hiself or soe distant, innocent AS [5]. 2.4 Experients on epirical AS graphs. All the results and exaples we present are based on epirically-obtained snapshots of the Internet s AS graph annotated with business relationships between ASes. Algorithic siulations. At the core of our experients is our routing tree algorith (presented in Appendix B.) that deterines the paths that each AS uses to reach the destination prefix under the assuption that each AS norally uses the routing policies of Section 2.2. Because we run a large nuber of experients oer the full ( 3K node) AS graph, we aoid the heay essage-passing approach used by standard BGP siulators; instead, we use lightweight algorithic approach based on breadth-first search. The routing tree algorith is also used to siulate the result of a anipulator s attack strategy. In Appendix B., we discuss how we siulate a bogus path announceent by seeding the routing tree algorith with the bogus path, and siulate strategic export policies by reoing certain links between the anipulator and his neighbors. Aerage case analysis. Since the influence of an attack strategy depends heaily on the locations of the anipulator and the icti in the AS graph, we run siulations across any (anipulator, icti) pairs. Rather than reporting aerage results, we plot the distribution of the fraction of ASes that direct traffic to the anipulator. We by no eans beliee that a anipulator would select its icti at rando; howeer, reporting distributions allows us to easure the extent to which a secure protocol can blunt the power of the anipulator, deterine the fraction of ictis that a anipulator could effectiely target, and identify positions in the network that are effectie launching points for attacks. Ideally, to deterine how daaging a gien attack strategy can be, we would hae liked to run siulations oer eery (anipulator,icti) pair in the AS graph. Howeer, this would require (3K) 2 siulations per dataset, which would be prohibitie. Instead, we run experients on randoly-chosen (anipulator, icti) pairs. We found that 6K experients of each type were sufficient for our results to stabilize. Multiple datasets. Because the actual AS-leel topology of the Internet reains unknown, and inferring AS relationships is still an actie area of research, we run siulations on a nuber of different datasets: ultiple years of CAIDA data [], and Cyclops data [2] augented with 2, peer-to-peer edges fro [3] s IXP dataset. Een though these datasets use different relationship-inference algoriths, the trends we obsered across datasets were rearkably consistent. Thus, all the results we present are fro CAIDA s Noeber 2, 29 dataset (with slight odifications to the sibling relationships, see Appendix A.2); counterparts of these graphs, coputed fro Cyclops and IXP data [2, 3] are in Appendix H. Realistic exaples. Rather than proiding contried counterexaples, we gie eidence that the attack strategies we discuss could succeed in wild by ensuring that eery exaple we present coes fro real data. To find these exaples, we (algorithically) searched the epirically-easured AS graph for specific subgraphs that could induce specific counterexaples, and then siulated the attack strategy.

5 All the exaples we present here were found in CAIDA s Noeber 2, 29 dataset [], and then anonyized by replacing AS nubers with sybols (e.g., in Figure, for anipulator, for icti, T for a Tier AS, etc.). We do this in order to aoid iplicating innocent ASes with our exaple attacks, as well as to aoid reporting potentially erroneous AS-relationship inferences ade in the CAIDA dataset (see Section 6.4 for further discussion). 3. FOOLING BGP SECURITY PROTOCOLS This section oeriews the security protocols we consider, and presents the set of (possibly) bogus paths that a anipulator can announce to each neighbor without getting caught. We use the anonyized subgraph of CADIA s AS graph in Figure to deonstrate the fraction of traffic a anipulator could attract by announcing one of these (possibly) bogus paths to all its neighbors. Our focus is on protocols with well-defined security guarantees. Thus, we consider the fie ajor BGP security ariants, ordered fro weakest to strongest security, as follows: (unodified) BGP, Origin Authentication, sobgp, S-BGP, and data-plane erification. Because we focus on security guarantees and not protocol ipleentation, we use these as an ubrella for any other proposals (see [5] for a surey) that proide siilar guarantees using alternate, often lower-cost, ipleentations. Furtherore, our ordering of protocols is strict: an attack that succeeds against a strong security protocol, will also succeed against the weaker security protocol. We also consider defensie filtering as an orthogonal security echanis. BGP. BGP does not include echaniss for alidating inforation in routing announceents. Thus, the anipulator can get away with announcing any path he wants, including (falsely) claiing that he is the owner of the icti s IP prefix. Indeed, when the anipulator in Figure (an anonyized Canadian Tier 2 ISP) launches this attack on the s IP prefix (an anonyized Austrian AS), our siulations show that he attracts traffic fro 75% of the ASes in the internetwork. 