
A Firewall for Routers: Protecting Against Routing Misbehavior


Presentation Transcript


  1. A Firewall for Routers: Protecting Against Routing Misbehavior
  Jia Wang, AT&T Labs-Research
  Joint work with Ying Zhang and Z. Morley Mao, University of Michigan

  2. Interdomain routing: Border Gateway Protocol (BGP)
  • Disseminating routing information between ISPs
  • Incremental: an update indicates a routing change
  • Path vector based: list of ASes in the path
  • Policy based: route selection based on each ISP's policy
  • Controlling packet forwarding in the data plane
  [Figure: ASes A, B, C and D, each with border routers (BR) and customers (C), connected to the Internet. The announcement for 141.213.15.0/24 propagates as "I can reach 141.213.15.0/24", then "I can reach 141.213.15.0/24 via AS A", then "I can reach 141.213.15.0/24 via AS B A".]

  3. Example: IP prefix hijacking
  [Figure: AS A (destination) originates prefix p; the path to p propagates as Path:d = [A], [BA], [CBA]. AS F also sends a BGP announcement for prefix p, so AS C holds p via [CBA] and via [CF]; the source sits in AS D.]

  4. Internet routing security problems
  • Routers assume updates from neighbors are correct
  • Routing correctness is vulnerable to misconfigurations, attacks, and protocol ambiguities
  • There is no security guarantee in BGP
  • Secure protocols, e.g. SBGP, are slowly adopted and cannot eliminate misconfigurations

  5. Our approach
  Q: Can a network locally protect against routing misbehavior from external networks?
  A: A proactive scheme to correct routing updates locally
  • Route Normalizer
    • Sits between local router and remote router
    • Detects and corrects problems by taking advantage of local information

  6. Outline
  • Design of Route Normalizer
  • Functionality of Route Normalizer
  • Prototype implementation and evaluation
  • Empirical results
  • Discussion

  7. Route Normalizer architecture
  [Figure: BGP traffic enters the Route Normalizer, which also takes optional config input (e.g. local router configuration) and optional data input (e.g. external BGP data). The Route Normalizer emits individual alarms to a Policy Engine, which is driven by a policy configuration and produces aggregated alarm reports.]

  8. Design principles
  • Perform basic checking to ensure protocol semantic correctness
  • Make use of local network information
  • Take advantage of external information to assist route anomaly detection
  • Assume dominant history behavior is mostly correct
  • Use anomaly detection to influence route selection to avoid anomalous routes

  9. Deployment scenario I
  [Figure: Route Normalizer placed inline between the remote router and the local router; data traffic and BGP traffic enter it, normalized BGP traffic goes on to the local router, and alarm reports and policy improvements are produced. Case I: transparent TCP proxy setup. Case II: two BGP sessions.]
  • Route Normalizer observes data plane traffic
  • No configuration changes on remote router

  10. Deployment scenario II
  [Figure: Route Normalizer attached beside the link between the remote router and the local router; data traffic flows directly between the routers, BGP traffic reaches the Route Normalizer over a BGP session, and normalized BGP traffic plus alarm reports and policy improvements go to the local router.]
  • No data traffic traverses Route Normalizer
  • Route Normalizer peers with both routers
  • Configuration changes on local router

  11. Outline
  • Design of Route Normalizer
  • Functionality of Route Normalizer
  • Prototype implementation and evaluation
  • Empirical evaluation using BGP data
  • Discussion

  12. Functionality of Route Normalizer
  • Fix violation of BGP semantics
  • Fix violation of routing policy
  • Detect routing anomalies
  • Manage load and instability

  13. Fix violation of BGP semantics
  • Malformed BGP updates
    • Incorrect attribute values, e.g. AS-level loops
    • Attributes with private information
    • Missing mandatory attribute values
  • Route Normalizer action
    • Modify or drop the updates
    • Avoid router crashes
    • Avoid ambiguity if alternate route exists
    • Generate alarms

  14. Fix violations of routing policies
  • Specifying policies with best common practice
    • Export policy should follow AS relationship constraints
    • Next-hop AS and IP should match the BGP neighbor's AS and IP
  • Route Normalizer action
    • Modify or drop the updates if alternate route exists
    • Generate alarms

  15. Detect routing anomalies
  • Anomalous routing behavior
    • Address hijacking
    • Routing inconsistency
  • Route Normalizer action
    • Drop the updates if alternate route exists
    • Generate alarms

  16. Load management and instability mitigation
  • Manage router workload
    • Mitigate load due to identical routing updates
    • Mitigate router DoS attacks
  • Mitigate instability of flapping prefixes
  • Mitigate instability of session resets
  • Route Normalizer action
    • Drop duplicate updates
    • Filter BGP attack traffic, delay updates
    • Emulate route flap damping, delay updates
    • Emulate graceful restart, delay updates

  17. Outline
  • Design of Route Normalizer
  • Functionality of Route Normalizer
  • Prototype implementation and evaluation
  • Empirical evaluation using BGP data
  • Discussion

  18. Prototype
  • Initialization
  • Checking path attributes
  • Anomaly detection

  19. Prototype evaluation
  • Platform: 3 GHz Pentium IV CPU, 1.5 GB memory, 100 Mbps
  • System throughput
    • 77.9 Mbps or 64,916 packets/sec
    • Slight degradation in throughput with more peers
  • Memory consumption
    • 20 MB memory consumption for 16 days of data
    • Slight increase in memory consumption with more peers

  20. Outline
  • Design of Route Normalizer
  • Functionality of Route Normalizer
  • Prototype implementation and evaluation
  • Empirical evaluation using BGP data
  • Discussion

  21. Normalization statistics
  RouteViews: Oct 2006 (based on three months of history data)

  22. Known routing problems from NANOG: prefix leaking
  • Date: July 11, 2003
  • Observations: traffic from Sprint (AS 1239) traverses ALGX (AS 2828)'s customer.
  • Reported by Route Normalizer
    • AS path 1239 6359 14751 2828 8001 violates AS relationship
    • Broadwing Communications (AS 6359) did not filter the announcement from its customer (AS 14751), which was learned from another provider, AS 2828.
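As an added example (not code from the Route Normalizer prototype), the Python below implements the AS relationship export check of slide 14 and the AS-level loop check of slide 13 and runs them over the leaked path on this slide. The relationship table is constructed: only AS 14751's two provider links and the Level 3 / Cogent peering come from the slides; the remaining links are assumed for illustration.

```python
# Added example: valley-free export check (slide 14) and AS-level loop check
# (slide 13) over a BGP AS_PATH. Not the Route Normalizer's own code.

# Constructed relationship table: (customer, provider) pairs.
CUSTOMER_OF = {
    (14751, 6359),  # slide 22: AS 14751 is a customer of AS 6359
    (14751, 2828),  # slide 22: AS 2828 is another provider of AS 14751
    (6359, 1239),   # assumed for illustration
    (8001, 2828),   # assumed for illustration
}
PEERS = {frozenset((3356, 174))}  # slide 23: Level 3 and Cogent peered

def relationship(a, b):
    """How AS a relates to AS b: 'customer', 'provider', 'peer' or None."""
    if (a, b) in CUSTOMER_OF:
        return "customer"
    if (b, a) in CUSTOMER_OF:
        return "provider"
    if frozenset((a, b)) in PEERS:
        return "peer"
    return None

def valley_violation(as_path):
    """Return the AS that exported a provider- or peer-learned route to a
    non-customer, or None if the path is valley-free. as_path is in BGP
    AS_PATH order (as_path[0] nearest the observer, as_path[-1] the origin),
    so as_path[i] learned from as_path[i + 1] and exported to as_path[i - 1].
    Links with unknown relationship are skipped, not flagged."""
    for i in range(1, len(as_path) - 1):
        asn, learned_from, exported_to = as_path[i], as_path[i + 1], as_path[i - 1]
        if (relationship(asn, learned_from) in ("customer", "peer")
                and relationship(asn, exported_to) in ("customer", "peer")):
            return asn  # provider/peer route sent on to a provider or peer
    return None

def has_as_loop(as_path):
    """True if an AS reappears non-adjacently (adjacent repeats are prepending)."""
    seen = set()
    for i, asn in enumerate(as_path):
        if i and as_path[i - 1] == asn:
            continue
        if asn in seen:
            return True
        seen.add(asn)
    return False

if __name__ == "__main__":
    leaked = [1239, 6359, 14751, 2828, 8001]  # path reported on slide 22
    print("offending AS:", valley_violation(leaked))  # 14751
```

The offending AS is the one whose export the Route Normalizer would flag; which action follows (modify, drop if an alternate route exists, alarm) is policy, as on slide 14.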

  23. Known routing problems from NANOG: instability
  • Date: Oct. 5, 2005
  • Observations: Level 3 (AS 3356) terminated its peering relation with Cogent (AS 174)
  • Reported by Route Normalizer
    • From Level 3's perspective, 1063 (100%) distinct prefixes withdrawn from AS 174, reported as anomalous routing behavior

  24. Outline
  • Design of Route Normalizer
  • Functionality of Route Normalizer
  • Prototype implementation and evaluation
  • Empirical evaluation using BGP data
  • Discussion

  25. Discussion
  • Attacks towards Route Normalizer
    • Resource overload attacks via increasing routing instability
    • Assigning penalty to detect malicious peers
    • Announcing maliciously long AS paths to increase computation
    • Optimizing AS relationship checking process
    • Raising alarms
  • Deployed with centralized routing decision platform, e.g. RCP

  26. Conclusion
  • Develop a platform for BGP traffic normalization
  • Propose the use of routing anomaly detection to achieve more robust routing
  • Perform extensive correlation between NANOG emails and anomaly detection using BGP data

  27. Thank you! Questions?