withdrawing the bgp re routing curtain
play

Withdrawing the BGP Re-Routing Curtain Understanding the Security - PowerPoint PPT Presentation

May 06, 2023 •543 likes •1.25k views

Withdrawing the BGP Re-Routing Curtain Understanding the Security Impact of BGP Poisoning via Real-World Measurements Jared M . Smith , Kyle Birkeland, Tyler McDaniel, Max Schuchard University of Tennessee, Knoxville volsec.org Internet

  1. Withdrawing the BGP Re-Routing Curtain Understanding the Security Impact of BGP Poisoning via Real-World Measurements Jared M . Smith , Kyle Birkeland, Tyler McDaniel, Max Schuchard University of Tennessee, Knoxville volsec.org

  5. Internet Routing: Theory into Practice • Security systems assume how complex infrastructures like the Internet work Claim: “Protocol implies X works, so X must work in practice” • • Methodology: “Inference and passive measurement are enough” • Assumption: “Common logic suggests X does not work, so X must not work” • Our goal: To understand how real-world Internet routing behavior impacts published security literature Actively measure the ability conduct BGP poisoning • Re-evaluate systems measured only in simulation, passively, or with inferences • • Examine if common logic about the Internet holds

  6. The Internet

  7. Autonomous Systems (AS) L3 UTenn AT&T Georgia Tech Hurricane Electric

  8. BGP Advertisement: Border Dest: 1.2.3.0/17 Advertisement: Gateway Path: A Dest: 1.2.3.0/17 Protocol Path: C, A A C D B Advertisement: Advertisement: Dest: 1.2.3.0/17 Dest: 1.2.3.0/17 Path: D, C, A Path: B, A

  9. Inbound Path Manipulation • Mechanisms give hints for which inbound path to take • Example: Multi-Exit Discriminator (MED) • We can use side-effects of protocol-compliant behavior • Example: BGP Poisoning

  10. BGP Poisoning Prefer 2 over 4 AS 2 AS 3 AS 1 But, I’d rather get AS 4 my traffic via 4

  11. BGP Poisoning Prefer 2 over 4 AS 2 AS Path: 1, 2, 1 AS 3 AS 1 AS 4

  12. BGP Poisoning LOOP! *dropping* Prefer 2 over 4 AS 2 AS Path: 1, 2, 1 AS 3 AS 1 AS 4 AS Path: 4, 1, 2, 1

  13. BGP Poisoning LOOP! *dropping* Prefer 2 over 4 AS 2 AS Path: 1, 2, 1 AS 3 AS 1 AS 4 AS Path: 4, 1, 2, 1

  14. BGP Poisoning LOOP! *dropping* Now, I can only use 4 AS 2 AS Path: 1, 2, 1 AS 3 AS 1 AS 4 AS Path: 4, 1, 2, 1

  15. Nyx: Routing Around Congestion Distributed Botnet … DDoS Victim AS … Victim’s Critical AS Alternate path exists!

  16. Nyx: Routing Around Congestion Distributed Botnet … DDoS Victim AS … Victim’s Critical AS Critical AS now using alternate path

  17. Relevant Security Literature Nyx (DDoS Defense – S&P 2018) • RAD (Censorship Circ. – CCS 2012) • Waterfall of Liberty (Censorship Circ. – CCS 2017) • • On Feasibility of Re-Routing (Examination of Nyx - S&P 2019) • …

  18. Diverging Claims Nyx mitigate DDoS by relying on BGP poisoning to re-route inbound traffic Waterfall of Liberty explicitly assumes inbound traffic is challenging to re-route

  19. Diverging Claims Nyx mitigate DDoS by relying on BGP Nyx and Waterfall of Liberty are poisoning to re-route inbound traffic built on polar opposite assumptions , but not tested on the live Internet Waterfall of Liberty explicitly assumes inbound traffic is challenging to re-route

  20. All of this literature makes assumptions about how BGP poisoning works… In reality, problems may occur… • An AS might realize its not actually on the path • An AS might realize we’re lying about the path • An AS might think the path looks anomalous

  21. “Here be dragons”

  22. Internet Topology

  23. Sending BGP Advertisements API Call BGP Advertisement

  24. Collecting BGP Updates Real-Time BGP Updates RIPE RIS/RouteViews Collector BGP Advertisement API Call

  25. Sending Traceroutes API Call Original Traceroute

  26. Infrastructure Details Traceroutes BGP Updates BGP Advertisements 32 collectors 14 PoPs, 3 countries 5,000 vantage points Automated experiment software: https://github.com/volsec/active-bgp-measurement

  27. It’s free! You can use this infrastructure!

  28. Infrastructure Details Traceroutes BGP Updates BGP Advertisements free, application free free Open Source: https://github.com/volsec/active-bgp-measurement