3 Origin Authentication. Origin authentication [6] uses a trusted database to guarantee that an AS cannot falsely clai to be the rightful owner for an IP prefix. Howeer, the anipulator can still get away with announcing any path that ends at the AS that rightfully owns the icti IP prefix. For instance, in Figure, the anipulator can attract traffic fro 25% of the ASes in the internetwork by announcing the path (,, ), een though no such path physically exists. sobgp. Secure Origin BGP (sobgp) [8] proides origin authentication as well as a trusted database that guarantees that any announced path physically exists in the AS-leel topology of the internetwork. Howeer, a anipulator can still get away with announcing a path that exists but is not actually aailable. In Figure, the anipulator can attract traffic fro % of the ASes in the internetwork by 3 In fact, another strategy, called a subprefix hijack, is aailable to anipulator; by announcing a longer, ore specific subprefix of the icti s IP prefix, he can attract traffic fro % of the ASes in the internetwork. This work does not consider subprefix hijacks, ostly because these attacks are well understood, but also because they can be preented by the filtering practices discussed in [5]. announcing the path (, p,, ). Notice that this path is unaailable; GR2 forbids the Swiss Tier 2 ISP p to announce a peer path to another peer. Of course, finding paths that exist in the AS graph requires the anipulator to hae knowledge of the global topology of the network. Howeer, obtaining this inforation is not especially difficult; an industrious anipulator ight een obtain this inforation fro the AS graph datasets [ 3] that we used in this paper, or een (ironically) fro the sobgp database itself! S-BGP. In addition to origin authentication, Secure BGP [9] also uses cryptographically-signed routing announceents to proides a property called path erification. Path erification guarantees that eery AS a can only announce a path abp to its neighbors if it has a neighbor b that announced the path bp to a. Thus, it effectiely liits a single anipulator to announcing aailable paths. For instance, in Figure, the anipulator s noral path (see Section 2.3) is the fiehop custoer path (, a3, a2, a,, ); announcing that path allows hi to attract traffic fro.9% of the ASes in the internetwork. Howeer, with S-BGP the anipulator could instead announce the shorter four-hop proider path (, T, a,, ), thus doubling attracted traffic to.7%. Indeed, S-BGP does not preent the anipulator fro announcing the shorter, ore expensie, proider path, while actually forwarding traffic on the cheaper, longer custoer path. Data-plane erification. Data-plane erification [5, ] preents an AS fro announcing one path, while forwarding on another. Thus, if the anipulator in Figure wants to axiize his attracted traffic, he ust also forward traffic on the proider path. Defensie Filtering. Defensie filtering polices the BGP announceents ade by stubs. A stub is an AS with no custoers, and in our odel, GR2 iplies that a stub should neer announce a path to a prefix it does not own. Thus, our odel of defensie filtering has each proider keep a prefix list of the IP prefixes owned by its direct custoers that are stubs. If a stub announces a path to any IP prefix that it does not own, the proider drops/ignores the announceent, thus enforcing GR2. In ost of our analysis, we assue that eery proider in the internetwork correctly ipleents defensie filtering (see also the discussion in Section 9). As such, we assue that defensie filtering copletely eliinates all attacks by stubs. Anoaly Detection. Anoaly detection echaniss are outside our scope. Firstly, any of these proide functionalities that approxiate the security guarantees described aboe, so their effectieness is upperbounded by the schees we ealuate. Secondly, the reaining protocols usually do not hae well-defined guarantees; e.g., [7,9] flag suspicious routes as potential export policy iolations, but do not guarantee the detection of eery export policy iolation. 4. SMART ATTRACTION ATTACKS We siulate attraction attacks on easured graphs of the Internet s AS-leel topology [ 3] to deterine how uch traffic a anipulator can attract in the aerage case. This section first presents the attack strategies we siulated, and then reports our results.

