Presentation on theme: "1 Threats & lessons learned from todays control/management planes (Panel on routing) Z. Morley Mao University of Michigan NSF FIND PI meeting, June 27."— Presentation transcript:
1 Threats & lessons learned from todays control/management planes (Panel on routing) Z. Morley Mao University of Michigan NSF FIND PI meeting, June 27 2007
2 Is todays Internet routing at risk? I would stress that all of these things, particularly prefix hijacking and backbone router 'ownage', are real threats, happening today, happening with alarming frequency. Folks need to realize that the underground is abusing this stuff today, and has been for quite some time. -- Rob Thomas quoted by David Meyer at NANOG28, June 2003.
3 Worldwide Infrastructure Security Report (Arbor Networks) Bots is becoming a serious threat for infrastructure security Source: Arbor Networks, Inc. 55 participants responded to surveys.
4 Desired routing security properties Availability of the communication channel –sufficiently good performance –reachability to intended destination networks Data integrity –payload is not altered intentionally Data confidentiality and privacy –but deep packet inspection must examine payload Route integrity –advertised route matches the data path Anything else? (more later)
5 BGPs threat overview Threat model –access to compromised routers to manipulate data and routing logic via password guessing, exploiting OS vulnerabilities, etc. –possibly collude across networks –motivated by greed and malice Greed results in insider attacks Attack types: 1.data-plane attacks: impact data traffic. 2.control-plane attacks: alter control behavior. Just like compromised hosts, there will always be compromised or misconfigured routers!
6 Data-plane attacks due to insecure routing Resource exhaustion attacks: –remote BGP session reset via DoS attacks Filtering: deny availability Snooping: compromise confidentiality Tampering: compromise integrity Degrading: harm availability –e.g., degrading Skype traffic Deflecting: for further analysis –e.g., spoofing of intended destination, etc. All these can be done selectively to discriminate against certain traffic to evade detection.
7 Control-plane attacks due to insecure routing Route hijacking or route spoofing to –attract traffic or disrupt reachability Falsified routes to –cause denial service Resource overload –e.g., excessive prefixes by deaggregation Routing instability (create continuous oscillation) –trigger route flap damping Empirical evidence of various misconfiguration events.
8 Attackers motivation for conducting routing-based attacks Denial of service –disrupt network communications of attack targets –greed to make another ISP appear bad Enabler for other data-plane attacks –e.g., hijack a prefix for sending spam or DoS traffic, to spoof legitimate services (Web). –e.g., reroute traffic to compromise confidentiality Are routing attacks easy to detect?
9 Limitations of todays routing architecture Lack of accountability –difficulty to troubleshoot routing misbehavior –no visibility into other networks Lack of incentives for deploying security mechanisms –bogon filters, ingress/egress filters, reverse path forwarding, prioritizing routing traffic. Lack of resource visibility –e.g., knowledge of shared risk link groups Limited routing choices –routing policies vs. routing politics Lack of clearly defined expected routing behavior –e.g., no robustness guarantees –mostly reacting to (performance impacting) events instead of proactively preventing/eliminating routing misbehavior. How about devising mechanisms to punish misbehaving networks?
10 A possible wish-list from network operators Better security demands better tools to manage networks, tools to prevent, detect, and respond to attacks. –cost-effective ways to deploy and manage security capabilities Network management automation Ease of creating and deploying new network services safely –basic transport is no longer profitable
11 Assumptions of the future Internet (affecting routing design) Multiple distinct commercial entities Existence of misbehaving network elements and end-hosts Increasingly complex protocol interaction –rarely take out old services and protocols Heterogeneity in protocol deployment and implementations
12 What role should routing play in achieving security? To ensure future Internet is secure, routing itself must be secure. –S*BGP vs. incrementally deployable partial solutions –prevent source IP spoofing Routing should effectively support the defense against data-plane attacks. –self protection via robust routing configurations: resistant to misconfigs and attacks. –collusion and attack resistant routing via light-weight data-plane checks –support built-in accountability to detect performance degradation and misbehavior
13 Routing is used to defend against attacks Destination-based ACLs and destination- based BGP blackhole routing are primary mitigation techniques. Challenges: –inability to verify authenticity of source IPs –lack of support for a large number of packet filters –complex to divert traffic for scrubbers –dest-based filtering finished off the attack! Source: Worldwide infrastructure security report 2006. (Arbor Networks, Inc.) based on survey of 55 network operators of diverse networks.
14 Directions on new routing architectures Protocols to enable cooperation amongst networks –troubleshooting, reliable packet delivery, defend against distributed attacks and security threats Protocols to expose visibility of network behavior to ISPs and end-users –to facilitate accountability, SLA verification, and competition among ISPs New routing services –routing as an enabler for new network-based security services, e.g., new capabilities to defend against botnet activities by selective filtering.
15 Q & A Questions to consider –What role should routing play to mitigate against data-plane attacks? –How should data plane filtering be better integrated with control plane filtering (packet filters with route filters)? –What is the role of management plane for routing and data-plane? –How do we enforce networks to practice good network configurations?
16 Is Internet routing sufficiently robust to failures? An example circuitous route after Taiwan Earthquake 2006 Composing two paths results in lower latencies, merely overlay routing?
17 Lessons from the past Routing-based response to mitigate attacks on the data plane often help finish off the DoS attack! –better defense techniques needed Attacks against the routing infrastructure is a means to achieve more sophisticated attacks on the data plane. –joint management needed Unlike attacks against end-hosts or edge networks, attacks against infrastructure are difficult to detect! –better detection schemes needed