  29. Experimental Ethics • Announced to and engaged with network operators • No production traffic affected • Minimal traffic sent along re-routed paths (< 1 Kbps) • Normal BGP announcements (no malformed) • Conformed to ISP filtering policies

  30. All Experiments 1. Ability to re-route across entire original AS-path 2. Performance of original versus new paths 3. Real-world comparison with prior simulations 4. Predicting who can re-route w/ BGP poisoning 5. Propagating long poisoned paths 6. Filtering of certain poisoned ASes 7. Filtering of long poisoned paths 8. Routing Working Groups behavior 9. Default route prevalence 10. Reachability of /25’s

  31. How well can an AS re-route with poisoning? API Call Poisoned AS Poisoned Advertisement

  32. How well can an AS re-route with poisoning? Success! New Path API Call Poisoned AS Original Traceroute

  33. How well can an AS re-route with poisoning? Failure

  34. How well can an AS re-route with poisoning? Failure

  35. High-Level Findings 1,460/1,888 (77%) 6.45 successful cases of poisoning avg. new ASes discovered 2.03 for 6.45 2.25 avg. poisons needed/avg. new ASes avg. new paths discovered

  37. Security Implications • Real-world evidence supports poisoning-enabled systems • Security systems need to account for poisoning • Success in simulation does not guarantee success in the real-world

  38. Are alternate routes slower?

  40. Security Implications • Common logic suggests Internet paths not used by default would be less favorable • Impacts the likelihood of operators deploying systems like Nyx

  41. Are long paths filtered? Baseline: 2 collectors saw path 3450

  42. Are long paths filtered? Long Path: 1/2 collectors saw path (50%) Too long, dropping path! 3450, 3450, 3450, 3450, 3450 …

  44. Security Implications • Maximum AS path length of 255 needs to be accounted for in poisoning-enabled systems • Network operator groups also claim they filter anomalous paths

  45. Does the size of the poisoned AS affect filtering? 6 2 AS of Degree x x

  47. Security Implications • Common logic suggests operators may filter weird behavior • Filtering poisoned ASes that run the Internet à seems intuitive • Not filtering poisoned ASes that you do not often see in advertisements à also seems intuitive

  48. Diverging Claims Nyx mitigate DDoS by relying on BGP poisoning to re-route inbound traffic Waterfall of Liberty explicitly assumes inbound traffic is challenging to re-route

  49. Diverging Claims Nyx mitigate DDoS by relying on BGP poisoning to re-route inbound traffic Yet, Nyx and Waterfall of Liberty can both work in practice . Waterfall of Liberty explicitly assumes inbound traffic is challenging to re-route

  50. We should publish and disseminate our work after we have tested our assumptions in the same environment where we intend to deploy our work.

  51. Conclusion BGP poisoning works in most cases • • Systems which assume the opposite can still deploy in areas where poisoning is harder • Common logic of Internet behavior is Jared M. Smith not always accurate Twitter: jaredthecoder All Internet security research should be • actively tested on the Internet if Email: jms@vols.utk.edu the research targets the Internet for Web: volsec.org deployment

  52. BACKUP

  53. RPKI During Poisoning

  55. Infrastructure Numbers Infrastructure Source 5 BGP routers PEERING and UT 8 IP prefixes PEERING and UT 5,000+ distinct vantage points RIPE ATLAS 3 countries US, Amsterdam, Brazil 32 BGP collectors CAIDA BGPStream* *Collects BGP Updates from RouteViews and RIPE RIS

  56. How feasible is re-routing with BGP poisoning? In practice, possible to re- route onto ~2.5 new alternate paths on average

  59. Graph-Theoretic Analysis of Return Paths • Low min. cut means • Tier 1 ASes with inf. weight à • Avg. Betweenness of 0.667 bottlenecks that Nyx/RAD bottlenecks not result of single • Paths are not completely identical cannot avoid unavoidable provider • There is some diversity, but • For 90% of links, a bottleneck • Within unweighted min cut à bottlenecks exist of at most 2 links occurs widely differing barriers to cut based on bandwidth

  60. How well can we predict success with FRRP?

  61. What link and AS properties are important for FRRP?

  62. A Deeper Look at the Most Important Feature Poisoning AS Next-Hop AS Rank High Rank Matters

  63. How long can (poisoned) paths be? Propagation to 99% of the Internet at 250 AS- path length

  64. How much do large ASes filter poisoned paths? Large window

  65. How much do small ASes filter poisoned paths? Small window

  66. Do the Policy Leaders “ Walk the Walk ”? “Mutually Agreed Norms for Routing Security” Selected Participants (total=146): CenturyLink • • Charter Cogent • • Google • Indiana U. … •

