3 China Hijack: Sequence of Events On April 8, 2010, China advertised about 50,000 blocks of IP addresses from 170 different countries60,000 prefixes from the USEvent lasted for 20 minutesWhy did most people not notice?How might more traffic have been intercepted?
4 Other “Famous” Hijack Events February 24, 2008: Pakistan advertises a small part of YouTube’s AS 36561Likely as a botched attempt to block YouTube in Pakistan, following a government orderJanuary 22, 2006: Con Edison (AS 27605) mistakenly advertises lot of networks (Level 3, UUNet, Panix ISP, …)April 25, 1995: AS 7007 incident“Ultimately, though, the problem remains on of transitive trust. A provider can and should limit the advertisements it will accept from a customer.”
5 Today’s Lecture Internet Routing Security Two Problems Intradomain routingPrimary focus: Interdomain routingTwo ProblemsControl Plane Security (Authentication): Determining the veracity of routing advertisementsSession authentication: protecting the point-to-point communicationPath authentication: protecting the AS path (sometimes other attributes)Origin authentication: protectingLeading proposals and alternatives: S-BGP, soBGPData Plane Security: Determining whether data is traveling to the intended locationsFilteringOpen problem: guaranteeing “route validity”
6 Attacks on Routing How these attacks can happen Compromised routers Unscrupulous ISPsConfiguration errorProblemsBogus origination of routesBogus modification of routes
7 Attacks against BGP Tampering with routing software Tampering with update data en routeRouter compromise and “misconfiguration”Tampering with router management software
8 Intradomain Routing Security Shared secrets guard against new machines being plugged in, but not against an authorized party being dishonest.Solution: digitally sign each LSA (expensive!). List authorizations in certificate.Note: everyone sees the whole map; monitoring station can note discrepancies from reality.
9 Who Needs Origin Authentication? Prefix hijackingRoute leaks (cf. AS 7007 incident from L6)Redirection (e.g., for phishing)Blackholing trafficSpammingDe-aggregation attacks (or misconfiguration)Can be lethal when combined with hijacking
10 Why Origin Auth Matters: Phishing BGP Route to authoritative DNS serverBGP Route to Web serverHijacking DNS (cache poisoning)Hijacking web serverIn theory, SSL should protect, but…Question: Why does path authentication matter?
11 Data Plane SecurityNo guarantees about the path that packets will actually traverseS-BGP, soBGP do not protect against internal routing snafusAS 2AS Path = 1 2 …AS 1AS 3Misconfiguration can cause packet deflections.
12 What This MeansRootkits + 0day rogue announcements Man-in-middle attacks, with our clues appliedNo need for three-way-handshake when you’re in-lineNearly invisible exploitation potential, globallyEndpoint enumeration - direct discovery of who and what your network talks toCan be accomplished globally, any-to-anyHow would you know if this isn’t happening right now to your traffic at DEFCON?
13 BGP MITM Hijack Concept We originate the route like we always didWin through usual means (prefix length, shorter as-path w/ several origin points, etc)“Win” is some definition of “most of the internet chooses your route”We return the packets somehowCoordinating delivery was non-trivialVpn/tunnel involve untenable coordination at targetThen it clicked – use the Internet itself as reply path, but how?
