How secure are secure interdomain routing protocols?

Sharon Goldberg*, Michael Schapira, Pete Hummon, Jennifer Rexford

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

12 Scopus citations

Abstract

In response to high-profile Internet outages, BGP security variants have been proposed to prevent the propagation of bogus routing information. The objective of this paper is to inform discussions of which variant should be deployed in the Internet. To do this, we quantify the ability of the key protocols (origin authentication, soBGP, S-BGP, and data-plane verification) to limit the impact of traffic-attraction attacks; i.e., when an attacker deliberately draws traffic to its own network, in order to drop, tamper, or eavesdrop on packets. Our results and contributions are as follows:One might expect that an attacker could maximize the volume of traffic it attracts by using the following intuitive strategy: the attacker should announce, to as many of its neighbors as possible, the shortest path that is not flagged as bogus by the secure protocol. Through simulations on an empirically-determined AS-level topology, we show that this strategy is surprisingly effective, even when an advanced security solution like S-BGP or data-plane verification is fully deployed.Next, we show that these results underestimate the severity of attacks. In fact, counterintuitive strategies, like announcing longer paths, announcing to fewer neighbors, or triggering BGP loop-detection, can be used to attract even more traffic than the strategy above. We illustrate this using counterintuitive examples. We also demonstrate that these attacks are not merely hypothetical, by searching the empirical AS-level topology and identifying specific ASes that can launch these attacks.We prove that it is NP hard to find a traffic-attraction attack strategy that attracts the maximum volume of traffic.Our results suggest that a clever export policy (i.e., where the attacker announces a legitimate path to a carefully chosen set of neighbors) an often attract almost as much traffic as a bogus path announcement. Thus, our work implies that mechanisms that police export policies (e.g., prefix filtering) are crucial, even if more advanced cryptographic solutions like S-BGP are fully deployed.

Original languageEnglish
Pages (from-to)260-287
Number of pages28
JournalComputer Networks
Volume70
DOIs
StatePublished - 9 Sep 2014

Keywords

  • BGP
  • Interdomain routing
  • Security

Fingerprint

Dive into the research topics of 'How secure are secure interdomain routing protocols?'. Together they form a unique fingerprint.

Cite this