6 No Defensie Filtering Defensie Filtering Announce All Attacks fro dataset caida29 anipany Nuber of saples: 6 BGP OrAuth.8 sobgp SBGP Honest.6 BGP + DF.4 BGP OrAuth sobgp SBGP Figure 2: Lower bounds on the probability of attracting at least % of ASes in the internetwork. 4. A sart-but-suboptial attack strategy. We assued that ASes ake routing decisions based on business relationships and path length, and that a anipulator cannot lie to his neighbor a about their business relationship (i.e., between and a). Thus, intuition suggests that the anipulator s best strategy is to widely announce the shortest possible path: Shortest-Path Export-All attack strategy. Announce to eery neighbor, the shortest possible path that is not flagged as bogus by the secure routing protocol. Eery Shortest-Path Export-All attack strategy on S-BGP is also an attack on data-plane erification. The Shortest-Path Export-All attack strategy on S-BGP has the anipulator announce his shortest legitiate aailable path to the icti, instead of his noral path (see Sections 2.3 and 3). Notice that if the anipulator actually decides to forward his traffic oer the announced path, he has a successful attack on data-plane erification as well! Thus, the Shortest-Path Export-All attack strategy on data-plane erification is identical to the attack on S-BGP. (To reduce clutter, the following ostly refers to the attack on S-BGP.) We underestiate daage. Section 6 shows that the Shortest-Path Export-All attack strategy is not actually optial for the anipulator, and Section 7 shows that finding the optial attack strategy is NP-hard. Thus, we gie up on finding the optial attack strategy, and run siulations assuing that the anipulator uses this sart-butsuboptial attack. This eans that the results reported in this section underestiate the aount of daage a anipulator could cause, and we usually cannot use these results to directly copare different secure routing protocols. In spite of this, our siulations do proide both (a) useful lower bounds on the aount of daage a anipulator could cause, and (b) a nuber of surprising insights on the strategies a anipulator can use to attract traffic to his network. 4.2 Defensie filtering is crucial. Our first obseration is that defensie filtering is a crucial part of any Internet security solution: Figure 2: We show the probability that, for a randoly chosen (anipulator,icti) pair, the anipulator can attract traffic destined for the icti fro at least % of the ASes in the internetwork. The anipulator uses the Shortest-Path Export-All attack strategy. The first four bars on the left assue that network does not use defensie filtering. We show the success of the anipulator s strategy on each of the four BGP security ariants, in a network Fraction of ASes routing thru Manipulator Figure 3: CCDF for the Shortest-Path Export-All attack strategy. with and without defensie filtering of stubs. The horizontal line in Figure 2 shows the fraction of attacks that are copletely eliinated by defensie filtering; since 85% of ASes in the CAIDA graph are stubs, properly-ipleented defensie filtering guarantees that only 5% of anipulators can successfully attack any gien icti. Despite the fact that we used sub-optial strategies for the anipulator, we hae two concrete obserations:. Een if we assue the anipulator runs the sub-optial Shortest-Path Export-All attack strategy on a network that has S-BGP but not defensie filtering, he can still attract % of the ASes in the internetwork with probability > %. Furtherore, ore cleer strategies for S-BGP (e.g., Figure 4 and 5) ight increase the anipulator s probability of success to the point where defensie filtering alone perfors een better than S-BGP alone. 2. Een if both S-BGP and defensie filtering are used, there is still a non-triial 2% probability that the anipulator can attract % of the ASes in the internetwork. Better attack strategies could increase this probability een further. This is particularly striking when we copare with the noral case, where the anipulator anages to attract % of the ASes in the internetwork with about 4 probability (not shown). 