How Secure are. BGP Security Protocols? Sharon Goldberg Microsoft Research & Boston University. Michael Schapira. Pete Hummon AT&T Research

Size: px

Start display at page:

Download "How Secure are. BGP Security Protocols? Sharon Goldberg Microsoft Research & Boston University. Michael Schapira. Pete Hummon AT&T Research"

Dora Tucker
5 years ago
Views:

1 How Secure are NANOG 49, San Francisco Tuesday June BGP Security Protocols? Sharon Goldberg Microsoft Research & Boston University Michael Schapira Princeton University Yale & Berkeley Pete Huon AT&T Research Jennifer Rexford Princeton

2 Overview (1) BGP traffic attraction attacks can cause ajor probles Prefix hijacks causing blackholes, loss of connectivity e.g., Pakistan Teleco / YouTube incident BGP Man-In-The-Middle attacks e.g., Pilosov & Kapela traffic interception deo If we had BGP security these probles go away. right? Different protocols have different properties. Which one is ost effective at stopping attacks? Can we quantify this? Can we copare the?

Assue a BGP security protocol is fully deployed. How uch traffic can an attacker attract?

3 Overview (2) We quantify & copare how well the ajor BGP Security protocols prevent traffic attraction attacks origin authentication (ROA/RPKI) sobgp defensive filtering (prefix lists) Secure BGP Our approach: Evaluate via siulation on AS topology data. Assue a BGP security protocol is fully deployed. How uch traffic can an attacker attract? To deterine this, we use a odel of BGP routing policies based on the business relationships & AS-path length And run siulations on [CAIDA] & [UCLA Cyclops] data (aps of the AS-level Internet w business relationship)

A odel for BGP Routing Policies (1) In order to

an attack, we need to know how each AS chooses

custoer paths over peer paths over provider

4 A odel for BGP Routing Policies (1) In order to figure out how traffic would flow as result of an attack, we need to know how each AS chooses paths in BGP BUT, we don t know exactly how you do this. So we use a odel. peer p1 peer v p3 custoer provider Prefer custoer paths over peer paths over provider paths A odel of routing policies: p p Prefer cheaper paths. Then, prefer shorter paths.

BGP. v, Prefix v, Prefix p1 v p3 p1, v, Prefix, p3, v, Prefix p3, v, Prefix

5 A odel for BGP Routing Policies (2) In order to figure out how traffic would flow as result of an attack, we need to know how each AS chooses paths in BGP. v, Prefix v, Prefix p1 v p3 p1, v, Prefix, p3, v, Prefix p3, v, Prefix A odel of routing decisions: Prefer cheaper paths. Then, prefer shorter paths.

A odel for BGP Routing Policies (3) In order to figure out how traffic would flow as result of an attack, we need to know how each AS chooses paths in BGP.

6 A odel for BGP Routing Policies (3) In order to figure out how traffic would flow as result of an attack, we need to know how each AS chooses paths in BGP. p1 v p3 Losing, p1, v, Prefix A odel of routing decisions: Prefer cheaper paths. Then, prefer shorter paths. Only transit traffic if it earns you oney, ie. for custoers.

Leaks with Secure BGP Interlude: Finding the Optial Attack Filtering attacks by

7 This talk Part 1: A odel of BGP Routing Policies Part 2: Secure Routing Protocols and Attacks Prefix hijacks on BGP Attacks on Origin Authentication (RPKI) Route Leaks with Secure BGP Interlude: Finding the Optial Attack Filtering attacks by stubs via prefix lists Part 3: Graphs of Siulation Results Part 4: Conclusions and Iplications

8 I ll start with a single anonyized exaple fro CADIA s 11/20/2009 AS relationship data. I ll Ill use this exaple to present possible attacks on each BGP security protocol For now, I ll have have one attacker and one victi Later I ll consider ultiple (attacker, victi) pairs

9 Traffic Attraction Attacks Attacker wants ax nuber of ASes to route thru its network. (For eavesdropping, dropping, tapering, ) v, Prefix p1 v p3?, Prefix A odel of routing decisions: Prefer cheaper paths. Then, prefer shorter paths. Only transit traffic if it earns you oney, ie. for custoers.

