Identifying and Addressing Protocol Manipulation Attacks in "Secure" BGP

Over more than a decade, researchers have studied a number of control and data plane attacks on BGP, the Internet's interdomain routing protocol, in the presence of malicious ASes. These prior efforts have largely focused on attacks that can be addressed using traditional cryptographic mechanisms to ensure authentication or integrity (e.g., S-BGP). Although augmenting BGP with authentication and integrity mechanisms is critical, it is far from sufficient to prevent attacks based on manipulating the complex BGP protocol itself. In this paper, we identify two serious protocol manipulation attacks that undermine the two most fundamental goals of the BGP control plane -- to ensure reachability and enable ASes to pick routes according to their routing policies -- despite the presence of S-BGP-like mechanisms. Our key contributions are to (1) formalize two critical security properties, (2) experimentally validate using commodity router implementations that BGP fails to achieve them, (3) quantify the extent of the resulting vulnerabilities in the Internet's AS topology, and (4) design and implement simple modifications to provably ensure that those properties are satisfied. Our experiments show that, a single malicious AS can cause thousands of other ASes to become disconnected from thousands of other ASes for arbitrarily long, while our proposed modifications almost completely eliminates such attacks.

[1]  Kwan-Liu Ma,et al.  Performing BGP experiments on a semi-realistic Internet testbed environment , 2005, 25th IEEE International Conference on Distributed Computing Systems Workshops.

[2]  David Wetherall,et al.  Studying Black Holes in the Internet with Hubble , 2008, NSDI.

[3]  Daniel Massey,et al.  Analysis of BGP Update Surge during Slammer Worm Attack , 2003, IWDC.

[4]  Stephen T. Kent,et al.  Secure Border Gateway Protocol (S-BGP) , 2000, IEEE Journal on Selected Areas in Communications.

[5]  Farnam Jahanian,et al.  Internet inter-domain traffic , 2010, SIGCOMM '10.

[6]  Evangelos Kranakis,et al.  On interdomain routing security and pretty secure BGP (psBGP) , 2007, TSEC.

[7]  Jennifer Rexford,et al.  Don't Secure Routing Protocols, Secure Data Delivery , 2006, HotNets.

[8]  Patrick D. McDaniel,et al.  A Survey of BGP Security Issues and Solutions , 2010, Proceedings of the IEEE.

[9]  Constantinos Dovrolis,et al.  Beware of BGP attacks , 2004, CCRV.

[10]  Lixin Gao,et al.  On inferring autonomous system relationships in the Internet , 2000, Globecom '00 - IEEE. Global Telecommunications Conference. Conference Record (Cat. No.00CH37137).

[11]  Ramesh Govindan,et al.  BGP Route Flap Damping , 1998, RFC.

[12]  Sharon Goldberg,et al.  How secure are secure interdomain routing protocols? , 2014, Comput. Networks.

[13]  D. Richard Kuhn,et al.  Study of BGP Peering Session Attacks and Their Impacts on Routing Performance , 2006, IEEE Journal on Selected Areas in Communications.

[14]  A. Dammer How Secure are Secure Interdomain Routing Protocols , 2011 .

[15]  Abhijit Bose,et al.  Delayed Internet routing convergence , 2000, SIGCOMM.

[16]  Yakov Rekhter,et al.  A Border Gateway Protocol 4 (BGP-4) , 1994, RFC.

[17]  Volker Roth,et al.  Listen and whisper: security mechanisms for BGP , 2004 .

[18]  Ruibing Hao,et al.  An approach to accelerate convergence for path vector protocol , 2002, Global Telecommunications Conference, 2002. GLOBECOM '02. IEEE.

[19]  Patrick D. McDaniel,et al.  Origin authentication in interdomain routing , 2003, CCS '03.

[20]  Daniel Massey,et al.  BGP-RCN: improving BGP convergence through root cause notification , 2005, Comput. Networks.

[21]  Gordon T. Wilfong,et al.  The stable paths problem and interdomain routing , 2002, TNET.

[22]  Bruce M. Maggs,et al.  R-BGP: Staying Connected in a Connected World , 2007, NSDI.

[23]  Vitaly Shmatikov,et al.  Truth in advertising: lightweight verification of route integrity , 2007, PODC '07.