
Detecting Selective Dropping Attacks in BGP

Mooi Chuah, Kun Huang

{chuah,kuh205}@cse.lehigh.edu

November 2006

Outline

• BGP Security Issues
• Selective Dropping Attack
• Detecting Selective Dropping Attack
• Evaluation of IANP on DETER
• Conclusion

BGP Security Issues

• BGP4 (RFC 1771): inter-domain routing between Autonomous Systems
• Path vector protocol, shortest AS path
• Policy based routing [Gao's]
  e.g. a customer will not export routes learned from one provider to another
• Messages of interest (BGP updates):
  ANNOUNCE: AS_PATH, PREFIX
  WITHDRAW: PREFIX

BGP Security Issues

• Vulnerabilities
  No encryption: eavesdropping
  No timestamp: replaying
  No signature: masquerading
  MOAS (multiple origin AS)
  Selective dropping
• Proposed solutions: S-BGP, So-BGP, Pretty Good BGP

Selective Dropping Attack

• AS3 uses path 3-2-1 for prefix 1
• Link 1-2 breaks
• AS2 filters the WITHDRAW for prefix 1 to AS3
• AS3 still uses the stale path 3-2-1 for prefix 1
• AS2 has full control of traffic from AS3 for prefix 1

[Figure: topology with AS1 (Prefix 1), AS2 (Prefix 2), AS3 (Prefix 3), AS4 (Prefix 4); withdraw message W: 1]

Detecting Selective Dropping Attack

Instability Analysis with Neighbor Probing (IANP)
• Identify key events by BGP message volume at a particular monitor node
• Use the locating instability algorithm [Mao's] to locate an instability, e.g. a link break
• Check the instability against the monitor's routing table to detect poisoned routes (e.g. a route using the broken link) and correct them if found
• Issue a warning msg to neighbors when suspecting a selective dropping attack (msg includes instability info)
• Issue a probing msg to neighbors when the locating alg. fails to find the source of instability (msg includes burst period)

Detecting Selective Dropping Attack

Instability Analysis
• 1-2 link breaks
• At AS4, we know
  Routes not changed:
    to prefix 1 via AS1: 4-1
    to prefix 5 via AS1: 4-1-5
    → {1-4, 1-5, …} candidate stable set
  Routes changed:
    to prefix 2 via AS1: 4-1-2 → 4-1-5-2
    → {1-2} candidate instable set for prefix 2
• So, ∩ (candidate instable per prefix) − ∪ (candidate stable per prefix) = {1-2} is instable; flood warnings

[Figure: topology with AS1 (Prefix 1), AS2 (Prefix 2), AS3 (Prefix 3), AS4 (Prefix 4), AS5 (Prefix 5); withdraw message W: 1]

Detecting Selective Dropping Attack

[Figure: flow of the instability analysis: classify events → compute the instable set per prefix → combine into the final instable set]

Detecting Selective Dropping Attack

Detecting Malicious Routes
• AS4 finds the 1-2 link break; its warning msg reaches AS3, whose routing table has 3-2-1
• Disable the 3-2-1 route
• Use the 3-4-1 route

[Figure: topology with AS1 (Prefix 1), AS2 (Prefix 2), AS3 (Prefix 3), AS4 (Prefix 4), AS5 (Prefix 5); withdraw message W: 1]
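The two preceding slides (instability analysis at the monitor AS4, then the poisoned-route check at AS3) can be followed end to end in code. The block below is an added example written for this transcript, not code from the IANP module or from the authors; the routing tables, the set of alternative routes known at AS3 and the exact reading of "candidate instable set" (links of the old path that the new path no longer uses) are assumptions chosen to reproduce the slide's scenario.

```python
"""Toy model of IANP's instability analysis and poisoned-route correction."""


def link(a, b):
    """Order-independent AS-AS link, so 1-2 and 2-1 compare equal."""
    return frozenset((a, b))


def path_links(path):
    """Set of links traversed by an AS path such as [4, 1, 5, 2]."""
    return {link(a, b) for a, b in zip(path, path[1:])}


def instability_analysis(before, after):
    """Locate instable link(s) from a monitor's best routes before and after a burst.

    Reading of the slide (an assumption where it is terse):
      - every link on a route that did not change is a candidate stable link;
      - for each changed prefix, the links of the old path that the new path no
        longer uses form that prefix's candidate instable set;
      - result = intersection of the per-prefix instable sets minus the union
        of the stable links.
    """
    stable = set()
    instable_per_prefix = []
    for prefix, old in before.items():
        new = after.get(prefix)
        if new == old:
            stable |= path_links(old)
        elif new is None:
            instable_per_prefix.append(path_links(old))  # withdrawn: any old link may be down
        else:
            instable_per_prefix.append(path_links(old) - path_links(new))
    if not instable_per_prefix:
        return set()
    return set.intersection(*instable_per_prefix) - stable


def find_poisoned_routes(routing_table, instable_links):
    """Best routes whose AS path crosses a link reported instable."""
    return {p: path for p, path in routing_table.items()
            if path_links(path) & instable_links}


def correct_routes(routing_table, alternatives, instable_links):
    """Disable poisoned best routes; fall back to the shortest alternative that
    avoids the instable links, or None when no clean alternative is known."""
    corrected = dict(routing_table)
    for prefix in find_poisoned_routes(routing_table, instable_links):
        clean = [alt for alt in alternatives.get(prefix, [])
                 if not path_links(alt) & instable_links]
        corrected[prefix] = min(clean, key=len) if clean else None
    return corrected


# Constructed inputs reproducing the slides' scenario: link 1-2 breaks, AS4 is
# the monitor, AS2 withholds the WITHDRAW so AS3 keeps the stale path 3-2-1.
AS4_BEFORE = {"prefix1": [4, 1], "prefix2": [4, 1, 2], "prefix3": [4, 3], "prefix5": [4, 1, 5]}
AS4_AFTER = {"prefix1": [4, 1], "prefix2": [4, 1, 5, 2], "prefix3": [4, 3], "prefix5": [4, 1, 5]}
AS3_TABLE = {"prefix1": [3, 2, 1], "prefix2": [3, 2], "prefix4": [3, 4]}
AS3_ALTERNATIVES = {"prefix1": [[3, 4, 1], [3, 2, 5, 1]]}  # assumed alternatives known at AS3

if __name__ == "__main__":
    instable = instability_analysis(AS4_BEFORE, AS4_AFTER)
    print("instable links located at AS4:", [sorted(l) for l in instable])
    print("poisoned routes at AS3 after warning:", find_poisoned_routes(AS3_TABLE, instable))
    print("corrected table at AS3:", correct_routes(AS3_TABLE, AS3_ALTERNATIVES, instable))
```

With the constructed tables the monitor narrows the instability to {1-2} exactly as on the slide, and AS3, once warned, disables 3-2-1 and falls back to 3-4-1; with no clean alternative the prefix is left without a best route rather than kept on the poisoned path.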

Detecting Selective Dropping Attack

[Figure: probing and possible warning message flow between neighboring routers]

Detecting Selective Dropping Attack

Warning and probing
• If the source of instability can't be located, probe neighbors within Q hops (e.g. Q=1)
• If an attack is suspected, warn neighbors within K hops (e.g. K=2)
Router scoring
• Score BGP router reputation by counting warning messages
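The warning/probing scope and the scoring rule above, as an added example that is not the authors' code: it computes the Q-hop and K-hop neighbor sets over a constructed five-AS topology (adjacency inferred from the AS paths shown on the slides), builds the two message types, and keeps a warning count per router. The message fields and the rule for which router a report names (the next hop of the route a receiver had to disable) are this example's assumptions; the slide only states that routers are scored by counting warnings.

```python
"""Warning and probing scope plus router scoring, a toy version of IANP signalling."""
from collections import Counter, deque

# Constructed topology matching the slides' figure: five ASes, link 1-2 is the
# one that breaks. Adjacency inferred from the AS paths shown (4-1-5-2, 3-4-1).
TOPOLOGY = {
    1: {2, 4, 5},
    2: {1, 3, 5},
    3: {2, 4},
    4: {1, 3},
    5: {1, 2},
}


def neighbors_within(topology, origin, hops):
    """Routers reachable from origin over at most `hops` links (BFS), origin excluded."""
    seen = {origin}
    reached = set()
    frontier = deque([(origin, 0)])
    while frontier:
        node, dist = frontier.popleft()
        if dist == hops:
            continue
        for nxt in topology[node]:
            if nxt not in seen:
                seen.add(nxt)
                reached.add(nxt)
                frontier.append((nxt, dist + 1))
    return reached


def ianp_messages(topology, origin, instable, burst_period, q=1, k=2):
    """Messages a monitor sends after analysing one burst of updates.

    Empty `instable` means the locating algorithm failed: probe neighbors within
    Q hops, carrying the burst period. Otherwise a link was located and a
    selective dropping attack is suspected: warn neighbors within K hops,
    carrying the instability info. Message layout is this example's assumption.
    """
    if not instable:
        targets = neighbors_within(topology, origin, q)
        return [("PROBE", origin, dst, {"burst": burst_period}) for dst in sorted(targets)]
    targets = neighbors_within(topology, origin, k)
    payload = {"instable": sorted(sorted(l) for l in instable)}
    return [("WARNING", origin, dst, payload) for dst in sorted(targets)]


def score_routers(reports):
    """Reputation score per router: how many warning-triggered reports name it.

    `reports` holds (receiver, suspect) pairs; the suspect is the neighbor that
    kept advertising a route over the instable link (AS2 for AS3's stale 3-2-1).
    A higher count means more warnings point at that router.
    """
    return Counter(suspect for _receiver, suspect in reports)


if __name__ == "__main__":
    burst = (1000, 1060)  # constructed burst period (start, end) in seconds
    print("locating failed ->", ianp_messages(TOPOLOGY, 4, set(), burst))
    print("link 1-2 located ->", ianp_messages(TOPOLOGY, 4, {frozenset({1, 2})}, burst))
    print("scores:", score_routers([(3, 2), (5, 2)]))  # constructed reports after the warning
```

From AS4, Q=1 reaches AS1 and AS3 while K=2 also reaches AS2 and AS5, which is why the evaluation slides can trade warning scope against message overhead: every extra hop multiplies the number of WARNING messages per detected instability.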

Evaluation of IANP on DETER

Setup
• 3 30-node topologies generated by BRITE
• Emulation on DETER using the Quagga package
• 10 experiments per topology
• In each exp., one link is broken and one node launches a selective dropping attack against a neighbor node
• Post-processing of BGP messages and routing tables using the IANP module
• Warning neighbors within 2 hops
Metric
• Damage Cost = # of poisoned best routes / # of total best routes
• # of total best routes = 30*29
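The damage cost metric, computed over every node's best routes, as an added example (not the authors' post-processing module). The best-route tables are constructed for the five-AS figure from the earlier slides, so the total is 5*4 = 20 rather than the 30*29 of the DETER experiments; before the warning only AS3's stale 3-2-1 crosses the dead link, after it nothing does.

```python
"""Damage cost metric from the DETER evaluation, computed on a constructed topology."""


def link(a, b):
    """Order-independent AS-AS link."""
    return frozenset((a, b))


def path_links(path):
    """Set of links traversed by an AS path."""
    return {link(a, b) for a, b in zip(path, path[1:])}


def poisoned_routes(best_routes, broken_links):
    """(source, destination) pairs whose best route crosses a broken link."""
    return [(src, dst) for src, table in best_routes.items()
            for dst, path in table.items() if path_links(path) & broken_links]


def damage_cost(best_routes, broken_links):
    """Damage Cost = # poisoned best routes / # total best routes.

    The total is n*(n-1): one best route from every node to every other node
    (30*29 on the slide, 5*4 here). Returns (ratio, poisoned, total).
    """
    n = len(best_routes)
    total = n * (n - 1)
    poisoned = len(poisoned_routes(best_routes, broken_links))
    return poisoned / total, poisoned, total


# Constructed best routes after link 1-2 broke, before any warning: only AS3,
# whose WITHDRAW was dropped by AS2, still has a route (3-2-1) over the dead link.
STALE = {
    1: {2: [1, 5, 2], 3: [1, 4, 3], 4: [1, 4], 5: [1, 5]},
    2: {1: [2, 5, 1], 3: [2, 3], 4: [2, 3, 4], 5: [2, 5]},
    3: {1: [3, 2, 1], 2: [3, 2], 4: [3, 4], 5: [3, 2, 5]},
    4: {1: [4, 1], 2: [4, 1, 5, 2], 3: [4, 3], 5: [4, 1, 5]},
    5: {1: [5, 1], 2: [5, 2], 3: [5, 2, 3], 4: [5, 1, 4]},
}
# Same tables after AS3 acted on AS4's warning and switched to 3-4-1.
CORRECTED = {src: dict(table) for src, table in STALE.items()}
CORRECTED[3][1] = [3, 4, 1]

if __name__ == "__main__":
    broken = {link(1, 2)}
    for label, tables in (("stale", STALE), ("corrected", CORRECTED)):
        ratio, poisoned, total = damage_cost(tables, broken)
        print(f"{label}: {poisoned}/{total} poisoned best routes, damage cost {ratio:.1%}")
```

One stale route out of twenty gives a damage cost of 5%; a single dropped WITHDRAW on a 30-node topology contributes only 1/870 per affected route, which is why the slides' "without IANP" range of up to 22.7% implies many nodes keeping stale paths, not just the attacked neighbor.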

Evaluation of IANP on DETER

Test 1: node 14 drops messages to node 15
[Table: per-node results for Test 1; W1 = unable to locate instability, DC = damage cost]

Evaluation of IANP on DETER

Test 2: node 16 drops messages to node 23
[Table: per-node results for Test 2; W1 = unable to locate instability, DC = damage cost]

Evaluation of IANP on DETER

Test 3: node 15 drops messages to node 23
[Table: per-node results for Test 3; W1 = unable to locate instability, DC = damage cost]

Evaluation of IANP on DETER

Overall performance
• Without IANP: 0-30% of ASes can't find the broken link; damage cost ranges from 0 to 22.7%
• With IANP, no warning: failure to find the broken link decreases by 0-23%; damage cost is very low, max = 4.8%, mostly < 2.0%
• With IANP and warning: everyone can find the broken link; damage cost decreases to 0

Conclusion

• Encryption and authentication do not mitigate the selective dropping attack
• Instability analysis provides useful information against the selective dropping attack
• IANP standalone version reduces damage cost
• IANP warning version reduces damage cost to 0
• IANP is promising and worth further research
  Impact of warning scope: damage cost vs. message overhead
  Deployment of IANP based on the Internet topology hierarchy
  Large scale simulation at Internet scale