4.3 Attack strategy on different protocols. The reader ay wonder why we chose to focus specifically on the probability of attracting % of the ASes in the internetwork in Figure 2. In the interest of full disclosure, we now present the full picture: Figure 3: We show the coplientary cuulatie distribution function (CCDF) of the probability that at least a x-fraction of the ASes in the internetwork forward traffic to the anipulator when he uses the Shortest-Path Export- All attack strategy. Probability is taken oer the unifor rando choice of a icti and anipulator, and obsere that Figure 2 siply presents a crosssection of these results at the x-axis alue of x = %. Because this figure carries quite a lot of inforation, we walk through a few interesting points: BGP cure. Here, the anipulator originates, i.e., announces that he is directly connected to, the icti prefix. This cure looks alost like the CCDF of a unifor distribution, since the anipulator and the icti both announce

7 one-hop paths to the prefix, and are thus are about equally likely to attract traffic. Origin Authentication cure. This tie the anipulator announces that he has a direct link to the AS that legitiately owns the icti prefix. Because the anipulator s path is now two hops long, the aount of traffic he can attract on aerage is reduced. 4.4 S-BGP forces long path announceents. Figures 2 and 3 show that S-BGP is not uch ore effectie in preenting Shortest-Path Export-All attack strategies than the less-secure sobgp. To understand why, let s copare the lengths of the path that the anipulator can announce with sobgp and S-BGP: Figure 4: We show the probability that the anipulator can announce a path that is shorter than the noral path, i.e., the path he would hae chosen if had used the rankings in Section 2.2. Probability is taken oer a randoly-chosen icti, and a anipulator that is randoly chosen fro one of the following four classes: (a) Any AS in the graph, (b) Non-stubs, or ASes with at least one custoer (c) Mediusized ASes with at least 25 custoers, and (d) Large ASes with at least 25 custoers. If we focus on the results for S-BGP, it is clear that larger ASes are ore likely to find Announce All Attack. Pr[Manipulator finds a shorter path]caida29 Any AS.8 Non-Stub > 25 Custoers.6 > 25 Custoers sobgp and S-BGP cures. For the attack on sobgp, the anipulator announces the shortest path that exists in sobgp SBGP the AS graph. For the attack on S-BGP (and data-plane erification), the anipulator announces the shortest aailable path that he learned fro his neighbors. Oddly, the nnounce All Figure Attacks fro 4: Probability dataset data.caida29.anip25cust.cs of finding a shorter Nuber path. of saples: 6 Shortest aailable path. Export all. sobgp and S-BGP cures are alost identical, despite the.8 Noral path. Export All. fact that S-BGP proides stronger security guarantees than Noral path. Noral export. sobgp (see also Section 4.4). For now, howeer, notice that.6 both cures drop off sharply, with a knee around x = 2%, y = 5%. This eans that 85% of anipulations do not anage to attract ore than 2% of the ASes in the internetwork;.4.2 these nubers roughly correspond to the fact that 85% of ASes in the graph are stubs that fail to attract uch traffic with the Shortest-Path Export-All at- tack strategy on sobgp and S-BGP. Meanwhile, between x = 2% to x = 6%, both cures tend to flatten out, suggesting Fraction of ASes routing through Manipulator Figure 5: Aggressie export policies. that if a anipulator is able to attract at least 2% of the ASes in the internetwork, he is alost equality likely shorter paths through the network; this follows fro the fact to be able to attract 6%. We spend ore tie on this that these ASes are both ore richly connected (i.e., they obseration in Section 4.5. hae large degree), as well ore central (i.e., they are closer to ost destinations in the internetwork). Furtherore, we Honest cure. Here the anipulator behaes norally, can also see that ASes (especially sall ASes) are ore likely i.e., using the ranking and export policies of Section 2.2. to find short paths with sobgp than they are with S-BGP. This cure looks alost like a delta-function at x =. That Fro Figure 4, we can conclude that S-BGP is doing exactly what it is designed to do: it is liiting the set of paths is, a