14 BGP MITM Setup Traceroute & plan reply path to target Note the ASN’s seen towards target from traceroute & bgp table on your routerApply as-path prepends naming each of the ASN’s intended for reply pathNail up static routes towards the next-hop of the first AS in reply pathDone
15 BGP MITM – First Observe ASN 200 originates /22, sends announcements to AS20 and AS30View of Forwarding Information Base (FIB) for /22 after convergingInternet is converged towards valid routeRandom User ASN 100AS10AS40AS60AS20AS30Target ASN 200AS50
16 BGP MITM – Plan reply path ASN 100’s FIB shows route for /22 via AS10Attacker ASN 100We then build our as-path prepend list to include AS 10, 20, and 200AS10AS40AS60AS20AS30Target ASN 200AS50
17 BGP MITM – Setup Routes 10.10.220.0/24 is announced with a route-map: Then, install static route in AS100 for /24 to AS10’s linkip routeAttacker ASN 100Target ASN 200AS20AS10AS30AS60AS40AS50
18 Anonymzing The Hijacker We adjust TTL of packets in transitEffectively ‘hides’ the IP devices handling the hijacked inbound traffic (ttl additive)Also hides the ‘outbound’ networks towards the target (ttl additive)Result: presence of the hijacker isn’t revealed
22 Control Plane Security: Authentication Session Authentication/IntegrityWho’s on the other end of that BGP session?Are the routing messages correct?Path AuthenticationIs the AS path correct?Origin AuthenticationDoes the prefix of the route correspond to the AS that actually owns that prefix
23 Session Authentication: TCP MD5 Authenticate packets received from a peer using TCP MD5.Key distribution: manual.Key rollover: vendor-dependent
24 Session Authentication: TTL Hack Insight: Most eBGP sessions are only a single hop; attackers typically are remoteRemote packet injection can’t have a TTL >= 254Transmits allpackets with aTTL of 255Doesn’t acceptpackets with a TTLlower than 254eBGP
25 Proposals for Control Plane Security S-BGP: Secure BGPPKI-basedSignatures on every element of the pathsoBGP: “Secure Origin” BGPUse PKI only for origin authenticationTopology database for path authentication
26 S-BGP Address-based PKI: validate signatures Authentication ofownership for IP address blocks,AS number,an AS's identity, anda BGP router's identityUse existing infrastructure (Internet registries etc.)Routing origination is digitally signedBGP updates are digitally signedRoute attestations: A new, optional, BGP transitive path attributecarries digital signatures covering the routing information in updates
27 Attestations: Update Format BGP Hdr: Withdrawn NLRI, Path Attributes, Dest. NLRIIssuer, Cert ID, Validity, Subject, Path, NLRI, SIGRoute AttestationsIssuer, Cert ID, Validity, Subject, Path, NLRI, SIGIssuer, Cert ID, Validity, Subject, Path, NLRI, SIGOwning Org, NLRI, first Hop AS, SIGAddress AttestationAddress attestation is usually omittedQuestion: Why are there multiple route attestations?
28 Attestation Format: More Details Issuer: an ASCertificate ID: for joining with certificate information received from third partyAS PathValidity: how long is this routing update good?
29 Reducing Message Overhead Problem: How to distribute certificates, revocation lists, address attestations?Note: This data is quite redundant across updatesSolution: use servers for these data itemsreplicate for redundancy & scalabilitylocate at NAPs for direct (non-routed) accessdownload options:whole certificate/AA/CRL databasesqueries for specific certificates/AAs/CRLs
30 S-BGP Optimizations Handling peak loads (e.g., BGP session reset) Extra CPUsDeferred verificationBackground verification of alternate routesObservation: Most updates caused by “flapping”Cache previously validated routes
31 Practical Problems with S-BGP Requires Public-Key InfrastructureLots of digital signatures to calculate and verify.Message overheadCPU overheadCalculation expense is greatest when topology is changingCaching can helpRoute aggregation is problematic (maybe that’s OK)Secure route withdrawals when link or node fails?Address ownership data out of dateDeployment
32 Public Key Infrastructure (PKI) Problem: Key distributionHow do you find out someone’s public key?How do you know it isn’t someone else’s key?Root of PKI: Certificate Authority (CA)Bob takes public key and identifies himself to CACA signs Bob’s public key with digital signature to create a certificateAlice can get Bob’s key (doesn’t matter how) and verify the certificate with the CAPKIs are typically organized into hierarchies
34 Reducing Message Overhead Problem: How to distribute certificates, revocation lists, address attestations?Note: This data is quite redundant across updatesSolution: use servers for these data itemsreplicate for redundancy & scalabilitylocate at NAPs for direct (non-routed) accessdownload options:whole certificate/AA/CRL databasesqueries for specific certificates/AAs/CRLs
35 Attack: Path Shortening Attack AS 2AS 3AS Path = 2 4AS 4AS 1AS 6Adversary AS shortens AS path to divert traffic.
36 Preventing Shortening in S-BGP AS 2AS 3AS Path = 2 4AS 4AS 1Must be able to generate signature for AS Path “2 4”Why is this not possible in S-BGP?
