Even Rockets Cannot Make Pigs Fly Sustainably

Can BGP be Secured with BGPsec Qi Li, ETH Zurich

Yih-Chun Hu, UIUC Xinwen Zhang, Huawei Research

BGP Is Not Secure ! The Border Gateway Protocol (BGP) is the de-

facto protocol to ensure the inter-AS connectivity of the Internet

! BGP does not have built-in mechanisms to verify if a route is genuine, it suffers from severe security vulnerabilities

! To prevent false routing updates, a wide array of secure BGP schemes has been proposed

! This study will investigate the vulnerabilities of these schemes

2/23/14 SENT 2014 2

An Attack Example ! In February 2013, global traffic was redirected to

Belarusian ISP !  US, South Korea, Germany, the Czech Republic,

Lithuania, Libya, and Iran are affected

2/23/14 SENT 2014 3

http://www.renesys.com/2013/11/mitm-internet-hijacking/

Background ! BGPsec is recently proposed by IETF

!  Leverage Resource Public Key Infrastructure (RPKI) to authenticate prefix origins

!   Insert correct AS number with the AS link signature into routing paths

! Insufficient security of BGP security schemes !  Manipulation attacks: good routes are damped (Song

et al. 2013) !  Cheating attacks: traffic forwarding paths are deviated

from the announced paths (Goldberg et al. 2008)

2/23/14 SENT 2014 4

S. Goldberg, S. Halevi, A. D. Jaggard, V. Ramachandran, and R. N. Wright, “Rationality and Traffic Attraction: Incentives for Honest Path Announcements in BGP,” Proceedings of SIGCOMM 2008

Y. Song, A. Venkataramani and L. Gao. "Identifying and Addressing Protocol Manipulation Attacks in ``Secure'' BGP", ICDCS 2013

Contribution of This Paper ! Investigate a set of security properties of BGP

!  Routing availability, Path predictability, Blackhole-resistant routing, and Loop-free routing

! Show that BGPsec is unable to achieve the

security properties

! Identify two new vulnerabilities of BGPsec and use real data to measure the impacts of the vulnerabilities

2/23/14 SENT 2014 5

Desirable Security Properties (1)

! Routing availability !  Ensure convergence in the presence of different

network events, e.g., routing attacks !  Throttle the manipulation attacks and data plane

attacks ! Path predictability

!  Senders know the path that traffic will traverse before sending out the traffic

!  Ensure that forwarding table is consistent with routing updates

2/23/14 SENT 2014 6

Desirable Security Properties (2)

! Blackhole-resistant routing !  A blackhole is used to hijack traffic to an AS that

would not traverse that AS. !  Prevent malicious AS from traffic hijacking to

blackholes ! Loop-free routing

!  No traffic will enter a forwarding loop even under attacks

!  Network links will not be overloaded by such forwarding loops

2/23/14 SENT 2014 7

Insufficiency of BGPsec ! Existing attacks show the first two properties do

not hold in BGPsec !  Routing availability: manipulation attacks !  Path predictability: cheating attacks

! This talk will show that the last two security properties are not met by BGPsec ! Blackhole-resistant routing: traffic hijacking by

launching wormhole attacks !  Loop-free routing: forwarding loops by launching mole

attacks

2/23/14 SENT 2014 8

Wormhole Attack ! Colluding Ases generate fake links with valid

signatures !  produced forged routing paths

2/23/14 SENT 2014 9

AS 2

AS 3 AS 4

AS 5 AS 6 Victim

AS 8 AS 7

r1

Tunneled link r2

AS 1 Dest

AS9

Evaluation ! Simulation based on two different measured

Internet AS topology set !  The 830-set and rv-set AS topologies

! Compute all end-to-end routing paths by simulating BGP routing according to Gao-Rexford conditions

! Measure routing paths with different attack scenarios by selecting 10 AS pairs with different degree as colluding Ases

2/23/14 SENT 2014 10

Impact of Wormhole Attacks ! The number of hijacked routing paths affected

by the attacks

! BGPsec is unable to prevent hijacking attacks

2/23/14 SENT 2014 11

0

20

40

60

80

100

0 100 200 300 400 500 600

Th

e h

ijack

ra

tio (

CD

F)

Hijacked routing paths (#)

randomhighlow

0

20

40

60

80

100

0 100 200 300 400 500

The h

ijack

ratio

(C

DF

)

Hijacked routing paths (#)

randomhigh

830-set rv-set

11% nodes’ paths are not affected

74% and 44% nodes’ paths are affected

Mole Attack ! An attacker can easily launch the mole attacks

by generating traffic to the unused prefixes to overload the victim AS link !   If a prefix is allocated to an AS and the AS does not

fully consume it !   If the Ases set a static default route to one of their

providers ! To launch a mole attack and flood the target AS

link, the attacker needs to locate a target prefix that will traverse the the vulnerable link

2/23/14 SENT 2014 12

A Mole Attack Example

2/23/14 SENT 2014 13

AS 4 allocated prefixes: 10.10.0.0/16

AS 1

Address Nexthop AS 10.10.1.0/24 self 0.0.0.0/0 AS 3

Routing table within AS 4

vulnerable links

10.10.10.0/24: a target prefix

AS 2 AS 3

vulnerable link vulnerable link

Traffic dest: 10.10.10.10

Evaluation ! Use traceroute to measure the routing paths to

all /24 prefixes and use Routeview data to do prefix-to-AS mapping

! A target prefix is identified when the path to the prefix includes repeating AS links

! Measure the number of vulnerable links that can be the attack target and the number of target prefixes that can be used to attack the vulnerable links

2/23/14 SENT 2014 14

Vulnerability to Mole Attacks ! The distribution of vulnerable links and target

prefixes exhibit strong locality

2/23/14 SENT 2014 15

0

0.5

1

1.5

2

2.5

3

3.5

4

0 50 100 150 200 250 300

The n

um

ber

of ta

rgets

(10

3)

Prefix (x.0.0.0/8)

vulnerable linkstraget prefixes

§  170K /24 prefixes across the entire IPv4 address space can be used to flood the vulnerable links

§  A vulnerable link can be flooded by using six /24 prefix blocks

Conclusion ! We find that BGP armed with BGPsec cannot

achieve any of the security properties due to their fundamental design principles

! We identify two new vulnerabilities of BGPsec

! We should rethink the fundamental tenets of BGP and BGPsec designs

2/23/14 SENT 2014 16

Questions?

Thank You!

2/23/14 SENT 2014 17

! Song et al. present protocol manipulation attacks to BGPsec, e.g., attacks to RFD and MARI

Backup: Manipulation Attack

2/23/14 SENT 2014 18

AS 1 AS 6

AS 4

AS 2 AS 5

Victim

Dest

AS 3

r1 r2 r3

Y. Song, A. Venkataramani and L. Gao, "Identifying and Addressing Protocol Manipulation Attacks in ``Secure'' BGP", ICDCS 2013

Backup: Cheating Attack ! Victim will adopt routing paths that they do not

know (Goldberg et al. 2008)

2/23/14 SENT 2014 19

AS 1

AS 2 AS 3

AS 4 Dest

AS 5

Victim

r2

r3

r1 AS 7

AS 8 AS 9

AS 10

S. Goldberg, S. Halevi, A. D. Jaggard, V. Ramachandran, and R. N. Wright, “Rationality and Traffic Attraction: Incentives for Honest Path Announcements in BGP,” Proceedings of SIGCOMM 2008.