Inter-domain Routing(BGP) Security [IP Prefix Hijacking] Akmal Khan

Similar documents
Evaluation of BGP Anomaly Detection and Robustness Algorithms

AS-CRED: Reputation Service for Trustworthy Inter-domain Routing

The Implementation of BGP Monitoring, Alarming, and Protecting System by a BGP-UPDATE-Based Method using ECOMMUNITY in Real Time

Towards A Practical and Effective BGP Defense System

The Transition to BGP Security Is the Juice Worth the Squeeze?

A Configuration based Approach to Mitigating Man-inthe-Middle Attacks in Enterprise Cloud IaaS Networks running BGP

BGP Security via Enhancements of Existing Practices

BGP Path Exploration Damping (PED)

CNT Computer and Network Security: BGP Security

BGP Anomaly Detection. Bahaa Al-Musawi PhD candidate Supervisors: Dr. Philip Branch and Prof. Grenville Armitage.

Detecting routing anomalies using RIPE Atlas

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

Introduction to IP Routing. Geoff Huston

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

A Survey of BGP Security Review

Identifying BGP Routing Table Transfer. !Machu Picchu!

32-bit ASNs. Greg Hankins Chris Malayter APRICOT 2009 APRICOT /02/25

Securing BGP Networks using Consistent Check Algorithm

Measuring and Analyzing on Effection of BGP Session Hijack Attack

PTT Fórum 6. John Kemp

Security in inter-domain routing

PART III. Implementing Inter-Network Relationships with BGP

Auto-Detecting Hijacked Prefixes?

Just give me a button!

Update on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

StrobeLight: Lightweight Availability Mapping and Anomaly Detection. James Mickens, John Douceur, Bill Bolosky Brian Noble

Hands-On BGP Routing. Course Description. Students Will Learn. Target Audience. Prerequisites. Page: 1 of 5. BGP Routing

On the State of the Inter-domain and Intra-domain Routing Security

Introducción al RPKI (Resource Public Key Infrastructure)

Pretty Good BGP: Improving BGP by Cautiously Adopting Routes

the real-time Internet routing observatory

An Operational Perspective on BGP Security. Geoff Huston February 2005

Network Security: Routing security. Aapo Kalliola T Network security Aalto University, Nov-Dec 2012

Routing Security We can do better!

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

A Measurement Study of BGP Misconfiguration

Robust Inter-Domain Routing

CSE 461 Interdomain routing. David Wetherall

How Complete and Accurate is the Internet Routing Registry (IRR)?

Networking Review & Grand Challenges

Security Issues of BGP in Complex Peering and Transit Networks

Major Project Part II. Isolating Suspicious BGP Updates To Detect Prefix Hijacks

Jumpstarting BGP Security. Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira

MANRS Mutually Agreed Norms for Routing Security

Understanding Resiliency of Internet Topology Against Prefix Hijack Attacks

Investigating occurrence of duplicate updates in BGP announcements

TTM AS-level Traceroutes

4-Byte AS Numbers. The view from the Old BGP world. Geoff Huston February 2007 APNIC

MANRS. Mutually Agreed Norms for Routing Security. Jan Žorž

Autonomous Security for Autonomous Systems

APT: A Practical Transit-Mapping Service Overview and Comparisons

Detecting Internet Traffic Interception based on Route Hijacking

Routing on the Internet. Routing on the Internet. Hierarchical Routing. Computer Networks. Lecture 17: Inter-domain Routing and BGP

Region-based BGP Announcement Filtering for Improved BGP Security

RAPTOR: Routing Attacks on Privacy in Tor. Yixin Sun. Princeton University. Acknowledgment for Slides. Joint work with


Securing the Internet at the Exchange Point Fernando M. V. Ramos

Detection of Invalid Routing Announcement in the Internet Λ

BGPMON.IO: THE MANY NEW FACES OF BGPMON

Internet Routing Protocols Lecture 03 Inter-domain Routing

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

Inter-domain routing security and the role of Internet Routing Registries. August 1, 2004 Larry Blunk, Merit Network, Inc.