37 What Attacks Does S-BGP Not Prevent? Message suppression: Failure to advertise route withdrawalReplay attacks: Premature re-advertisement of withdrawn routesData plane security: Erroneous traffic forwarding, bogus traffic generation, etc. (not really a BGP issue)
38 Secure Origin BGP (soBGP) Three GoalsAS is authorized to originate a prefixAdvertised prefix is reachable within the origin ASPeer that is advertising a prefix has at least one valid path to the destination
39 Limitations of soBGP BGP transport Connection Route attributes Handled by MD5 authenticationRoute attributesThe validity of the AS pathRelies on consistency checks
40 soBGP Design Constraints No central authorityIncremental deployabilityDeployment flexibility (on/off box cryptography, etc.)Flexible signaling mechanismShould not rely on routing to secure routing (No external database connection on system initialization).Minimize impact to current BGPv4 implementations
41 Step 1: AS Identity (EntityCert) Signatures by trusted third partyASSigPuKASASSigSigPuKPuKASASSigSigPuKPuKEach AS creates a public/private key pair (signed by third party)The key and AS can be validated using the signer’s public key
42 Step 2: Origin Authentication (AuthCert) AS65500AS65500SigEntityCertSigAS65503/24/8Public KeyAS65501Public KeySigAS65504/24AS65502Sig/16DelegationAS65501Sig/16Signed certificate authorizes another AS to advertise a prefix
43 Step 3: Policy Authentication (PolicyCert) Each AS builds a certificate which contains policy information (e.g., maximum prefix length).AS 65500AS65501AS 65501AS 65502The longest prefix in /16 will be a /20.
44 Step 4: Path Authentication (PolicyCert) Signed PolicyCert contains a signed list of peers PolicyCerts are flooded throughout the networkI’m attached to AS 4AS 1AS 2AS 3AS 4Question: How to prevent lying about false edges in PolcyCert?
45 Preventing Shortening in soBGP If AS 3 attempts to make its path to AS 5 shorter by cutting AS 4 out of the path, AS 1 might be able to detect the alteration in the AS Path.Problems:No protection against replayNo protection, depending on topologyAS 1I’m attached to 1, 4, & 5AS 2AS 3AS 4Now What? Must update PolicyCert?!AS 5I’m attached to 2 & 4
46 Preventing False Edges in soBGP AS 1Two-way policy check will fail.AS 2AS 3AS 4 is behind me.Possible denial-of-service attacks based on this mechanism?AS 4AS 4 is behind me.I’m connected to AS 2
47 Preventing False Edges in S-BGP AS Path = 1 3 4AS 1AS 3 must be able to generate a signed route attestation for the path 3 4 (and whatever prefix that involves).AS 2AS 3AS 4
48 Certificate Distribution in soBGP Transport agnostic (distributed out of band)Possible problem: setting routes to distribute policy certs?One mode of transport is provided in the soBGP drafts themselves:New BGP SECURITY messageNegotiated at session startupCertificates may be exchanged before routingRouting may be exchanged before certificatesCertificates only may be exchanged
49 Problems with soBGPIntegrity problems: Cannot validate that the update actually traversed the path (!)Collusion: Colluding ASes can create false edgesPolicyCert/Topology map does not prevent against replay attacks (or advertising a path that has been recently withdrawn)No security for withdrawals
50 S-BGP vs. soBGP Path authentication Computational cost Message overhead (bandwidth)MemoryAdministrative delayWhat is the process by which a new prefix can be added to the infrastructureAccuracy of address ownership informationProblem with both schemes
51 S-BGP vs. soBGP: Requirements Does the AS Path exist?Maybe: PolicyCertsYesDid the received update travel along that path?NoYes: Route Attestation + ValidityWas the update authorized to traverse that path by the originator?Maybe: Depends on how PolicyCerts are written
54 Root level DNS attacks Feb. 6, 2007: Botnet attack on the 13 Internet DNS root serversLasted 2.5 hoursNone crashed, but two performed badly:g-root (DoD), l-root (ICANN)Most other root servers use anycastRoot servers specify where the TLDs are (.com, .net, …)f-root is supported by 42 different locations.Only one root server is sufficient to make the Internet work.
55 DNS Amplification Attack DNS Amplification attack: ( 40 amplification )DNS Query SrcIP: Dos Target(60 bytes)EDNS Reponse(3000 bytes)DNS ServerDoS SourceDoS TargetOther measurements: (MeasurementFactory):There are an estimated 7.5 million external DNS servers on the public Internet. Over 75% of domainname servers (of roughly 1.3 million sampled) allow recursive name service to arbitrary queriers.580,000 open resolvers on Internet (Kaminsky-Shiffman’06)Prevention: reject DNS queries from external addresses
56 DNS Amplification Attack root-serversstub-resolversfull-resolversCommand&ControlDNSDNSDNStld-serversIP spoofedDNS queriesDNSexample-serversbotnetvictim
57 Solutions disable prevent open amplifiers ip spoofing ip spoofed packetsopenamplifierattackerrepliesdisableopen amplifierspreventip spoofingvictim
58 Why DNSSEC DNSSEC protects against data spoofing and corruption DNSSEC also provides mechanisms to authenticate servers and requestsDNSSEC provides mechanisms to establish authenticity and integrity