randoly-chosen AS is likely to attract only a negligible fraction of the ASes in the internetwork by behaing the attacker can announce, thus forcing hi to announce norally. longer paths. Howeer, in light of the results in Figures 2-3, BGP+Defensie Filtering cure. Defensie filtering we ust ask ourseles why forcing the anipulator to announce eliinates all Shortest-Path Export-All attack strategies on BGP by stubs, i.e., by 85% of ASes. Thus, this is approxiately BGP cure scaled down to 5%. longer paths does not see to significantly liit the aount of traffic he attracts. We could explain by arguing that path lengths in the Internet are fairly short, (aeraging Different-sized ASes are equally affected. This paper about 5 hops in our siulations, see Appendix C); so the consistently easures the anipulator s success by counting the nuber of ASes that route through hi as a result of his attack strategy. We also produced ersions of Figure 3 that count the fraction of ASes of a gien size that route through the anipulator: (a) All ASes, (b) ASes with at least 25 custoers, and (c) ASes with 25 custoers. We paths that the anipulator can get away with announcing in sobgp are only a few hops shorter than the paths he can announce with S-BGP. Indeed, as we show in the next section, the fact that AS paths are norally so short eans that the length of the anipulator s path often plays less of a role than the set of neighbors that he exports to. oit these graph as they were alost identical Export policy atters as uch as length... We now show that the attacker s export policy is as iportant as the length of the path he announces: Figure 5: We show another CCDF of the probability that at least a x-fraction of the ASes in the internetwork forward traffic to the anipulator; probability is taken oer a randoly-chosen icti, and a anipulator chosen randoly fro the class of ASes that hae at least 25 custoers. We consider three different strategies: (a) Announce the shortest aailable path to all neighbors (equialent to the Shortest-Path Export-All attack strategy on S-BGP), (b) Announce the noral path to all neighbors, and (c) Announce the noral path using the noral (GR2 and NE) export policy. This figure shows that, on aerage, announcing a shorter path is uch less iportant than announcing a path to ore neighbors (i.e., the cures for (a) and (b) are ery close,

8 ing on the Honest Path is Proider Path. Dataset data.caida29.anip25cust. cs NuSa.8.6 Shortest aailable path. Export all. Noral path. Export all. Noral path. Noral export..8.6 Announce to All Attack on BGP Fraction of ASes routing through Manipulator Figure 6: Aggressie export policies when the noral path is through a proider. while the cures for (b) and (c) are quite far apart). Indeed, when we considered saller anipulators (not shown), the cures for (a) and (b) are een closer together. One way to explain the sall gap between (a) and (b) is to note that the anipulator s noral path is ery often also his shortest path (this holds for 64% of (anipulator, icti) pairs fro this class); and een when it is not, his noral path tend to be quite short. To understand the large gap between (b) and (c), we note that by iolating the noral export policy, the anipulator can announce paths to his proiders, een when his noral path is not through a custoer. His proiders are ore likely to choose the custoer path through the anipulator, oer soe possibly shorter, non-custoer path especially when using proider paths! The effectieness of the export-all strategy is particularly pronounced when we zoo in on the cases where the noral path is a proider path (which happens for about 34% of (anipulator,icti) pairs conditioning on the anipulator haing at least 25 custoers). Figure 6: This is Figure 5 conditioned on the fact the anipulator s noral path is through a proider. In this case, the anipulator s noral path is always his shortest aailable path, 4 so we show only two strategies instead of three (cf., Figure 5): (b) Announce the noral path to all neighbors (c) Announce the noral path using the noral (GR2 and NE) export policy. The figure shows that exporting to all neighbors draatically increases the aount of traffic attracted by the anipulator. This follows fro