CE Advanced Network Security Routing Security II

Similar documents
ELISHA: On Detection and Analysis of Anomalous Dynamics

Security in inter-domain routing

A Survey of BGP Security Review

On the State of the Inter-domain and Intra-domain Routing Security

Detecting inconsistencies in INRDB data

CS4450. Computer Networks: Architecture and Protocols. Lecture 15 BGP. Spring 2018 Rachit Agarwal

CNT Computer and Network Security: BGP Security

On Reverse Engineering the Management Actions from Observed BGP Data

Computer Science 461 Final Exam May 22, :30-3:30pm

Introduction to IP Routing. Geoff Huston

Listen and Whisper: Security Mechanisms for BGP

Lecture outline. Internet Routing Security Issues. Previous lecture: Effect of MinRouteAdver Timer. Recap of previous lecture

A Survey of BGP Security: Issues and Solutions

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011

Protecting DNS from Routing Attacks -Two Alternative Anycast Implementations

Visual-based Anomaly Detection for BGP Origin AS Change (OASC) Events

APT: A Practical Transit-Mapping Service Overview and Comparisons

RAPTOR: Routing Attacks on Privacy in Tor. Yixin Sun. Princeton University. Acknowledgment for Slides. Joint work with

Securing the Internet at the Exchange Point Fernando M. V. Ramos

CSCD 433/533 Network Programming Fall Lecture 14 Global Address Space Autonomous Systems, BGP Protocol Routing

Routing Security Security Solutions

Securing BGP Networks using Consistent Check Algorithm

CS4700/CS5700 Fundamentals of Computer Networks

Lecture 13: Routing in multihop wireless networks. Mythili Vutukuru CS 653 Spring 2014 March 3, Monday

Major Project Part II. Isolating Suspicious BGP Updates To Detect Prefix Hijacks

GLOBAL INTERNET ROUTING FORENSICS Validation of BGP Paths using ICMP Traceback

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

CS 43: Computer Networks. 24: Internet Routing November 19, 2018

COMP/ELEC 429 Introduction to Computer Networks

Some Thoughts on Integrity in Routing

Protecting BGP from Invalid Paths

Interdomain Routing Reading: Sections P&D 4.3.{3,4}

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

CS 204: BGP. Jiasi Chen Lectures: MWF 12:10-1pm Humanities and Social Sciences

Internet Routing Protocols Lecture 03 Inter-domain Routing

CSE/EE 461 Lecture 11. Inter-domain Routing. This Lecture. Structure of the Internet. Focus How do we make routing scale?

Overlay Networks. Behnam Momeni Computer Engineering Department Sharif University of Technology

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Lecture 4: Intradomain Routing. CS 598: Advanced Internetworking Matthew Caesar February 1, 2011

CS BGP v4. Fall 2014

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

BGP Origin Validation

Pretty Good BGP: Improving BGP by Cautiously Adopting Routes

Auto-Detecting Hijacked Prefixes?

Routing Security We can do better!

AS-CRED: Reputation Service for Trustworthy Inter-domain Routing

Computer Security: Principles and Practice

Raj Jain. Washington University in St. Louis

Detection of Invalid Routing Announcement in the Internet Λ

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

6.033 Spring 2015! Lecture #24. Combating network adversaries! DDoS attacks! Intrusion Detection

J. A. Drew Hamilton, Jr., Ph.D. Director, Information Assurance Laboratory and Associate Professor Computer Science & Software Engineering

CS 640: Introduction to Computer Networks. Intra-domain routing. Inter-domain Routing: Hierarchy. Aditya Akella

CS519: Computer Networks. Lecture 4, Part 5: Mar 1, 2004 Internet Routing:

BGP Security via Enhancements of Existing Practices

PART III. Implementing Inter-Network Relationships with BGP

APT Incremental Deployment

StrobeLight: Lightweight Availability Mapping and Anomaly Detection. James Mickens, John Douceur, Bill Bolosky Brian Noble

An Operational Perspective on BGP Security. Geoff Huston February 2005

Data Plane Protection. The googles they do nothing.