  67. Does AS-Degree of the Poisoned AS affect Filtering? Origin AS HighDegree AS Origin AS …(in increments of 5)… Origin AS SmallDegree AS Origin AS

Recommend

9/7/2017 Behind the Curtain of an IME Behind the Curtain of an IME Dan Gerstenblitt, MD-MPH

9/7/2017 Behind the Curtain of an IME Behind the Curtain of an IME Dan Gerstenblitt, MD-MPH

9/7/2017 Behind the Curtain of an IME Behind the Curtain of an IME Dan Gerstenblitt, MD-MPH Occupational Medicine Internal Medicine 9/14/17 ACOEM Position Statement--6/2017 60 to 80% of lost work days attributed to medical conditions in

553 views • 13 slides
Withholding and Withdrawing Treatment Presentation by Diane Coleman Disability Rights

Withholding and Withdrawing Treatment Presentation by Diane Coleman Disability Rights

Withholding and Withdrawing Treatment Presentation by Diane Coleman Disability Rights Leadership Institute on Bioethics April 25-26, 2014 Arlington, Virginia [Slide 1] Withholding and Withdrawing Treatment

541 views • 10 slides
CURTAIN WALL OPTIONS UNITIZED CURTAIN WALL Is a type of frame-supporting curtain wall consisting

CURTAIN WALL OPTIONS UNITIZED CURTAIN WALL Is a type of frame-supporting curtain wall consisting

CURTAIN WALL OPTIONS UNITIZED CURTAIN WALL Is a type of frame-supporting curtain wall consisting of framing components and panel materials. Such framing components and panel materials are assembled into a single curtain wall unit at the

671 views • 8 slides
CURTAIN WALL OPTIONS UNITIZED CURTAIN WALL Is a type of frame-supporting curtain wall consisting

CURTAIN WALL OPTIONS UNITIZED CURTAIN WALL Is a type of frame-supporting curtain wall consisting

CURTAIN WALL OPTIONS UNITIZED CURTAIN WALL Is a type of frame-supporting curtain wall consisting of framing components and panel materials. Such framing components and panel materials are assembled into a single curtain wall unit at the

413 views • 12 slides
Potential Costs of Withdrawing from NAFTA E. Anthony Wayne Career Ambassador (ret.) and Raquel

Potential Costs of Withdrawing from NAFTA E. Anthony Wayne Career Ambassador (ret.) and Raquel

Potential Costs of Withdrawing from NAFTA E. Anthony Wayne Career Ambassador (ret.) and Raquel Chuayffet Wilson Center wayneea@gmail.com @EAnthonyWayne 1/31/18 Potential Costs of Withdrawing from NAFTA: Net Job Losses STUDY IMPACT ON

84 views • 7 slides
Wheeling, WV Numbers } 157 babies born exposed or withdrawing 2013 } 270 babies born exposed or

Wheeling, WV Numbers } 157 babies born exposed or withdrawing 2013 } 270 babies born exposed or

Wheeling, WV Numbers } 157 babies born exposed or withdrawing 2013 } 270 babies born exposed or withdrawing 2014 } 280 babies born exposed or withdrawing 2015 so far 2013: Our Model 2014: Increasing Community Problem } Increasing

194 views • 16 slides
The Origins of the Cold War The Iron Curtain Winston Churchill gave the Map of the Iron Iron

The Origins of the Cold War The Iron Curtain Winston Churchill gave the Map of the Iron Iron

The Origins of the Cold War The Iron Curtain Winston Churchill gave the Map of the Iron Iron Curtain speech in 1946 Curtain The Truman Doctrine, 1947 President Truman outlined the Truman Doctrine to a joint session of Congress in March of

310 views • 6 slides
Behind the curtain: How technical analysis shapes and is shaped by the political process

Behind the curtain: How technical analysis shapes and is shaped by the political process

Behind the curtain: How technical analysis shapes and is shaped by the political process University of Toronto Transportation Research Institute Oct 11, 2019 Daniel Haufschild, Arup Charles Hwang, Arup Behind the curtain: How technical

214 views • 20 slides
4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has

4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has

4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has columns for the destination network (or hosts) with the corresponding cost and the next router address to reach a destination. Additional

1.08k views • 84 slides
Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing

Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing

Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing [Kleinberg04] J. Kleinberg, A. Slivkins, T. Wexler. Triangulation and Embedding using Small Sets of Beacons. Proc. 45th IEEE Symposium on Foundations of

450 views • 32 slides
Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing

Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing

Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing forwarding: to select an output port based on destination address and routing table routing: process by which routing table is built

543 views • 13 slides
1 Routing Table Routing Table Destination network Next router

1 Routing Table Routing Table Destination network Next router

Lecture 12. Lecture 12. Introduction to Introduction to IP Routing IP Routing Giuseppe Bianchi Why introduction? Why introduction? Routing: very complex issue need in-depth study entire books on routing our scope: give a