the fact that the noral (GR2 and NE) export policy requires the anipulator to export proider paths to custoers only (cure (c)); when the anipulator iolates this export policy by exporting to proiders (and peers) as well (cure (b)), his proiders will prefer the custoer path through the anipulator, and significantly increase the aount of traffic the anipulator attracts. This effect is particularly pronounced here because we considered anipulators with at least 25 custoers in this figure (roughly odeling Tier 2 ASes), that stand to gain by attracting traffic fro their proiders, the Tier s. Thus, Figure 5-6 teach us that, as well as creating short paths, it is crucial for the anipulator to create custoer paths. 4 By LP, if the noral path is a proider path, then all paths aailable to the anipulator ust be proider paths, and by SP, he chooses the shortest one..4 Non-Stub.2 > 25 Custoers > 25 Custoers Fraction of ASes routing thru Manipulator Figure 7: Shortest-Path Export-All attack strategy on BGP by different anipulators. 4.7 Tier 2s usually cause the ost daage. Next, we would like to deterine which ASes in the Internet are likely to be the ost successful anipulators. We consider non-stub anipulators fro three different classes: (a) Non-stubs (ASes with at least custoer), (b) ASes with at least 25 custoers, (roughly odeling Tier 2 ASes ), and (c) Large ASes with at least 25 custoers ( Tier ASes ): Figure 7: We once again show a CCDF of the probability that at least a x-fraction of the ASes in the internetwork forward traffic to the anipulator, when the anipulator launches the Shortest-Path Export-All attack strategy on BGP. Despite the fact that the Tier anipulators are ore central than the Tier 2s, we ake the surprising obseration that Tier 2s anage to attract ore traffic than than Tier s. In fact, for certain regies, een saller non-stub ASes tend to attract ore traffic than the Tier s! This bizarre obseration is actually easy to explain. In the Shortest-Path Export-All attack strategy on BGP, eery anipulator (regardless of its size or location in the network) announces a single-hop path to the icti prefix. Thus, announced path length does not play a role when we copare across classes of anipulators. On the other hand, despite their centrality, Tier ASes are ore expensie to route through than eery other AS in the internetwork; a Tier is always a proider or peer of its neighbors, so een if those neighbors learn a short path through the Tier, they will prefer to route oer a (potentially longer) path through one of their own custoers. Furtherore, Tier 2s are ore central and richly connected than saller ASes on the edge of the internetwork, and thus they tend to attract ore on aerage than the saller ASes ( Non-Stubs ). The reader ay be troubled by the fact that the (red triangle) cure for the anipulators with at least 25 custoers has a different shape than the other cures in Figure 7. We saw exactly this effect on all our experients across different datasets, and one ain reason it occurs is because the AS graph we used only has 34 ASes (out of a total of 33K ASes) that hae at least 25 custoers; this is consistent with the idea that are about 2 (or so) Tier ASes in the Internet. Because we had so few anipulators to choose fro, the effect of indiidual anipulators on the results becoe ore pronounced, and the cures becoe less sooth. 4.8 S-BGP is ulnerable to stubs. The picture for origin authentication looks about the sae as Figure 7. Howeer, the results change slightly when we look at sobgp and S-BGP/data-plane erification:

9 .8.6 Announce All Attack on SBGP Non-Stub > 25 Custoers > 25 Custoers.8.6 Announce All Attack on SBGP All ASes >25 custoers >25 custoers Fraction of ASes routing thru Manipulator Figure 8: Shortest-Path Export-All attack strategy on S-BGP/data-plane erification by different anipulators. Announce to All Attack on BGP All ASes >25 custoers >25 custoers Fraction of ASes routing thru Manipulator Figure 9: Shortest-Path Export-All attack strategy on BGP for different ictis. Figure 8: This is the CCDF for S-BGP/data-plane erification (cf., to Figure 7). Tier 2 anipulators usually coe out on top, except when we consider anipulations that attract % of the ASes in the internetwork or less. In this regie, the Tier ASes coe out on top, so that the S-BGP cure iics noral behaior (not shown). Tier s tend to attract ore traffic than others when eeryone is behaing norally, because they are likely to hae short custoer paths they can announce to all of their (any) neighbors. 