Bootstrapping Accountability in the Internet We Have

Lack of accountability makes the Internet vulnerable to numerous attacks, including prefix hijacking, route forgery, source address spoofing, and DoS flooding. This paper aims to bring accountability to the Internet with low-cost, deployable enhancements. We present IPA, a design that uses the readily available top-level DNSSEC infrastructure and BGP to bootstrap accountability. We show how IPA enables a suite of security modules that combat various network-layer attacks. Our evaluation shows that IPA introduces modest overhead and is incrementally deployable. We also discuss how the design incentivizes early adoption.