552 views • 19 slides
Fasting: Voluntarily withdrawing from food and/or drink, or other fleshly appetites, for a

Fasting: Voluntarily withdrawing from food and/or drink, or other fleshly appetites, for a

Fasting: Voluntarily withdrawing from food and/or drink, or other fleshly appetites, for a specified period of time. Fasting is refraining from food (or it could be certain pleasures or practices) for a spiritual purpose. Fasting is

514 views • 35 slides
Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local

Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local

Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local forwarding table header value output link in the Internet 0100 3 0101 2 0111 2 1001 1 value in arriving packets header 1 0111 2 3

403 views • 8 slides
Ad Hoc Wireless Routing CS 218- Fall 2003 Wireless multihop routing challenges Review of

Ad Hoc Wireless Routing CS 218- Fall 2003 Wireless multihop routing challenges Review of

Ad Hoc Wireless Routing CS 218- Fall 2003 Wireless multihop routing challenges Review of conventional routing schemes Proactive wireless routing Hierarchical routing Reactive (on demand) wireless routing Geographic routing

893 views • 60 slides
Routing Algebras What are routing algebras? Created to study properties of routing protocols

Routing Algebras What are routing algebras? Created to study properties of routing protocols

Routing Algebras What are routing algebras? Created to study properties of routing protocols Does the routing protocol converge? Does the routing protocol compute optimal paths? Separates the routing data &amp; algorithm Data

326 views • 11 slides
CS 557 ARPANet Routing Algorithms An Overview of the New Routing Algorithm for the ARPANET J.

CS 557 ARPANet Routing Algorithms An Overview of the New Routing Algorithm for the ARPANET J.

CS 557 ARPANet Routing Algorithms An Overview of the New Routing Algorithm for the ARPANET J. McQuillan, I. Richer, and E. Rosen, 1979 The Revised ARPANET Routing Metric Atul Khanna and John Zinky, 1989 Spring 2013 Routing Algorithm Basics

894 views • 29 slides
Requisition Routing In depth look into the structure of Requisition Routing Goals for this

Requisition Routing In depth look into the structure of Requisition Routing Goals for this

Requisition Routing In depth look into the structure of Requisition Routing Goals for this Presentation 1. Recreating manual routing and approval processes in QCC 2. Understanding the relationship between the various routing master files 3.

552 views • 33 slides
CS 557 Landmark Routing The Landmark Hierarchy: A New Hierarchy For Routing in Very Large

CS 557 Landmark Routing The Landmark Hierarchy: A New Hierarchy For Routing in Very Large

CS 557 Landmark Routing The Landmark Hierarchy: A New Hierarchy For Routing in Very Large Networks Paul Tsuchiya, 1988 Spring 2013 Landmark Routing Objective: Reduce the routing table size without increasing path length by a large

458 views • 15 slides
Internet routing is based on routing protocols that collect the input data No off-line route

Internet routing is based on routing protocols that collect the input data No off-line route

Introduction to Routing in Internet Internet basics IPv4 and ICMP Internet Addressing ARP - Address Resolution Protocol Routing Information (Distance Vector ) Protocol Principles 3-1 S-38.121 S-02 Rka, NB Internet routing is based on

214 views • 18 slides
NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security Required: authenticity and integrity of routing information o Link state routing: LSAs are originated by the routing process authorized to do so

345 views • 10 slides
What is the difference between routing and forwarding? Routing protocols: Implemented

What is the difference between routing and forwarding? Routing protocols: Implemented

Routing What is the difference between routing and forwarding? Routing protocols: Implemented distributed algorithms (scalability) Routers should have mutually consistent view of the network. Can be classified into: Intradomain

510 views • 5 slides
Routing In Ad Hoc Networks 1. Introduction to Ad-hoc networks 2. Routing in Ad-hoc networks 3.

Routing In Ad Hoc Networks 1. Introduction to Ad-hoc networks 2. Routing in Ad-hoc networks 3.

Routing In Ad Hoc Networks 1. Introduction to Ad-hoc networks 2. Routing in Ad-hoc networks 3. Proactive routing protocols DSDV 4. Reactive routing protocols DSR, AODV 5. Non-uniform routing protocols ZRP, CEDAR 6. Other

392 views • 22 slides
Preparing For Technology Partnerships Know Who and What's Behind The Curtain Steve Ogden

Preparing For Technology Partnerships Know Who and What's Behind The Curtain Steve Ogden

6/6/19 Preparing For Technology Partnerships Know Who and What's Behind The Curtain Steve Ogden Certified Information Professional (CIP) I AM A YOUTUBE VIDEO 1 6/6/19 What is an Agency Management System (AMS)? A SaaS (software as a

412 views • 18 slides

More recommend