4.9 Tier s are ore ulnerable to attacks?!? Next, we deterine which ASes in the internetwork are ost ulnerable to attack. This tie, we consider ictis fro three classes: (a) All ASes, (b) ASes with at least 25 custoers, and (c) Large ASes with at least 25 custoers: Figure 9: This is another CCDF of the probability that at least a x-fraction of the ASes in the internetwork forward traffic to the anipulator, when the anipulator launches the Shortest-Path Export-All attack strategy on BGP. Probability is taken oer a randoly chosen anipulator, and icti fro one of the three classes aboe. We ake the surprising obseration that the Tier 2 ASes ( > 25 Custoers ) tend to be less ulnerable than Tier ASes ( > 25 Custoers), despite the fact that the Tier ASes tend to be ore central and richly connected! To explain this, we once again obsere that despite their centrality, Tier ASes are always proiders or peers of their neighbors, so that their neighbors will prefer (potentially longer) custoer paths that lead to a anipulator at the edge of the internetwork, oer a shorter path to legitiate icti Tier ASes. On the other hand, Tier 2 ASes are the custoers of the Tier s; thus, when they are the ictis of an attack strategy, their Tier neighbors, and the custoers Fraction of ASes routing thru Manipulator Figure : Shortest-Path Export-All attack strategy on S-BGP for different ictis. of these Tier s, will tend to prefer the short custoer path to the icti (a Tier 2), oer the longer path to a anipulator (at the edge of the internetwork). We also note that saller ASes (represented by the cure corresponding to All ASes ) tend to be the ost ulnerable to the Shortest-Path Export-All attack strategy on BGP, since legitiate paths to these ASes tend to be slightly longer than the paths to the larger, ore central ASes. The results are een ore surprising when we look at sobgp and S-BGP/data-plane erification: Figure : This is the CCDF for S-BGP/data-plane erification (cf., to Figure 9). While the Tier 2 ASes reain the least ulnerable (for the reasons we discussed aboe), here we see that the Tier ASes are een ore ulnerable than the saller ASes at the edge of the internetwork! We explain this roughly as follows: For attacks on S-BGP, the anipulator is forced to announce only aailable paths that ay be quite long. Thus, the aount of traffic he attracts tends to decrease (as copared to the Shortest-Path Export-All attack strategy on BGP). Thus, anipulators on the edge of the internetwork tend to attract traffic ostly because (by LP) other ASes prefer (possibly long) custoer paths oer any non-custoer paths. Next, because Tier ASes hae no proiders, Tier ictis cannot rely on the fact that other ASes prefer custoer routes in order to attract traffic to their network; thus, their legitiate routes tend to be less preferable than the ones announced by anipulators at the edge of the internetwork. By contrast, saller ASes and Tier 2s do hae proiders, and these proiders will prefer shorter, legitiate custoer paths to the saller ASes and Tier 2s, rather than longer custoer routes to anipulators at the edge of the internetwork. Een when there is sobgp or S-BGP or data-plane erification (but no defensie filtering), the Tier ASes reain surprisingly ulnerable to attack by stub ASes. (See also Section 6. for a detailed exaple of this type of attack.) 4. Suary. In soe sense, the results of this section suggest that secure routing protocols like S-BGP and sobgp are only dealing with one half of the proble: while they do restrict the path the anipulator can choose to announce, they fail to restrict his export policies. Indeed, because defensie filtering restricts both the export policies and the paths announced by stubs, we find that it proides a leel of protection that is at least coparable to that proided by S-BGP, and een data-plane erification, alone. Een if we eliinate attacks by stubs ia defensie filter-