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011

PHAS: A Prefix Hijack Alert System

Internet Protocols Fall Lectures Inter-domain routing, mobility support, multicast routing Andreas Terzis

CS 204: BGP. Jiasi Chen Lectures: MWF 12:10-1pm Humanities and Social Sciences

MANRS. Mutually Agreed Norms for Routing Security. Aftab Siddiqui

Balanced Peer Lists: Towards a Collusion-Resistant BGP

On the Characteristics of BGP Multiple Origin AS Conflicts

Evaluation of Prefix Hijacking Impact Based on Hinge-Transmit Property of BGP Routing System

Deploying RPKI An Intro to the RPKI Infrastructure

bgpand - Architecting a modular BGP4 Attack & Anomalies Detection Platform

A FRAMEWORK FOR DEFENDING AGAINST PREFIX HIJACK ATTACKS. A Thesis KRISHNA CHAITANYA TADI

Accurate Real-time Identification of IP Hijacking. Presented by Jacky Mak

Secure Routing with RPKI. APNIC44 Security Workshop

The BGP Visibility Scanner

BGP ANOMALY DETECTION USING DATA MINING TECHNIQUES. Iñigo Ortiz de Urbina

Accurate Real-time Identification of IP Hijacking

Module: Routing Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Networking Review & Grand Challenges

Resource Public Key Infrastructure

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Dynamics of Hot-Potato Routing in IP Networks

CSCD 433/533 Network Programming Fall Lecture 14 Global Address Space Autonomous Systems, BGP Protocol Routing

Implementation of RPKI and IRR filtering on the AMS-IX platform. Stavros Konstantaras NOC Engineer

SENSS: Software-defined Security Service

32-bit ASNs. Philip Smith. AfNOG rd April 1st May Abuja, Nigeria

MANRS: Mutually Agreed Norms for Routing Security Routing is at Risk Let s secure it together!

The Dark Oracle: Perspective-Aware Unused and Unreachable Address Discovery

Misdirection / Hijacking Incidents

IPv6 Routing Table Anomalies

3/10/2011. Copyright Link Technologies, Inc.

Multi-Lateral Peering Agreement

the real-time Internet routing observatory Luca Sani

How Secure are. BGP Security Protocols? Sharon Goldberg Microsoft Research & Boston University. Michael Schapira. Pete Hummon AT&T Research

Internet Routing Protocols Lecture 01 & 02

Routing Security. Daniel Karrenberg RIPE NCC.

This article appeared in a journal published by Elsevier. The attached copy is furnished to the author for internal non-commercial research and

Measuring Adoption of RPKI Route Origin Validation and Filtering

the real-time Internet routing observatory Alessandro Improta

Transcription:

Inter-domain Routing(BGP) Security [IP Hijacking] Akmal Khan [raoakhan@mmlab.snu.ac.kr] 4-15-2010

2 Outline Introduction Types of IP Hijacking Internet Routing Data Sources Tools of the Trade Past Research on BGP Sec Conclusion

3 Internet Abstractions Collection of Hosts, Routers, Point of Presence(PoP s) or Autonomous System(AS) An AS is a connected group of one or more IP prefixes run by one or more network operators which has a SINGLE and CLEARLY DEFINED routing policy(rfc 1930)

4 Internet Number Resources IPv4/IPv6addresses Autonomous System Numbers(ASn) 16 bit SNU has AS9488 32 bit Asx.y

5

6 Border Gateway Protocol (BGP) Inter-domain routing protocol(inter AS) Critical Communications and Business Infrastructure! Vulnerable to different threats Configuration/Human Errors Patches applied as threats are exploded E2E solutions require collaboration 1.2.0.0/16 p (AS_PATH, prefix) {1}, p {2, 1}, p 1 2 3 {3, 2, 1}, p 4 5

7 Outline Introduction Types of IP Hijacking Internet Routing Data Sources Tools of the Trade Past Research on BGP Sec Conclusion