10 Traffic Attraction Attacks Attacker wants ax nuber of ASes to route thru its network. (For eavesdropping, dropping, tapering, ) v, Prefix p1 v p3?, Prefix A odel of routing decisions: Prefer cheaper paths. Then, prefer shorter paths. Only transit traffic if it earns you oney, ie. for custoers.

11 Traffic Attraction Attacks Attacker wants ax nuber of ASes to route thru its network. (For eavesdropping, dropping, tapering, ) v, Prefix v, Prefix p1 v p3,, Prefix, Prefix, Prefix A odel of routing decisions: Prefer cheaper paths. Then, prefer shorter paths. Only transit traffic if it earns you oney, ie. for custoers.

12 Traffic Attraction Attacks Attacker wants ax nuber of ASes to route thru its network. (For eavesdropping, dropping, tapering, ) v, Prefix v, Prefix p1 v p3,, Prefix, Prefix, Prefix A odel of routing decisions: Prefer cheaper paths. Then, prefer shorter paths. Only transit traffic if it earns you oney, ie. for custoers.

13 Traffic Attraction Attacks Attacker wants ax nuber of ASes to route thru its network. (For eavesdropping, dropping, tapering, ) p1 v p3 Siulations show he attracts 62% of ASes! A odel of routing decisions: Prefer cheaper paths. Then, prefer shorter paths. Only transit traffic if it earns you oney, ie. for custoers.

14 The attack we just saw could have been prevented with origin authentication (ROA/RPKI). Now, suppose we had ROA/RKPI. Can the attacker still launch an attack? (Yes)

15 Security Mechanis: Origin Authentication RPKI/ROA A secure database that t aps es to owner ASes. p1 v p3 Sart Attack Strategy: Announce the shortest path I can get away with to all y neighbors!

16 Security Mechanis: Origin Authentication RPKI/ROA A secure database that t aps es to owner ASes. v, Prefix p1 v p3?, v, Prefix Sart Attack Strategy: Announce the shortest path I can get away with to all y neighbors!

17 Security Mechanis: Origin Authentication RPKI/ROA A secure database that t aps es to owner ASes. v, Prefix v, Prefix p1 v p3,, v, Prefix, v, Prefix, v, Prefix Sart Attack Strategy: Announce the shortest path I can get away with to all y neighbors!

18 Security Mechanis: Origin Authentication RPKI/ROA A secure database that t aps es to owner ASes. v, Prefix v, Prefix p1 v p3,, v, Prefix, v, Prefix, v, Prefix Sart Attack Strategy: Announce the shortest path I can get away with to all y neighbors!

19 Security Mechanis: Origin Authentication RPKI/ROA A secure database that t aps es to owner ASes. p1 v p3 Siulations show he attracts 58% of ASes! Sart Attack Strategy: Announce the shortest path I can get away with to all y neighbors!

20 The attack we just saw could have been prevented with sobgp or Secure BGP. Now, suppose we had Secure BGP. Can the attacker still launch an attack? (Yes, using route leaks)

21 Security Mechanis: Secure BGP [KLS98] Secure BGP: Origin Authentication + Cannot announce a path that was not announced to you. p1 v p3 Public Key Signature: Anyone who knows v s public key can authenticate that the essage was sent by v.

Public (p1, v, Prefix) Key Signature: Anyone

22 Security Mechanis: Secure BGP [KLS98] Secure BGP: Origin Authentication + Cannot announce a path that was not announced to you. p1: (v, Prefix) p1 v p3 p1: (v, Prefix) : Public (p1, v, Prefix) Key Signature: Anyone who knows v s public key can authenticate that the essage was sent by v.

