Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Dan Massey
Christos Papadopoulos
I. I NTRODUCTION
A large body of work regarding BGP security has been
published over the past several years that dene and scope the
problem, propose detection techniques, defensive mitigation,
preventive solutions, protocol changes, etc. BGP Security
technologies have been developed that address origin hijack
detection and prevention, as well as full BGP path protection.
These technologies include S*BGP, RPKI, ROVER, and ARGUS, to name a few. Yet regardless of all this work, one stark
reality remains: despite sixteen years of ongoing IP hijacks,
the problem still hasnt really been solved.
IP hijacks continue to occur, either maliciously, or by
accident (witness the popular press articles about a small
ISP temporarily hijacking Google [21]). Malicious attacks can
be used to blackhole address space, send anonymous spam,
impersonate or eavesdrop on organizations or be employed in
cyber-terrorism and warfare. Consequences of IP hijacks have
been exposed in both academic and trade press articles; for
example, an article in the December 2013 issue of WIRED
[30] describes the work conducted by Renesys to expose the
recent use of BGP hijacking for spying purposes. The risk to
critical national infrastructure has prompted action from the
US Federal Communication Commission to raise IP hijacking
as one of its top three concerns, and spawn CSRIC committees
to make recommendations [19].
1063-6927/14 $31.00 2014 IEEE
DOI 10.1109/ICDCS.2014.74
670
671
672
Fig. 1: Polar graphs showing a sequence of BGP announcements propagating over time during an origin attack from aggressive
AS 4 against a very vulnerable AS 55857. Generation 1 (upper left) shows the initial announcements from AS4 to its immediate
neighbors. Generation 2 (upper right) shows the announcements from these rst neighbors to their subsequent neighbors. Red
lines indicate that the bogus announcement is accepted, polluting the AS. Green lines indicates an announcement that is
rejected because the AS already has a preferred path. The remaining graphs show further propagation for generations 3 and
6. Propagation stopped after 7 generations. This attack results in 40,950 polluted ASes in which 96% of the internet address
space can no longer teach the target. The polar graphs are constructed such that an ASs longitude is plotted along the graph
perimeter, and the AS depth is plotted along the radius. This results in 7 concentric circles, 1 for each value of depth with highest
depth in the center of the graph. (Note the communication between neighboring bands depending on provider/peer/customer
relationship). The size of an AS circle indicates the amount of address space an AS owns. AS degree is shown by scattering
within a concentric circle. Higher degree ASes are towards the center. These visualizations are useful for gaining insights on
attack propagation, especially when comparing before & after scenarios to see the effect of prex lters and where attacks are
still getting through.
673
Fig. 3: A comparison of attack vulnerability for ASes connected to tier-2 ASes. There is similar behavior as before with
respect to depth, and in fact there is a direct correspondence
with the curves in gure 2 when the two graphs are overlaid
with each other.
674
Random Deployment: This experiment was run to simulate the real-world situation where various random ASes
are motivated to deploy BGP security on their own. Over
time, more and more ASes will be added to the mix.
Although acting independently is commendable, this is
not a very good strategy in general. As can be seen from
the two charts, deploying bogus route blocking with 100
(1.6% ) or even 500 (8%) of the transit ASes barely
moves away from the baseline case where there are no
protections. It is much more effective and certainly less
costly to simply deploy to the 17 tier-1 ASes.
lter 17 tier-1 ASes: This scenario was run under the
assumption that the tier-1 ASes can act on their own,
to everyones benet. As it turns out, ltering at the
tier-1 ASes does improve the situation somewhat, but
Name
Abilene-Internet2
RHTEC backbone
GEANT
AMPATH Florida U
Cooperacin
Pollution
1025
895
839
763
761
Degree
87
94
61
61
22
Depth
1
1
1
1
2
ASN
237
46595
18592
40498
3912
675
Name
Merit
PVTN
U Desarrollo
NM LambdaRail
NMSU
Pollution
1822
1819
1785
1779
1760
Degree
37
4
21
13
6
Depth
1
2
1
1
1
676
Pollution Count
20306
18115
17879
17130
16908
Target
7314
17228
50993
14307
7066
Target
4758
9614
335336
24228
132045
Pollution Count
12542
11891
11724
11106
10769
Target
34243
26210
12895
198704
56247
Pollution Count
2804
2478
2286
1886
1792
677
R EFERENCES
[1] T. Bates, R. Bush, T. Li, and Y. Rhekter.