8 Types of hijacking(ph) [Type1] hijacking /Duplicate PH AS1 owns 1.2.0.0/16 but advertised by AS2 [Type2]Sub prefix hijacking AS2 advertises 1.2.3.0/24 [Type3]AS Spoofing AS5 announce [5 1] without having peering with AS1 [Type4]Independent PH AS2 use Bogons (unused address space) [Type5]Man in the middle (MITM) Attacks

announcements 1.2.0.0/16 4, 2, 1 1.2.0.0/16 : 4, 2, 1 AS 4 1.2.0.0/16 2, 1 1.2.0.0/16 : 3, 2, 1 AS 5 1.2.0.0/16 : 2, 1 AS 3 1.2.0.0/16 2, 1 Advertise 1.2.0.0/16 AS 1 AS 2 1.2.0.0/16 1 9

Type 1: Hijack a prefix Advertise 1.2.0.0/16 1.2.0.0/16 path: 5 AS 4 1.2.0.0/16 2, 51 AS 5 MOAS (Multiple Origin AS) 1.2.0.0/16 path: 4, 5 AS 3 1.2.0.0/16 2, 4, 15 Advertise 1.2.0.0/16 AS 1 AS 2 1.2.0.0/16 1 10

Type 2: Hijack a prefix and its AS number Advertise a path to 1.2.0.0/16 AS 4 1.2.0.0/16 2, 5, 1 AS 5 AS 3 NO MOAS! 1.2.0.0/16 2, 1 Advertise 1.2.0.0/16 AS 1 AS 2 1.2.0.0/16 1 11

Type 3: Hijack a subnet of a prefix Advertise 1.2.3.0/24 AS 4 1.2.3.0/24 5 1.2.0.0/16 1.2.0.0/16 2, 2, 1 AS 5 Advertise 1.2.0.0/16 No SubMOAS! AS 1 AS 2 AS 3 1.2.0.0/16 1.2.3.0/24 2, 4,51 1.2.0.0/16 2,1 1.2.0.0/16 1.2.3.0/24 14,5 1.2.0.0/16 1 12

Longest prefix matching Attacker is able to attract all traffic Advertise 1.2.3.0/24 AS 4 Pefix 1.2.3.0/24 5 1.2.0.0/16 2, 1 AS 5 AS 3 Send packet to 1.2.3.4 in AS 1 1.2.0.0/16 1.2.3.0/24 2, 4,5 1 Advertise 1.2.0.0/16 AS 1 AS 2 1.2.3.0/24 4,5 1.2.0.0/16 1 1.2.0.0/16 2, 1 Longest Matching 13

Type 4: Hijack a subnet of a prefix and AS number Advertise a path to 1.2.3.0/24 AS 4 1.2.3.0/24 5,1 1.2.0.0/16 2, 1 AS 5 AS 3 Neither MOAS Nor SubMOAS! 1.2.0.0/16 1.2.3.0/24 2, 4,5,1 1 1.2.0.0/16 2, 1 Advertise 1.2.0.0/16 Longest AS 1 AS 2 1.2.0.0/16 1.2.3.0/24 14,5,1 1.2.0.0/16 1 Matching 14

BGP hijacking Incidents Did AS13214 really hijack the Internet? http://bgpmon.net/blog/?p=80 Cyclops detects global routing leak by AS13214 Don t be afraid of AS3130..April 2009 http://cyclops.cs.ucla.edu/ WorldofWarcraft.com and WoWarmory.com sub-prefix hijacked (July 2008) YouTube s prefix hijacked by Pakistan Telecom February 2008 Search NANOG/NSP-Sec mailing archives for more 15

16 Outline Introduction Types of IP Hijacking Internet Routing Data Sources Tools of the Trade Past Research on BGP Sec Conclusion

Data Sources RIR/Internet Route Registry(IRR) Registration information/policy Information RADB,RIPE,ARIN,APNIC BGP Data Collectors RouteViews, RIPE-RIS No. of BGP collector deployed around the world Trace route Datasets[Skitter/Ark,DIMES] P2P Ono, multicast data(mrinfo),router logs,acls Collect traces from Route Servers, Looking Glass servers etc. 17

