
Internet Control Plane Security, Yongdae Kim (KAIST)



  1. Internet Control Plane Security Yongdae Kim KAIST

  2. Two Planes
     • Data Plane: Actual data delivery
     • Control Plane
       ▹ To support data delivery (efficiently, reliably, etc.)
       ▹ Routing information exchange
       ▹ In some sense, every protocol other than data delivery is considered a control plane protocol
     • Example networks
       ▹ Peer-to-peer network, Cellular network, Internet, …

  3. Historical List of Botnets

     | Creation | Name      | # of Bots | Spam      | Control     |
     |----------|-----------|-----------|-----------|-------------|
     | 2004     | Bagle     | 230K      | 5.7 B/day | Centralized |
     | 2007     | Storm     | > 1,000K  | 3 B/day   | P2P         |
     | 2008     | Mariposa  | 12,000K   | ?         | Centralized |
     | 2008     | Waledac   | 80K       | ?         | Centralized |
     | 2008     | Conficker | >10,000K  | 10 B/day  | Ctrlzd/P2P  |
     | 2009?    | Mega-D    | 4,500K    | 10 B/day  | Centralized |
     | 2009?    | Zeus      | >3,600K   | ?         |             |
     | 2009     | BredoLab  | 30,000K   | 3.6 B/day | Centralized |
     | 2010     | TDL4      | 4,500K    | ?         | P2P         |

  4. Misconfigurations and Redirection
     • 1997: AS7007
       ▹ Claimed shortest path to the whole Internet
       ▹ Causing Internet Black hole
     • 2004: TTNet (AS9121)
       ▹ Claimed shortest path to the whole Internet
       ▹ Lasted for several hours
     • 2006: AS27056
       ▹ "stole" several important prefixes on the Internet
       ▹ From Martha Stewart Living to The New York Daily News
     • 2008: Pakistan Youtube
       ▹ decided to block Youtube
       ▹ One ISP advertised a small part of YouTube's (AS 36561) network
     • 2010: China
       ▹ 15% of whole Internet traffic was routed through China for 18 minutes
       ▹ including .mil and .gov domain
     • 2011: China
       ▹ All traffic from US iPhone to Facebook
       ▹ routed through China and Korea

  5. 300 Gbps DDoS
     • 300 Gbps DDoS against Spamhaus from Stophaus
     • Mitigation by CloudFlare using anycast
     • Stophaus turns targets to IX (Internet Exchange)
     • Korea – World IX Bandwidth
       ▹ KT: 560 Gbps, SKB: 235 Gbps, LGU+: 145 Gbps, SKT: 100 Gbps
       ▹ Total: 1 Tbps

  6. How to Crash (or Save) the Internet? Max Schuchard, Eugene Vasserman, Abedelaziz Mohaisen, Denis Foo Kune, Nicholas Hopper, Yongdae Kim

  7. Losing Control of the Internet: Using the Data Plane to Attack the Control Plane
     Network and Distributed System Security (NDSS) 2011
     • How to crash the Internet – ZDNet
     • His thesis: How to crash the Internet – Star Tribune
     • The cyberweapon that could take down the internet – New Scientist
     • Boffins devise 'cyberweapon' to take down internet – The Register
     • Prof. Says New Cyberweapon Could Take Down the Internet – CBS

  8. Shutting Down the Internet
     • Fast propagating worm
       ▹ CodeRed, Slammer Worm
     • Router misconfiguration
       ▹ AS7007
     • 2011
       ▹ Egypt, Libya: Internet Kill Switch
       ▹ US government discussing Internet Kill Switch Bill in emergency situation

  9. Other Internet Control Plane News
     • April 2008: Whole YouTube traffic directed to Pakistan
     • April 2010: 15% of whole Internet traffic was routed through China for 18 minutes (including .mil and .gov domain)
     • March 2011: All traffic from US iPhone to Facebook was routed through China and Korea

  10. Losing Control
     • Attack on the Internet's control plane
     • Overwhelm routers with BGP updates
     • Launched using only a botnet
     • Defenses are non-trivial
     • Different from DDoS on web servers

  11. Attack Model
     • No router compromise or misconfiguration
       ▹ BGPSEC or similar technologies
     • Our attack model: Unprivileged adversary
       ▹ can generate only data plane events
       ▹ does not control any BGP speakers
       ▹ botnet of a reasonable size: 50, 100, 250, 500k nodes

  12. Can we shut down the Internet using only data plane events? How many control plane events can be generated by data plane events caused by a coordinated set of compromised computers?

  13. AS, BGP and the Internet
     • AS (Autonomous System)
       ▹ Core AS: High degree of connectivity
       ▹ Fringe AS: very low degree of connectivity, sitting at the outskirts of the Internet
       ▹ Transit AS: core ASes, which agree to forward traffic to and from other ASes
     • BGP (Border Gateway Protocol)
       ▹ the de facto standard routing protocol spoken by routers connecting different ASes.
       ▹ BGP is a path vector routing algorithm, allowing routers to maintain a table of AS paths to every destination.
       ▹ uses policies to prefer certain AS paths over others.

  14. (Diagram: ASes A, B, C, D, E; A originates 1.0.0.0/8.) Routes shown for DST 1.0.0.0/8: A: Path: A. B: Path: B, A. C: Path: C, A. D: Path: D, B, A. E: Path: E, C, A.

  15. (Diagram: ASes A, B, C, D, E; A originates 1.0.0.0/8.) Routes shown for DST 1.0.0.0/8: B: Path: B, A and Path: B, C, A. C: Path: C, A. D: Path: D, B, A and Path: D, C, A. E: Path: E, B, A and Path: E, C, A.

  16. (Diagram: ASes A, B, C, D, E; A originates 1.0.0.0/8.) Routes shown for DST 1.0.0.0/8: B: Path: B, A and Path: B, C, A. C: Path: C, A. D: Path: D, B, A and Path: D, C, A. E: Path: E, B, A and Path: E, C, A.

  17. How does the attacker pick links? How does the attacker direct traffic? (Diagram: nodes B, C, D, E, each labelled "UPDATE!")

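  18. $$C_B(e) = \sum_{s \neq t \in V} \frac{\sigma_{st}(e)}{\sigma_{st}} \qquad C_B(e) = \sum_{s \neq t \in V} \mathrm{path}_{st}(e)$$
     (Diagram: nodes A, B, C, D, E with their path sets. A: {AB, AC, ABE, ABD}. B: {BA, BC, BD, BE}. C: {CA, CB, CD, CE}. D: {DB, DBA, DBAC, DBE}. E: {EB, EBA, EBAC, EBD}. Edge labels: 4, 8, 2, 7, 1, 7, 1.)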

  19. (Diagram: nodes A, B, C, D, E with their path sets. A: {AB, AC, ABE, ABD}. B: {BA, BC, BD, BE}. C: {CA, CB, CD, CE}. D: {DB, DBA, DBAC, DBE}. E: {EB, EBA, EBAC, EBD}. Edge labels: 4, 8, 2, 7, 1, 7, 1.)
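
The path-count form of the centrality formula on slides 18 and 19, worked through as an added example (not code from the slides or the authors). It counts how many of the routed AS paths listed on the slide cross each link, which is how an operator can rank the links whose failure would trigger the most route changes; the function names and the single-letter AS naming are assumptions of this example.

```python
from collections import Counter

# Routed AS paths per source AS, transcribed from the sets on slides 18-19.
ROUTED_PATHS = {
    "A": ["AB", "AC", "ABE", "ABD"],
    "B": ["BA", "BC", "BD", "BE"],
    "C": ["CA", "CB", "CD", "CE"],
    "D": ["DB", "DBA", "DBAC", "DBE"],
    "E": ["EB", "EBA", "EBAC", "EBD"],
}

def path_edges(path):
    """Undirected links crossed by an AS path such as 'DBAC'."""
    return [frozenset(hop) for hop in zip(path, path[1:])]

def validate(paths_by_source):
    """Reject paths with the wrong source, a loop, or a repeated (s, t) pair."""
    seen = set()
    for src, paths in paths_by_source.items():
        for p in paths:
            if len(p) < 2 or p[0] != src:
                raise ValueError(f"path {p!r} does not start at {src}")
            if len(set(p)) != len(p):
                raise ValueError(f"path {p!r} contains a loop")
            if (src, p[-1]) in seen:
                raise ValueError(f"more than one routed path {src}->{p[-1]}")
            seen.add((src, p[-1]))

def edge_centrality(paths_by_source):
    """C_B(e) = sum over s != t of path_st(e): routed paths that use link e."""
    validate(paths_by_source)
    counts = Counter()
    for paths in paths_by_source.values():
        for p in paths:
            counts.update(path_edges(p))
    return counts

def ranked_links(paths_by_source):
    """Links sorted from most to least loaded, ties broken by name."""
    counts = edge_centrality(paths_by_source)
    named = (("-".join(sorted(e)), n) for e, n in counts.items())
    return sorted(named, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for link, n in ranked_links(ROUTED_PATHS):
        print(f"{link}: {n}")
```

The resulting counts are the same seven values that appear as edge labels in the slide's diagram (8, 7, 7, 4, 2, 1, 1).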

  20. Spread attack flows! (Diagram: nodes A, B, C, D, E)

  21. (Diagram: nodes A, B, C)

  22. One Target per Attack Flow! (Diagram: nodes A, B, C)

  23. Simulation Overview
     • Simulator to model network dynamics
       ▹ Topology generated from the Internet
     • Routers fully functional BGP speakers
     • Bot distribution from Waledac
     • Bandwidth model worst case for attacker

  24. Link types
     • Targeted link: Any link selected for disruption
     • Last mile links: un-targeted links that connect fringe ASes to the rest of the network
     • Transit link: Any link that does not fit the other two
     (Plot: Percent of failed links, 0 to 100, by link type: Last mile, Targeted, Critical)

  25. Factors of Normal Load (Plot: CDF against factors of normal load, 0 to 3000; series: 64k, 125k, 250k, 500k Nodes)

  26. 90th percentile of message loads experienced by routers under attack (Plot: CDF against 1000's of messages per 5 seconds, 0 to 1200; series: 64k, 125k, 250k, 500k Nodes)

  27. Core Routers Update Time (Plot: Average Time to Process BGP Updates (mins), 0 to 200, against Simulated Time (secs), 0 to 1200; series: 64k, 125k, 250k, 500k bots)

  28. Possible Defenses
     • Short Term: HoldTime = MaxInt
     • Long Term: Perfect QoS

  29. HoldTime = MaxInt (Plot: CDF against factors of normal load, 0 to 2000; series: 0%, 10%, 25%, 50%)

  30. HoldTime = MaxInt (Plot: Average Time to Process BGP Updates (mins), 0 to 120, against Simulated Time (secs), 0 to 1200; series: 0%, 10%)

  31. Perfect QoS
     • Needs to guarantee that control packets are sent
       ▹ Does not guarantee they will be processed, due to oversubscription
     • Recommendation
       ▹ (Virtually) Separating control and data plane
       ▹ Sender-side QoS
       ▹ Receiving nodes must process packets at line speed

  32. Conclusion
     • Adversarial route flapping on an Internet scale
     • Implemented using only a modest botnet
     • Defenses are non-trivial, but incrementally deployable

  33. Future Work (in progress)
     • Cascaded failure
       ▹ Router failure modeling
     • Attacks using remote compromised routers
       ▹ Targeted Attack: Internet Kill Switch
     • Router Design for the Future Internet
       ▹ Software router?

  34. BGP Stress Test
     • Routers placed in certain states fail to provide the functionality they should.
     • Unexpected but perfectly legal BGP messages can place routers into those states.
     • Any assumptions about the likelihood of encountering these messages do not apply under adversarial conditions.
     Peer Pressure: Exerting Malicious Influence on Routers at a Distance, Max Schuchard, Christopher Thompson, Nicholas Hopper and Yongdae Kim, ICDCS 2013

  35. Attacking Neighborhood (Memory)
     • How many BGP updates are needed to consume 1 GB of memory? About 2,000,000 BGP updates are needed for this attack to succeed.

  36. Attacking Neighborhood (Memory)
     • With distinct, long AS paths and the community attribute, 300,000 BGP updates are enough for this attack.

  37. Attacking Neighborhood (CPU)
     • Hash collisions make the router spend more processing time

  38. Back Pressure

  39. Questions?
     • Yongdae Kim
       ▹ email: yongdaek@kaist.ac.kr
       ▹ Home: http://syssec.kaist.ac.kr/~yongdaek
       ▹ Facebook: https://www.facebook.com/y0ngdaek
       ▹ Twitter: https://twitter.com/yongdaek
       ▹ Google “Yongdae Kim”
