Internet Kill Switches Demystified

Size: px

Start display at page:

Download "Internet Kill Switches Demystified"

Theodora Lane
5 years ago
Views:

1 Internet Kill Switches Demystified Benjamin Rothenberger, Daniele E. Asoni, David Barrera, Adrian Perrig EuroSec 17, Belgrade B.Rothenberger

2 B.Rothenberger

3 Internet Kill Switches Recent history: multiple incidents of Internet censorship State-run ISPs used to shut down local Internet Common techniques: BGP route withdrawal / redirection IP / keyword filtering DNS hijacking / injection DDoS à known as: Internet Kill Switch B.Rothenberger

4 Outline Goal: motivate research about Internet KS Evaluation & Metrics Examples: KS in BGP KS in BGPsec Comparison of KS in BGP and BGPsec Similarities to DNSSEC B.Rothenberger

5 Evaluation of Kill Switches Comparison of Kill Switches is challenging! Ideal: quantitative metric How about: financial cost? 1. Impact Intuitively: amount of damage based on network disruption i.e., percentage of Internet communications that are blocked by KS 2. Visibility Should be measured relatively to detection mechanisms High visibility ensures consistent public view of systems (e.g. Certificate Transparency in DNSSEC) B.Rothenberger

6 Evaluation of Kill Switches 3. Recoverability How easily / quickly network can recover: time to recover Partial recovery can be sufficient in short term (e.g., 90% recovery) 4. Precision and Effectiveness Specify degree of control that adversary has over KS High precision à low collateral damage High effectiveness à low number of hosts in target area remain online Precision: ratio of impact in target area over overall impact Effectiveness: ratio of actual impact over maximum possible impact B.Rothenberger

7 KS using BGP: Subprefix Hijacking B.Rothenberger

8 Deployment of Secure Protocols How does the effectiveness of Internet Kill Switches change when secure protocols such as BGPsec / DNSSEC are deployed? What about adversarial misuse of centralized key architectures? Discussion typically dismissed à safeguard technologies & procedures sufficiently secure Attack would be highly visible Concern: adversarial KS are feasible! B.Rothenberger

9 RPKI / BGPsec: Resource Authorization B.Rothenberger

10 RPKI Hierarchy B.Rothenberger

11 RPKI Hierarchy B.Rothenberger

12 KS using BGPsec: Certificate Revocation Misbehaving authorities can make targeted manipulations of RPKI 1 Certificate Revocation Authority can revoke any child certificate Creates new mechanism to unilaterally reclaim IP address space No recourse for holder of reclaimed space Causes other networks to reject routing updates from targeted AS à invalidates entire subtree & makes prefix invisible 1 Related Work by Cooper et. al.,: On the Risk of Misbehaving RPKI Authorities B.Rothenberger

13 KS in BGP vs. KS in BGPsec Prefix Hijacking Key compromise Impact Visibility Recoverability < 1h < 48h Precision Effectiveness = good for adversary = bad for adversary B.Rothenberger

14 DNSSEC Trust Chain B.Rothenberger

15 Kill Switches in DNSSEC DNS: 13 different root servers vs. DNSSEC: single root of trust Control over private key is essential for manipulations Allows control over entire sub-domain! Powerful adversaries can compel network operators In both cases: regional registries offer hosted RPKI / DNSSEC à further centralization, valuable target B.Rothenberger

16 Who should have control? B.Rothenberger

Internet KS of the US Government Declaration of National Cyber Emergency Take over any communication network, including the Internet Conditions: Disruption causes

17 Internet KS of the US Government Declaration of National Cyber Emergency Take over any communication network, including the Internet Conditions: Disruption causes severe economic consequences Component of national information infrastructure Systems which operations rely on national information infrastructure B.Rothenberger

18 Conclusion Centralized key-infrastructures provide Internet-scale kill switches Few roots of trust Unilateral control over delegated resources Unilateral control makes KS worse! More precise, effective & easier to select target Remote Internet KS are feasible! à must be considered in the design of secure Internet protocols B.Rothenberger

19 Related Work On the Risk of Misbehaving RPKI Authorities Cooper et. al., HotNets 13 Analysis of Country-wide Internet Outages Caused by Censorship Dainotti et. al., SigComm 11 The Crossfire Attack Kang et. al., Security & Privacy 13 Why Is It Taking So Long to Secure Internet Routing? S. Goldberg ACM Queue 14 B.Rothenberger

20 Thanks for your attention!

21 DNSSEC Trust Chain B.Rothenberger

22 Deployment Status of BGPsec & DNSSEC BGPsec: ~7% of advertised IPv4 prefixes have an ROA (valid and invalid) DNSSEC: ~88% of all TLDs have DS entry in the root zone ~0.5% of.com are signed ~13% of all DNS queries are validated B.Rothenberger

APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

APNIC s role in stability and security Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013 Overview Introducing APNIC Working with LEAs The APNIC Whois Database