Prefix) : (p3, v, Pref p1: (v, Prefix) p3: (v,

p3, v, Prefix) Public Key Signature: Anyone who

23 Security Mechanis: Secure BGP [KLS98] Secure BGP: Origin Authentication + Cannot announce a path that was not announced to you. p1: (v, Prefix) p3: (v, Prefix) p1 v p3 p3: (v Prefix) : (p3, v, Pref p1: (v, Prefix) p3: (v, Prefix) : (p1, v, Prefix) : (p3, v, Prefix) : (, p3, v, Prefix) Public Key Signature: Anyone who knows v s public key can authenticate that the essage was sent by v.

24 Are attacks still possible with Secure BGP? (1) Sart Attack Strategy: Announce the shortest path I can get away with to all y neighbors! p1 v p3 p1: (v, Prefix) : (p1, v, Prefix) p3: (v, Prefix) : (p3, v, Prefix) : (, p3, v, Prefix)

25 Are attacks still possible with Secure BGP? (2) Sart Attack Strategy: Announce the shortest path I can get away with to all y neighbors! p1 v p3 p1: (v, Prefix) : (p1, v, Prefix) p1: (v, Prefix) : (p1, v, Prefix) : (, p1, v, Prefix)

26 Are attacks still possible with Secure BGP? (2) Sart Attack Strategy: Announce the shortest path I can get away with to all y neighbors! p1 v p3? p3: (v Prefix) : (p3, v, Pref p1: (v, Prefix) : (p1, v, Prefix) p1: (v, Prefix) : (p1, v, Prefix) : (, p1, v, Prefix)

27 Are attacks still possible with Secure BGP? (2) Sart Attack Strategy: Announce the shortest path I can get away with to all y neighbors! p1 v p3 p3: (v Prefix) : (p3, v, Pref p1: (v, Prefix) : (p1, v, Prefix) p1: (v, Prefix) : (p1, v, Prefix) : (, p1, v, Prefix)

28 Are attacks still possible with Secure BGP? (3) Sart Attack Strategy: Announce the shortest path I can get away with to all y neighbors! p3: (v, Prefix) p1 v p3? p1: (v, Prefix) : (, v, Prefix : (, p1, v, Pr Later we ll discuss why why this is an attack p3: (,, p1, v

29 Are attacks still possible with Secure BGP? (3) Sart Attack Strategy: Announce the shortest path I can get away with to all y neighbors! p3: (v, Prefix) p1 v p3 p1: (v, Prefix) : (, v, Prefix : (, p1, v, Pr Later we ll discuss why why this is an attack p3: (,, p1, v

30 Are attacks still possible with Secure BGP? (3) Sart Attack Strategy: Announce the shortest path I can get away with to all y neighbors! p1 v p3 Siulations show he attracts 16% of ASes! Later we ll discuss why this is an attack

31 This talk Part 1: A odel of BGP Routing Policies Part 2: Secure Routing Protocols and Attacks Prefix hijacks on BGP Attacks on Origin Authentication (RPKI) Route Leaks with Secure BGP Interlude: Finding the Optial Attack Filtering attacks by stubs via prefix lists Part 3: Graphs of Siulation Results Part 4: Conclusions and Iplications

32 Wait! Is this the best attack strategy?!? I can t lie about y business relationship with AS, so I ight as well announce the shortest path I can. Sart Attack Strategy: Announce the shortest path I can get away with to all y neighbors!

announce the shortest path I can. But Not Optial!

33 Wait! Is this the best attack strategy?!? I can t lie about y business relationship with AS, so I ight as well announce the shortest path I can. But Not Optial! Sart Attack Strategy: Announce the shortest path ^ I can get away with to all y neighbors! Soeties Soeties announcing to longer paths fewer neighbors is better! are better! Btw, it s also NP hard to find the optial attack strategy. Sart Attack Strategy underestiates daage.

