Performing BGP Experiments on a Semi-Realistic Internet Testbed Environment The 2nd International Workshop on Security in Distributed Computing Systems, 2005 Ke Zhang, Soon-Tee Teoh, Shih-Ming Tseng, Rattapon Limprasitipom, Kwan-Liu Ma, S. Felix Wu
Outline Introduction Testbed Topology MOAS Attack Experiment BGP Route Flap Damping(RFD) Attack Scenario in Routing Testbed Conclusion
Introduction BGP become a critical component For BGP wide deployment and significant role of connecting various networks. BGP may cause world-wide connectivity loss. In 1997, a small ISP incorrectly announced all prefixes as its own prefixes. many routers affected, crashed, and whole Internet unstable for hours Apply cryptography to improve BGP security S-BGP(Secure Border Gateway Protocol), SoBGP(Secure Origin BGP), Listen and Whisper(Security Mechanisms for BGP) AS BGP IGP
Introduction DETER / EMIST Evaluation Methods for Internet Security Technology (EMIST) DETER--A software system provides a time- and space-shared platform for experiment in distributed systems and networks. In BGP, the major obstacle is the lack of experimental infrastructure. DETER / EMIST group build a 72-node experimental network and emulated DDOS, worm and routing attacks. BGP simulator BGP++, NS-2, SSFNet EMIST Penn State UC Davis Purdue SRI ICSI Sparta NSF DHS Founded 72-node 5 commercial routers 12 zebra routers DETER / EMIST UC- Davis, CA IPsec / VPN connection
Testbed Topology 5-layer AS hierarchical structure Tier-1 ASes : The major ISPs formed the back-bone of the Internet. (Sprint, AT&T, UUNet etc.) Tier-2 ~ Tier-4 ASes : the regional ISPs or transit ASes to provide transit service for smaller or customer networks Tier-5 ASes: campus networks or company networks (stub ASes) Experiment (three-level hierarchical topology in DeterLab) 3 Tier-1 ASes: fully-connected Zebra routers (full mesh) 4 Tier-2 ASes: 2 AS(multi-home ASes), 2 ASes(single-home AS) Tier-3 AS: stub ASes. Tire-2 ~ Tire-4 AS Tire-1 AS Origin AS prefix Tire-5 AS Campus or company network
MOAS Attack Experiment Original AS A BGP prefix is announced by a single AS, called the original AS. Tire-2 AS Tire-1 AS Origin AS prefix AS Tire-1 AS Origin AS prefix AS Tire-1 AS Origin AS prefix Campus networks No mechanism to prevent the origin AS conflict
MOAS Attack Experiment An attacker originates the same prefix as the victim AS with shorter AS path. Since the shorter AS path is perfered in BGP route selection process, some Ases may choose the fake routes. An attacker originates the prefix that is the subnetwork of the victim AS network. For BGP always chooses the more specific route, the traffic destined to the subnetwork will go to the attacker. AS Attacker AS victim AS AS subnetwork attacker
BGP Route Flap Damping(RFD) A mechanism to reduce the amount of update messages in the Internet caused by instability. Crash restart
BGP Route Flap Damping(RFD) A mechanism to reduce the amout of update messates in the Internet caused by instability. Po: current penalty value H: half-life time Each router configures two thresholds: Suppression The penalty value is increased to be greater than the suppression threshold, the route is suppressed. Reuse if the route is stable, the penalty value decays exponentially with the configured half-life value. The penalty value under the reuse threshold The route is reused again.
Attack Scenario in Routing Testbed Figure 3. network topology in differential damping attack S: the prefix originator D: the router of the victim network M: an attacker The best path(D to S): D-A-M-S P(A, M): A’s damping penalty for the route heard from M. P(D, A): D’s damping penalty for the route heard from A
Attack Scenario in Routing Testbed Figure 3. network topology in differential damping attack 1. M sends withdraw message to A. ♣ using the path D-A-B-C-S ♣ P(A, M) = M waits until the previous P(A, M) decays to a small value. ♣ P(A, M) = small value 3.S sends the attribute change update; M does not propagate to A. ♣ the porpagate path = D-A-B-C-S, not D-A-M-S ♣ P(D, A) = 500, P(A, M) = small value 4.M sends the re-announcement to A. ♣ A informs D to change path from A-B-C-S to A-M-S. ♣ P(D, A) = = 1000
Attack Scenario in Routing Testbed Figure 3. network topology in differential damping attack 5.0 M sends the new path A-M-M-M-S to A. ♣ A informs D to change path from A-M-S to A-B-C-S. ♣ P(D, A) = = 1500, P(A, M) = M sends M-S to A. ♣ A informs D to change path from A-B-C-S to A-M-S. ♣ P(D, A) = = 2000, P(A, M) = = M sends the new path A-M-M-M-S to A. ♣ A informs D to change path from A-M-S to A-B-C-S. ♣ P(D, A) = = 2500, P(A, M) = =1500 ♣ M isolates D from S successfully. 6 M repeat 5.0 and 5.1 step every 400 seconds. ♣ P(D, A) above the reuse threshold and P(A, M) below the suppression threshold P(D, A) P(A, M) P(D, A)
Attack Scenario in Routing Testbed Figure 3. network topology in differential damping attack P(D, A) P(A, M) P(D, A) The attacker maintains the P(A, M) above reuse threshold, D will suppress the route forever.
Attack Scenario in Routing Testbed
Conclusion describe the design and implementation of a BGP routing testbed. implement the BGP data analysis engine and visualization engine to analyze and display BGP traffic. conduct two BGP attacks in the testbed – MOAS attack and the differential damping penalty attack discover the subtle implementation difference between zebra router and Cisco router, which yield different attack effects
BGP AS BGP IGP Real internet simulation Internet Testbed Environment 72-node 5 commercial routers 12 zebra routers DETER / EMIST Real routing data (background traffic) inject The testbed architecture includes four components: Routing topology, background traffic, data analysis and visualization This paper describes two specific BGP attacks: (a) Multiple Origin AS (b) route flap damping attacks ASes 100 BGP routers Large AS
BGP AS(Autonomous System) A set of routers with a single routing policy, running under a single technical administration. IGP (Interior Gateway Protocol a protocol for exchanging routing information between gateways (hosts with routers) within an autonomous network BGP(Border Gateway Protocol) discovery and maintenance of paths between distant ASes in the Internet AS BGP IGP
terminology UUNet: Short for UNIX to UNIX Network, the first commercial Internet service provider, headquartered in Fairfax, VA. The company was founded in 1987 by Rick Adams, one of the original developers of ARPAnet, the precursor to the Internet. In 1996, UUNET merged with MFS Communications, Inc., and later that year, WorldCom acquired both MFS and UUNET. UUNET is now a full-service provider.NetInternet service provider developersARPAnetthe InternetCommunications NSF(National Science Foundation) PHS(Department of Homeland Security): Governmental agency works to prevent terrorist attacks within the United States, reduce America’s vulnerability to terrorism, and minimize the damage from potential attacks and natural disastors.