18 Route Views(SNU AS) RIPE-RIS (SNU AS) http://bgplay.routeviews.org/bgplay/ http://www.ris.ripe.net/bgplay/

19 Outline Introduction Types of IP Hijacking Data Sources to start research Tools of the Trade Past Research on BGP Sec Conclusion

Cyclops..AS-Centric Visualization tool Data sources BGP routing tables + updates: Route Views, RIPE, Abilene, CERNET BGP View Route Servers: Packet Clearing House, UCR, traceroute.org, Route Server Wiki Looking Glasses: traceroute.org, NANOG, Looking Glass Wiki Others Mapnet,Otter,HERMES,VAST,FixedOrbit http://cyclops.cs.ucla.edu/

Tools to get started Software based Router Quagga 0.99.14/vyata/GateD etc. RIR-Internet Routing Registry IRRd - 2.3.9 RIPE WHOIS 3.6 Irrtoolset 4.8.5 IrrPowerTools MRT dump file manipulation toolkit(mdfmt) version 0.2 BGP4MP TableDump V2 BGP trace Analyzers PCH- Sanity Checker RIPE-MyASN Service BGPPlay BGPmon.net StraighRV analyzer Pybgpdump LinkRank Beta 02

22 Outline Introduction Types of IP Hijacking Data Sources to start research Tools of the Trade Past Research on BGP Sec Conclusion

BGP Solutions Categories Prevention S-BGP,SO-BGP,SPV Mitigation Wang et.al,pg-bgp,zhang et al.anycast Routing Detect & Alert myasn,iar,phas->cyclops,bgpmon.net Detect & Recover Probabilistic IP Hijacking(PIPA)

Table 1 : Hijacking Solutions Detectio n System Alarm Type / Duplica te PH Subpref ix PH Super/ Independ ent PH Spoofing MITM PHAS [mohit et al] PG-BGP [J.Karlin et al] K.Sriram al. [ et H H Origin, Last Hop, Sub Allocation, Sub Y Y N limited N Y Y N Y limited H+R N Y Y N Y N Nemecis R N Y Y N N N Hu et al. H N Y Y N Y N Table 1 : Taxonomy of Hijacking Solutions (PH: Hijacking, Y: yes, N: No, H: History, R: Registry, Un: Unreachability, MITM: Man In The Middle) 24

Major Research Groups University of California Los Angeles(Lixia Zhang) Internet Research Lab(irl) CAIDA Colorodo State University (Dan Massey) Network Security Research Group University of Princeton(Jennifer Rexford) Incrementally Deployable Secure Interdomain Routing University of Michigan(Z.Morley Mao) RobustNet Group

Major Research Groups National Institute of Standards and Technology(Advanced Network Technologies Division) Trustworthy Networking BGP Security and Routing Robustness http://w3.antd.nist.gov/ University of Swinburne (Geoff Huston) CAIA UCL,Loouvain-la-Neuve,Belgium(Olivier Bonaventure) INL:IP Networking Lab

27 Conclusion None of the solution has been deployed? Why? Incentive to deployment,cost,politics, what not Quite difficult to differentiate between hijack or router misconfiguration Working on the full level implementation and experimental results of BGP security Solution for IP prefix Hijacking Probabilistic IP Hijacking

References [Ethan K. et al]studying Black holes in the Internet with Hubble http://hubble.cs.washington.edu [M. Lad et.al] PHAS: A Hijack Alert System, in USENIX Security Symposium 2006. [Hu et al.] Accurate Real-time Identification of IP Hijacking,I EEE Security and Privacy, Oakland, 2007 [J. Karlin, et al.] Pretty Good BGP: Improving BGP by Cautiously Adopting Routes,IEEE ICNP 2006, Santa Barbara, CA, USA, Nov. 2006 Internet Alert Registry[http://iar.cs.unm.edu] [G. Siganos et al.],a Blueprint for Improving the Robustness of Internet Routing,Security 06, 2006. 28

29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback