jennifer rexford fall 2014 (tth 3:00-4:20 in cs 105) cos 561: advanced computer networks bgp

Jennifer Rexford

Fall 2014 (TTh 3:00-4:20 in CS 105)

COS 561: Advanced Computer Networks

http://www.cs.princeton.edu/courses/archive/fall14/cos561/

BGP Security

Example “Prefix Hijacking” Attack

YouTube Outage of February 24, 2008

2

February 24, 2008, YouTube Outage• YouTube (AS 36561)–Web site www.youtube.com–Address block 208.65.152.0/22

• Pakistan Telecom (AS 17557)–Receives government order to block access to YouTube–Starts announcing 208.65.153.0/24 to PCCW (AS 3491)–All packets directed to YouTube get dropped on the floor

• Mistakes were made–AS 17557: announcing to everyone, not just customers–AS 3491: not filtering routes announced by AS 17557

• Lasted 100 minutes for some, 2 hours for others3

4

Timeline (UTC Time)

• 18:47:45– First evidence of hijacked /24 route propagating in Asia

• 18:48:00–Several big trans-Pacific providers carrying the route

• 18:49:30–Bogus route fully propagated

• 20:07:25–YouTube starts advertising the /24 to attract traffic back

• 20:08:30–Many (but not all) providers are using the valid route

http://research.dyn.com/2008/02/pakistan-hijacks-youtube-1/

5

Timeline (UTC Time)

• 20:18:43–YouTube starts announcing two more-specific /25 routes

• 20:19:37–Some more providers start using the /25 routes

• 20:50:59–AS 17557 starts prepending (“3491 17557 17557”)

• 20:59:39–AS 3491 disconnects AS 17557

• 21:00:00–All is well, videos of cats flushing toilets are available

6

Lessons From the Example

• BGP is incredibly vulnerable–Local actions have serious global consequences–Propagating misinformation is surprisingly easy

• Fixing the problem required vigilance–Monitoring to detect and diagnose the problem– Immediate action to (try to) attract the traffic back–Longer-term cooperation to block/disable the attack

• Preventing these problems is even harder–Require all ASes to perform defensive filtering?–Automatically detect and stop bogus route?–Require proof of ownership of the address block?

BGP Attacks

7

8

Prefix Hijacking

1

2

3

4

5

67

12.34.0.0/1612.34.0.0/16

• Originating someone else’s prefix–What fraction of the Internet believes it?

Sub-Prefix Hijacking

• Originating a more-specific prefix–Every AS picks the bogus route for that prefix–Traffic follows the longest matching prefix 9

1

2

3

4

5

67

12.34.0.0/1612.34.158.0/24

Interception Attack

10http://queue.acm.org/detail.cfm?id=2668966

11

Bogus AS Paths to Hide Hijacking• Adds AS hop(s) at the end of the path–E.g., turns “701 88” into “701 88 3”

• Motivations–Evade detection for a bogus route–E.g., by adding the legitimate AS to the end

• Hard to tell that the AS path is bogus…–Even if other ASes filter based on prefix ownership

701

883

18.0.0.0/818.0.0.0/8

12

Path-Shortening Attacks

• Remove ASes from the AS path–E.g., turn “701 3715 88” into “701 88”

• Motivations–Make the AS path look shorter than it is–Attract sources that normally try to avoid AS 3715–Help AS 88 look like it is closer to the Internet’s core

• Who can tell that this AS path is a lie?–Maybe AS 88 *does* connect to AS 701 directly

701 883715

?

13

Attacks that Add a Bogus AS Hop

• Add ASes to the path–E.g., turn “701 88” into “701 3715 88”

• Motivations–Trigger loop detection in AS 3715

Denial-of-service attack on AS 3715 Or, blocking unwanted traffic coming from AS 3715!

–Make your AS look like is has richer connectivity

• Who can tell the AS path is a lie?–AS 3715 could, if it could see the route–AS 88 could, but would it really care as long as it

received data traffic meant for it?

701

88

14

Violating “Consistent Export” to Peers• Peers require consistent export–Prefix advertised at all peering points–Prefix advertised with same AS path length

• Reasons for violating the policy–Trick neighbor into “cold potato”–Configuration mistake

• Main defense–Analyzing BGP updates–… or data traffic–… for signs of inconsistency src

dest

Bad AS

data

BGP

Other Attacks

• Attacks on BGP sessions–Confidentiality of BGP messages–Denial-of-service on BGP session– Inserting, deleting, modifying, or replaying messages

• Resource exhaustion attacks–Too many IP prefixes (e.g., BGP “512K Day”)–Too many BGP update messages

• Data-plane attacks–Announce one BGP routes, but use another

15

Improving BGP Security

16

Solution Techniques

• Protective filtering–Know your neighbors

• Anomaly detection–Suspect the unexpected

• Checking against registries–Establish ground truth for prefix origination

• Signing and verifying–Prevent bogus AS PATHs

• Data-plane verification–Ensure the path is actually followed

17

18

Public Key Infrastruc

ture

IBMAT&T

Comcast

LocalISP

Princeton

Comcast: (IBM)Comcast: (IBM)

Local: (Comcast, IBM)

Route Attestations in Secure BGP If AS a announced path abP then b announced bP to a

Public Key Signature: Anyone who knows IBM’s public key can verify the message was sent by IBM.

Comcast: (IBM)

Local: (Comcast, IBM)

Princeton: (Local, Comcast, IBM)

Discussion of the Paper

BGP Security in Partial Deployment

19