TY - JOUR
T1 - How secure are secure interdomain routing protocols?
AU - Goldberg, Sharon
AU - Schapira, Michael
AU - Hummon, Pete
AU - Rexford, Jennifer
PY - 2014/9/9
Y1 - 2014/9/9
AB - In response to high-profile Internet outages, BGP security variants have been proposed to prevent the propagation of bogus routing information. The objective of this paper is to inform discussions of which variant should be deployed in the Internet. To do this, we quantify the ability of the key protocols (origin authentication, soBGP, S-BGP, and data-plane verification) to limit the impact of traffic-attraction attacks; i.e., when an attacker deliberately draws traffic to its own network, in order to drop, tamper, or eavesdrop on packets. Our results and contributions are as follows: One might expect that an attacker could maximize the volume of traffic it attracts by using the following intuitive strategy: the attacker should announce, to as many of its neighbors as possible, the shortest path that is not flagged as bogus by the secure protocol. Through simulations on an empirically-determined AS-level topology, we show that this strategy is surprisingly effective, even when an advanced security solution like S-BGP or data-plane verification is fully deployed. Next, we show that these results underestimate the severity of attacks. In fact, counterintuitive strategies, like announcing longer paths, announcing to fewer neighbors, or triggering BGP loop-detection, can be used to attract even more traffic than the strategy above. We illustrate this using counterintuitive examples. We also demonstrate that these attacks are not merely hypothetical, by searching the empirical AS-level topology and identifying specific ASes that can launch these attacks. We prove that it is NP-hard to find a traffic-attraction attack strategy that attracts the maximum volume of traffic. Our results suggest that a clever export policy (i.e., where the attacker announces a legitimate path to a carefully chosen set of neighbors) can often attract almost as much traffic as a bogus path announcement.
Thus, our work implies that mechanisms that police export policies (e.g., prefix filtering) are crucial, even if more advanced cryptographic solutions like S-BGP are fully deployed.
KW - BGP
KW - Interdomain routing
KW - Security
UR - http://www.scopus.com/inward/record.url?scp=84903834027&partnerID=8YFLogxK
U2 - 10.1016/j.comnet.2014.05.007
DO - 10.1016/j.comnet.2014.05.007
M3 - Article
AN - SCOPUS:84903834027
SN - 1389-1286
VL - 70
SP - 260
EP - 287
JO - Computer Networks
JF - Computer Networks
ER -