CS 268: Computer Networking

A PKI For IDR Public Key Infrastructure and Number Resource Certification

REMINDER course evaluations are online

CS 5114 Network Programming Languages Control Plane. Nate Foster Cornell University Spring 2013

Interdomain Routing Reading: Sections K&R EE122: Intro to Communication Networks Fall 2007 (WF 4:00-5:30 in Cory 277)

A Measurement Study of BGP Misconfiguration

Link State Routing & Inter-Domain Routing

Security Issues of BGP in Complex Peering and Transit Networks

Network Security - ISA 656 Routing Security

Routing Between Autonomous Systems (Example: BGP4) RFC 1771

Accurate Real-time Identification of IP Hijacking

TDC 375 Network Protocols TDC 563 P&T for Data Networks

Carnegie Mellon Computer Science Department Spring 2015 Midterm Exam

Securing BGP. Geoff Huston November 2007

MANRS. Mutually Agreed Norms for Routing Security. Jan Žorž

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Network Security (and related topics)

Distributed Denial of Service (DDoS)

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

Next Week. Network Security (and related topics) Project 3 Q/A. Agenda. My definition of network security. Network Security.

CS 43: Computer Networks Internet Routing. Kevin Webb Swarthmore College November 14, 2013

Network Security - ISA 656 Routing Security

NETWORK THREATS DEMAN

BGP. Autonomous system (AS) BGP version 4. Definition (AS Autonomous System)

IP Addressing & Interdomain Routing. Next Topic

CS 43: Computer Networks Internet Routing. Kevin Webb Swarthmore College November 16, 2017

MANRS. Mutually Agreed Norms for Routing Security. Aftab Siddiqui

Detecting Behavior Propagation in BGP Trace Data Brian J. Premore Michael Liljenstam David Nicol

Routing. Jens A Andersson Communication Systems

CS244a: An Introduction to Computer Networks

A Configuration based Approach to Mitigating Man-inthe-Middle Attacks in Enterprise Cloud IaaS Networks running BGP

Enhancing the Trust of Internet Routing with Lightweight Route Attestation

Basic Concepts in Intrusion Detection

Internet Infrastructure

Experience with SPM in IPv6

CE Advanced Network Security

BGP Configuration for a Transit ISP

Flooding Attacks by Exploiting Persistent Forwarding Loops

CSC 4900 Computer Networks: Routing Protocols

Transcription:

CE 817 - Advanced Network Security Routing Security II Lecture 21 Mehdi Kharrazi Department of Computer Engineering Sharif University of Technology Acknowledgments: Some of the slides are fully or partially obtained from other sources. Reference is noted on the bottom of each slide, when the content is fully obtained from another source. Otherwise a full list of references is provided on the last slide.

Autonomous Systems (ASes) UCDavis: 169.237/16 AS6192 AS11423 (UC) AS11537 (CENIC) AS513 an AS Path: 169.237/16 513!11537!11423! 6192 Fall 1393 Ce 837 -Lecture 21 [Wu07] 2

BGP Advertisement Given AS only advertises routes it considers good enough for itself If there are multiple routes to the destination, it would choose the best one based on local policy No obligation to advertise routes it does not like This is how an AS implements a no transit policy Fall 1393 Ce 837 -Lecture 21 [Peterson07] 3

BGP AS Path

Bogus AS Paths Remove ASes from the AS path E.g., turn 701 -> 3715 -> 88 into 701 -> 88 Motivations Make the AS path look shorter than it is Attract sources that normally try to avoid AS 3715 Help AS 88 look like it is closer to the Internet s core Who can tell that this AS path is a lie? Maybe AS 88 *does* connect to AS 701 directly 701 3715? 88 Fall 1393 Ce 837 -Lecture 21 [Rex05] 5

Bogus AS Paths Add ASes to the path E.g., turn 701 88 into 701 3715 88 Motivations Trigger loop detection in AS 3715 Denial-of-service attack on AS 3715 Or, blocking unwanted traffic coming from AS 3715! Make your AS look like it has richer connectivity Who can tell the AS path is a lie? AS 3715 could, if it verifying the path AS 88 could, but would it really care as long as it received data traffic meant for it? 701 88 Fall 1393 Ce 837 -Lecture 21 [Rex05] 6