34 Longer paths are better?!? Here s an exaple that shows why

35 Soeties longer paths are better! (1) p1 v p3 p3: (v, Prefix) : (p3, v, Prefix) p3: (v, Prefix) : (, p3, v, Prefix) : (p3, v, Prefix) p1: (,, p3, v, Prefix) : (, p3, v, Prefix)

36 Soeties longer paths are better! (2) Siulations show he attracts 56% of Internet! With the shorter path, he attracts only 16% of Internet! This is alost as uch as attack on insecure BGP: 62%! p1 v p3 517 neighbors Why does this happen? p1 is bigger than. 4 neighbors Key Observation: Who you announce to is as iportant as what you announce.

37 Security Heuristic: Filtering Stubs on Prefix Lists (1) Providers that filter stubs on prefix lists: keep lists of the prefixes owned by each stub custoer filter if stub custoer announces any path to a prefix not on list p1 v p3 Stub : IP1 IP2 A stub should not transit traffic. A stub is an AS with no custoers.

Security Heuristic: Filtering Stubs on Prefix Lists (2)

prefixes owned by each stub custoer filter if stub custoer

p1 v p3 Stub : IP1 IP2 My stub doesn t own this prefix!

38 Security Heuristic: Filtering Stubs on Prefix Lists (2) Providers that filter stubs on prefix lists: keep lists the prefixes owned by each stub custoer filter if stub custoer announces any path to a prefix not on list p1: (v, Prefix) p1 v p3 Stub : IP1 IP2 My stub doesn t own this prefix! p3: (v, Prefix) : (p3, v, Prefix) : (, p3, v, Prefix) p1: (,, p3, v, Prefix)

39 Security Heuristic: Filtering Stubs on Prefix Lists (2) Providers that filter stubs on prefix lists: keep lists the prefixes owned by each stub custoer filter if stub custoer announces any path to a prefix not on list p1: (v, Prefix) p1 v p3 Stub : IP1 IP2 My stub doesn t own this prefix! p3: (v, Prefix) : (p3, v, Prefix) : (, p3, v, Prefix) p1: (,, p3, v, Prefix) Defensive filtering thwarts all attacks by stubs! In the data, 85% of ASes are stubs.

40 This talk Part 1: A odel of BGP Routing Policies Part 2: Secure Routing Protocols and Attacks Prefix hijacks on BGP Attacks on Origin Authentication (RPKI) Route Leaks with Secure BGP Interlude: Finding the Optial Attack Filtering attacks by stubs via prefix lists Part 3: Graphs of Siulation Results Part 4: Conclusions and Iplications

41 Probability* Sart Attack attracts 10% of Internet *Probability y is taken over rando choice of attacker and victi. No Defensive Filtering Defensive Filtering 15% of Ases are not stubs! BGP OrAuth sobgp Secure BGP Recall that the Greedy Attack Strategy underestiates daage.

42 We see that if every provider filters announceents fro stubs based on prefix lists, is about as effective as having everyone ipleent Secure BGP! Secure BGP is not a replaceent for filtering, we need both in cobination. (S*-BGP is vulnerable to route leaks)

43 Now, graphs that show how well the results fro [CAIDA] and [Cyclops] agree. These two datasets are produced by independent researchers (not us) using different business-relationship inference algoriths. But for our study, the trends we see across the datasets are rearkably consistent.

44 Probability* Sart Attack attracts >x% of Internet (1) *Probability y is taken over rando choice of attacker and victi. 1 BGP OrAuth 0.8 sobgp 0.6 SBGP Honest BGP + DF CAIDA Nov 20, % of Ases are not stubs! Fraction of ASes routing thru Manipulator Recall that the Sart Attack Strategy underestiates daage.

45 Probability* Sart Attack attracts >x% of Internet (2) *Probability y is taken over rando choice of attacker and victi. 1 BGP OrAuth 0.8 sobgp 0.6 SBGP Honest BGP + DF UCLA Cyclops Nov 20, % of Ases are not stubs! Fraction of ASes routing thru Manipulator Recall that the Sart Attack Strategy underestiates daage.

46 Filtering stubs on prefix lists does not prevent attacks by Tier 1s and Tier 2s. In fact, the next graph shows that Tier 2s ake the ost effective attackers. Thus: Filtering is not a replaceent for Secure BGP, we need both in cobination.

47 Tier 2 s are the ost effective attackers Probability* of Attracting >x% of the Internet Attack on BGP (i.e. Originate victi prefix to all neighbors) Tier 2 s attract ore traffic than anyone else Attacker type: Non-Stub 0.2 > 25 Custoers Tier 2 > 250 CustoersTier Fraction of ASes routing thru Manipulator *Probability is over rando victi and attacker fro different classes

48 This talk Part 1: A odel of BGP Routing Policies Part 2: Secure Routing Protocols and Attacks Prefix hijacks on BGP Attacks on Origin Authentication (RPKI) Route Leaks with Secure BGP Interlude: Finding the Optial Attack Filtering attacks by stubs via prefix lists Part 3: Graphs of Siulation Results Part 4: Conclusions and Iplications

49 Take away points 1) Who you tell is as iportant as what you say. Secure BGP constrains the paths announced but not export policies. 2) Defensive filtering is crucial even with S* -BGP S*-BGP prevents path shortening attacks,.but is still vulnerable to route leaks Defensive filtering prevents attacks by stubs but is still vulnerable to attacks by Tier 1s and 2s... which are the ost effective Need a cobination of filtering on prefix lists and S*BGP

Relies on altruis Also, other ASes have to trust that each provider has properly ipleented prefix lists.

50 Ipleenting Filtering on Prefix Lists Today: The provider locally aintains its prefix list. Ipleentation is iperfect. Stub : IP1 IP2 a1 Why? Relies on altruis Also, other ASes have to trust that each provider has properly ipleented prefix lists. My stub doesn t own this IP prefix! Maintaining prefix lists is annoying and hard. Why not use RPKI/ROA derive prefix lists? RPKI / ROA: A secure database that aps es to their owner ASes.

51 What if only large ASes ipleent prefix lists? (1) CAIDA Nov 20, Stubs, size of sallest provider < 5 Custoers 0.14 (5,10] Custoers (10,25] Custoers (25,100] Custoers (100,500] Custoers > 500 Custoers If ISPs with > 10 custoers filter, 56% of attacks stopped.

52 What if only large ASes ipleent prefix lists? (2) UCLA Cyclops Nov 20, Stubs, size of sallest provider < 5 Custoers 0.14 (5,10] Custoers (10,25] Custoers (25,100] Custoers (100,500] Custoers > 500 Custoers If ISPs with > 10 custoers filter, 55% of attacks stopped.

53 Thanks! This work will also appear at SIGCOMM 10 Full report available at:

the attacker announce to the rest of the

54 sobgp is Weaker than S-BGP for Targeted Attacks p X T1 Now, which path should the attacker announce to the rest of the Internet?, T1, a, v, Prefix 4 hops available Attract 2% of ASes v a, p, v, Prefix 3 hops not available Attract 10% of ASes With S-BGP, he couldn t announce an unavailable path that exists in the AS graph.

55 Attract More by Exporting Less (1)! The Teir 1 s announce T1a T1b 4 hop paths.?? a2?? p a1 CAIDA Nov 20, 2009 v Siulations show he attracts 40% of ASes

56 Attract More by Exporting Less (2)! Why? The Teir 1 s T1a T1b use 3 hop paths!?? a2 p X? a1 CAIDA Nov 20, 2009 v Siulations show he attracts 40% of ASes.

57 How Secure is Routing on the Internet Today? (1) February 2008 : Pakistan Teleco hijacks Youtube The Internet YouTube I YouTube: IP / 24 Pakistan Teleco Telnor Pakistan Aga Khan University Multinet Pakistan

How Secure are Secure Interdomain Routing Protocols?

How Secure are Secure Interdomain Routing Protocols? How Secure are Secure Interdoain Routing Protocols? Full ersion fro June 2, 2 Sharon Goldberg Microsoft Research Michael Schapira Yale & UC Berkeley Peter Huon AT&T Labs Jennifer Rexford Princeton ABSTRACT