DNS-based
NLRI origin AS verication in BGP.
draft, IETF, July 1998.
http://tools.ietf.org/html/draft-bates-bgp4-nlri-orig-verif-00.
[2] K. Butler, T. Farley, P. McDaniel, and J. Rexford. A survey of bgp
security issues and solutions. In Proceedings of the IEEE, volume 98,
pages 100122, January 2010.
[3] CAIDA.
AS Relationships.
http://www.caida.org/data/active/asrelationships/index.xml.
[4] CAIDA.
Visualizing
IPv4
and
IPv6
Internet
Topology
at
a
Macroscopic
Scale
in
2011.
http://www.caida.org/research/topology/as core network/.
[5] H. Chan, D. Dash, A Perrig, and H Zhang. Modeling Adoptability of
Secure BGP Protocols. In SIGCOMM 06: Proceedings of the 2006
conference on Applications, technologies, architectures, and protocols
for computer communications, October 2006.
[6] J. Gersch and D. Massey. Characterizing Vulnerability to IP Hijack
Attempts. In IEEE-HST 13: IEEE International Conference on Technologies for Homeland Security, November 2013.
[7] J. Gersch and D. Massey. ROVER: Route Origin Verication Using
DNS. In ICCCN 2013: International Conference on Computer Communications and Networks, July 2013.
[8] J. Gersch, D. Massey, M. Glenn, and C. Garner. ROVER: BGP route
origin vericaton via DNS. In NANOG 55, June 2012.
[9] J. Gersch, D. Massey, C. Olschanowsky, and L. Zhang. DNS Resource Records for BGP Routing Data. draft, IETF, February 2012.
http://tools.ietf.org/html/draft-gersch-grow-revdns-bgp-01.
[10] J. Gersch, D. Massey, and E Osterweil. Reverse DNS Naming
Convention for CIDR Address Blocks. draft, IETF, February 2012.
http://tools.ietf.org/html/draft-gersch-dnsop-revdns-cidr-03.
[11] P. Gill, M. Schapira, and S. Goldberg and. Let the market drive
deployment: a strategy for transitioning to BGP security. In Proceedings
of the ACM SIGCOMM 2011 conference, 2011.
[12] S. Goldberg, M. Schapira, P. Hummon, and J. Rexford. How Secure are
Secure Interdomain Routing Protocols? In SIGCOMM 10: Proceedings
of the ACM SIGCOMM 2010 Conference on Data Communication, June
2010.
[13] X. Hu and Z. M. Mao. Accurate real-time identication of ip prex
hijacking. In Proceedings of IEEE Symp. Security and Privacy, May
2007.
[14] G Huston and R Bush. Securing BGP with BGPsec. The ISP Column,
July 2011.
[15] G. Huston, M. Rossi, and G. Armitage. Securing BGP - a literature
survey. IEEE Communications Surveys and Tutorials, 2011.
[16] J Karlin, S Forrest, and J Rexford. Pretty good BGP: improving BGP
by cautiously adopting routes. In Proceedings of IEEE Intl Conf on
Network Protocols (ICNP), 2006.
[17] M. Lad, D. Massey, D. Pei, Y. Wu, and B. Zhang. PHAS: a prex hijack
alert system. In Proceedings of 15th USENIX Security Symposium,
August 2006.
[18] R. Lychev, S. Goldberg, and M. Schapira. BGP Security in Partial
Deployment, Is the Juice Worth the Squeeze? In Proceedings of the
ACM SIGCOMM 2013 Conference, August 2013.
678
679