Bogus AS Paths Adds AS hop(s) at the end of the path E.g., turns 701 88 into 701 88 3 Motivations Evade detection for a bogus route E.g., by adding the legitimate AS to the end Hard to tell that the AS path is bogus Even if other ASes filter based on prefix ownership 701 18.0.0.0/8 88 3 18.0.0.0/8 Fall 1393 Ce 837 -Lecture 21 [Rex05] 7

Invalid Paths AS exports a route it shouldn t AS path is a valid sequence, but violated policy Example: customer misconfiguration Exports routes from one provider to another interacts with provider policy Provider prefers customer routes so picks these as the best route leading the dire consequences data Directing all Internet traffic through customer Main defense Filtering routes based on prefixes and AS path BGP Fall 1393 Ce 837 -Lecture 21 [Rex05] 8

Missing/Inconsistent Routes Peers require consistent export Prefix advertised at all peering points Prefix advertised with same AS path length Reasons for violating the policy Trick neighbor into cold potato Configuration mistake Main defense Analyzing BGP updates or data traffic for signs of inconsistency dest BGP Bad AS data src Fall 1393 Ce 837 -Lecture 21 [Rex05] 9

BGP Security Today Applying best common practices (BCPs) Securing the session (authentication, encryption) Filtering routes by prefix and AS path Packet filters to block unexpected control traffic This is not good enough Depends on vigilant application of BCPs and not making configuration mistakes! Doesn t address fundamental problems Can t tell who owns the IP address block Can t tell if the AS path is bogus or invalid Can t be sure the data packets follow the chosen route Fall 1393 Ce 837 -Lecture 21 [Rex05] 10

Proposed Enhancements to BGP

S-BGP Secure Version of BGP Address attestations Claim the right to originate a prefix Signed and distributed out-of-band Checked through delegation chain from ICANN Route attestations Distributed as an attribute in BGP update message Signed by each AS as route traverses the network Signature signs previously attached signatures S-BGP can validate AS path indicates the order ASes were traversed No intermediate ASes were added or removed Fall 1393 Ce 837 -Lecture 21 [Rex05] 12

S-BGP Deployment Challenges Complete, accurate registries E.g., of prefix ownership Public Key Infrastructure To know the public key for any given AS Cryptographic operations E.g., digital signatures on BGP messages Need to perform operations quickly To avoid delaying response to routing changes Difficulty of incremental deployment Hard to have a holiday to deploy S-BGP Fall 1393 Ce 837 -Lecture 21 [Rex05] 13

Incrementally Deployable Schemes Monitoring BGP update messages Use past history as an implicit registry E.g., AS that announces each address block E.g., AS-level edges and paths Out-of-band detection mechanism Generate reports and alerts Internet Alert Registry: http://iar.cs.unm.edu/ Prefix Hijack Alert System: http://phas.netsec.colostate.edu/ Soft response to suspicious routes Prefer routes that agree with the past Delay adoption of unfamiliar routes when possible Some (e.g., misconfiguration) will disappear on their own Fall 1393 Ce 837 -Lecture 21 [Rex05] 14

What About Packet Forwarding? 15

Control Plane Vs. Data Plane Control plane BGP is a routing protocol BGP security concerns validity of routing messages I.e., did the BGP message follow the sequence of ASes listed in the ASpath attribute Data plane Routers forward data packets Supposedly along the path chosen in the control plane But what ensures that this is true? Fall 1393 Ce 837 -Lecture 21 [Rex05] 16

Data-Plane Attacks, Part 1 Drop packets in the data plane While still sending the routing announcements Easier to evade detection Especially if you only drop some packets Like, oh, say, BitTorrent or Skype traffic Even easier if you just slow down some traffic How different are normal congestion and an attack? Especially if you let ping/traceroute packets through? Fall 1393 Ce 837 -Lecture 21 [Rex05] 17

Data-Plane Attacks, Part 2 Send packets in a different direction Disagreeing with the routing announcements Direct packets to a different destination E.g., one the adversary controls What to do at that bogus destination? Impersonate the legitimate destination (e.g., to perform identity theft, or promulgate false information) Snoop on the traffic and forward along to real destination How to detect? Traceroute? Longer than usual delays? End-to-end checks, like site certificate or encryption? Fall 1393 Ce 837 -Lecture 21 [Rex05] 18

Fortunately, Data-Plane Attacks are Harder Adversary must control a router along the path So that the traffic flows through him How to get control a router Buy access to a compromised router online Guess the password Exploit known router vulnerabilities Insider attack (disgruntled network operator) Malice vs. greed Malice: gain control of someone else s router Greed: Verizon DSL blocks Skype to gently encourage me to pick up my landline phone to use Verizon long distance $ervice Fall 1393 Ce 837 -Lecture 21 [Rex05] 19

Visual-based Anomaly Detection for BGP Origin AS Change (OASC) Events, Soon-Tee Teoh, Kwan-Liu Ma, S. Felix Wu, Dan Massey, Xiao-Liang Zhao, Dan Pei, Lan Wang, Lixia Zhang, Randy Bush, DSOM 2003.

Elisha: the long-term goal Monitoring and management of a large-scale complex system that we do not fully understand its behavior. Integration of human and machine intelligence to adaptively develop the domain knowledge for the target system. Knowledge Acquisition via Visualization cognitive pattern matching event correlation and explanation Elisha: open source available http://www.cs.ucdavis.edu/~wu/elisha/ Linux/Windows Fall 1393 Ce 837 -Lecture 21 [Teoh03] 21

Autonomous Systems (ASes) UCDavis: 169.237/16 AS6192 AS11423 (UC) AS11537 (CENIC) AS513 an AS Path: 169.237/16 513!11537!11423! 6192 Fall 1393 Ce 837 -Lecture 21 [Wu07] 22

Origin AS in an AS Path UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS AS Path: 513-> 11537 -> 11423 -> 6192 12654 13129 6461 3356 11423 6192 12654 9177 3320 209 11423 6192 12654 4608 1221 4637 11423 6192 12654 777 2497 209 11423 6192 12654 3257 3356 11423 6192 12654 1103 11537 11423 6192 12654 3333 3356 11423 6192 12654 7018 209 11423 6192 12654 2914 209 11423 6192 12654 3549 209 11423 6192 Fall 1393 Ce 837 -Lecture 21 [Wu07] 23

Origin AS Changes (OASC) Ownership: UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS Current AS Path: 2914 -> 209 -> 11423 -> 6192 for prefix: 169.237/16 New AS Path: 2914 -> 3011 -> 273 -> 81 for prefix: 169.237.6/24 Punching a hole on the address space Which route path to use? Legitimate or not?? 3011 273 81 169.237.6/24 12654 2914 209 11423 6192 169.237/16 Fall 1393 Ce 837 -Lecture 21 [Wu07] 24

BGP OASC Events Max: 10226 (9177 from a single AS) Fall 1393 Ce 837 -Lecture 21 [Wu07] 25

Data Oregon Route Views data Peering with 54 BGP routers and 43 different ASes Overall 38225 OASC events observed Over 1279 days Fall 1393 Ce 837 -Lecture 21 26

Visual-based Anomaly Detection Visual Anomalies Something catches your eyes Mental/Cognitive long-term profile or normal behavior We build the long-term profile in your mind. Human experts can incorporate domain knowledge about the target system/protocol. Fall 1393 Ce 837 -Lecture 21 [Teoh03] 27

Visual-based Anomaly Detection Information Visualization Toolkit update decay clean raw events cognitive profile cognitively identify the deviation alarm identification Fall 1393 Ce 837 -Lecture 21 [Teoh03] 28

ELISHA/OASC Events: Low level events: BGP Route Updates High level events: OASC Still 1000+ per day and max 10226 per day for the whole Internet Information to represent visually: IP address blocks Origin AS in BGP Update Messages Different Types of OASC Events Fall 1393 Ce 837 -Lecture 21 [Teoh03] 29

Quad-Tree Representation of IP Address Prefixes 01 11 110001 110011 111001 111011 110000 110010 111000 111010 00110110 1001 00 10 169.237/16 10101001.11101101/16 Fall 1393 Ce 837 -Lecture 21 [Wu07] 30

AS# Representation AS-7777 01 11 110001 110011 111001 111011 AS# 00110110 110000 110010 111000 111010 1001 00 10 AS-1 Fall 1393 Ce 837 -Lecture 21 31 AS-15412 [Wu07]

AS81 punched a hole on 169.237/16 yesterday AS-6192 victim yesterday 169.237/16 today AS-81 offender Fall 1393 Ce 837 -Lecture 21 [Wu07] today 169.237/16 169.237.6/24 32

8 OASC Event Types Using different colors to represent types of OASC events H type : AS punches a hole on prefix addresses belonging to others B type: An AS announces a more specific prefix out of a larger block it already owns. O type: An AS announces a prefix previously not owned OS involving SOAS OM involving MOAS C type: An AS announces a prefix previously owned by another AS. CSS, CSM, CMS, CMM S=SOAS, M=MOAS Fall 1393 Ce 837 -Lecture 21 [Wu07] 33

August 14, 2000 A lot of blue lines (H type) : AS punches a hole on prefix addresses belonging to others Fall 1393 Ce 837 -Lecture 21 [Teoh03] 34

August 14, 2000 Looking at AS 11724 207.50.48.0/21 victim AS 7777 207.50.53.251/32 Punching a hole Yellow pixel: OASC occurred today Brown to Green pixel: Change occurred on previous days Fall 1393 Ce 837 -Lecture 21 [Teoh03] 35

August 14, 2000 Select OASC events related to AS 7777 What are the pink links? Fall 1393 Ce 837 -Lecture 21 [Teoh03] 36

August 14, 2000 O type: An AS announces a prefix previously not owned OS involving SOAS There seems to be a pattern Fall 1393 Ce 837 -Lecture 21 [Teoh03] 37

August 14, 2000 3D plot AS 7777 is advertising prefixes forming a grid in the unused address space. Announcing 65.0.0.0/8 to 126.0.0.0/8 + other addresses. Can you automate the pink grid detection? Fall 1393 Ce 837 -Lecture 21 [Teoh03] 38

April 6, 2001 Unusual amount of skyblue C type: An AS announces a prefix previously owned by another AS. CSM Prefix claimed by one AS before, now by multiple ASs Small amount is fine i.e. multi-homing Fall 1393 Ce 837 -Lecture 21 [Teoh03] 39

April 6, 2001 New AS 15412 Old AS 10132 Fall 1393 Ce 837 -Lecture 21 [Teoh03] 40

April 6, 2001 Looking at AS 15412 Fall 1393 Ce 837 -Lecture 21 [Teoh03] 41

April 7-12, 2001 Admin corrected the mistake Announcements were withdrawn C type: An AS announces a prefix previously owned by another AS. CMS Fall 1393 Ce 837 -Lecture 21 [Teoh03] 42

MonCube Fall 1393 Ce 837 -Lecture 21 43

MonCube Fall 1393 Ce 837 -Lecture 21 44

Acknowledgments/References [Wu07] ecs 236, Intrusion Detection, S. Felix Wu, UC Davis, Winter 2007. [Rex05] COS 461, Computer Networks, Jennifer Rex, Princeton University, Spring 2005. [Peterson07] Computer Networks: A Systems Approach (Fourth Edition), by Larry L. Peterson, Bruce S. Davie, March 2007. [Teoh03] Visual-based Anomaly Detection for BGP Origin AS Change (OASC), Soon-Tee Teoh, Kwan-Liu Ma, S. Felix Wu, Dan Massey, Xiao-Liang Zhao, Dan Pei, Lan Wang, Lixia Zhang, Randy Bush, Presentation at DSOM, Germany, 2003. Fall 1393 Ce 837 -Lecture 21 45

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback