Network Security: Routing security

Aapo Kalliola

T-110.5241 Network security, Aalto University, Nov-Dec 2012



Outline

  • Structure of internet

  • Routing basics

  • Security issues

  • Attack

  • Solutions (?)

  • Censorship and avoidance

  • Case studies



Couldn’t routing be trivial?

“Explosive growth is taxing current Internet routing mechanisms. New sites continue to join the Internet… In some sense, the Internet is a victim of its own success; many routing protocols are being used in environments for which they had not been designed.”

- Thomas Narten, “Internet routing”, 1989



Routing basics



Internet (?)



Internet, late 1980s

Hosts, networks and gateways

[Figure: hosts H1 and H3, networks N1–N5 and gateways G1–G6]



Internet, 1990s

Hierarchical structure

[Figure: hierarchy of national backbone, NAPs, regional access providers, local access providers / ISPs and customer IP networks]


Internet 2000s

Rise of hyper giants

Google, CDNs etc.

[Figure: global core / national backbone, IXPs, regional / Tier 2 providers, ISPs and customer IP networks]



Internet 2010s

Rise of IXPs

Google, CDNs etc.

[Figure: national backbone and IXPs carrying huge traffic, ISPs and customer IP networks]



What routing where?

  • Interior Gateway Protocols (IGP) within an Autonomous System (AS)

  • Exterior Gateway Protocols (EGP) between AS

    • EGP can also refer to the precursor of BGP

    • Border Gateway Protocol (BGP) is, in practice, the only EGP in use

[Figure: IGP inside the customer network, ISP and backbone; BGP between them; end host, ISP, IXP and backbone]


Routing in and between Autonomous Systems (ASes)

  • Tens of thousands of ASes

  • Hundreds of thousands of BGP prefixes

    • Entries are basically AS path – network prefix pairs, e.g.

    • 12345 35.128.0.0/16

  • Internally motivated by efficiency

  • Externally motivated by

    • Link costs

    • Transmission capacity

    • Load

    • Policy decisions



BGP prefix numbers increasing

(Team Cymru global BGP prefix count, November 2013)



Interior gateway protocols

  • IGPs exchange routing information within an AS

  • Link-state protocols maintain information about the whole network topology

    • Open Shortest Path First (OSPF)

    • Intermediate System to Intermediate System (IS-IS)

  • Distance-vector protocols converge over time to a common understanding of paths

    • RIP / RIPv2

    • IGRP

  • Hybrid protocols have features from both

    • EIGRP



Border gateway protocol

  • BGP is the protocol for making routing decisions between ASes

  • Routing decisions are not made by automation but rather by commercial interests

  • Two main types of relations:

    • Peering – exchanging traffic freely between peers

    • Transit – smaller AS buying data transit from larger AS


BGP

  • Design goals

    • Scalability for connecting AS on internet scale

    • Enabling policy decisions such as filtering route announcements

    • Must work in a distributed competitive environment (vs. early centralized internet)

  • Two types of BGP sessions

    • eBGP for routers from different ASes

      • Route information exchange between ASes

    • iBGP for routers within AS

      • Disseminating information about learned external routes within AS



How routes are distributed

  • AS may be in three relations to another AS:

    • Peer

    • Customer

    • Provider

  • Typical model, not always so:

    • Routes from customers are re-distributed to customers, peers and providers

    • Peer-learned routes are re-distributed to customers but not to other peers nor to providers

    • Provider-learned routes are re-distributed to customers, but not to other providers, nor to any peers



BGP (cont.)

  • Data plane in green: host to host traffic

  • Control plane in blue: BGP route information

  • Both BGP and data flows need to work in reverse for two-way communication

    • Reverse path doesn’t need to be the same, though

[Figure: AS1, AS2, AS4, AS5, AS6 and AS7 with hosts H1 and H2; data plane in green, control plane in blue]



BGP leak/hijack

  • Another AS claims to have a better route to a certain network

  • Reverse direction doesn’t need to be hijacked unless the attacker wants to do a MitM attack

[Figure: AS1, AS2, AS4, AS5, AS6 and AS7 with hosts H1, H2 and H3; one AS claims a better route]



How an AS is created

  • Apply for an AS number from local Regional Internet Registry

  • Get a connection to an IXP

    • Could also just use a normal ISP -> waste of AS numbers

  • Get transit or peering from another AS

    • -> you’re on!



Security issues in routing



Attacks on BGP – outside

  • Link cutting

    • Physical

    • Logical

    • DoS

  • Attacks using data plane

    • Clever use of data plane DDoS to cut BGP connections



CXPST

  • CXPST is an extension of previous low-rate TCP attack work on DDoSing big routers

  • Ingredients:

    • medium-sized botnet (250000 bots)

    • Internet structure reconnaissance

    • Good timing

  • Overwhelm one router at a time

    • Router drops its BGP connections

    • When the router is re-establishing BGP connections, target the neighbours

  • Could theoretically take down large parts of the internet



Attacks on BGP – inside

  • Attacks on control plane

    • Route leaks

    • Route hijacks

    • Man-in-the-Middle

      • Tricky but possible

  • Possible to find attacker AS, though not trivial



How to get inside?

  • Set up a throw-away AS

    • Use false information and stolen credit cards

  • Establish transit/peering

    • No need to have many connections

  • Advertise malicious routes

  • Profit!!

    • (or whatever you want to do with the traffic you get)

  • Leave the AS untended



Route leaking / hijacking

  • Route leaking

    • Accidental by definition

    • AS_x has multiple links to other ASes

    • AS_x gets the complete internet route announcement set from its provider

    • AS_x accidentally announces the set through another AS link

    • This wrong announcement gets propagated

    • -> all traffic from affected ASes goes to AS_x

  • Route hijacking

    • Malicious by definition

    • AS_x announces a very good path to the target network

    • ASes receiving the announcement prefer this path and route traffic directed to the target to AS_x

    • -> traffic directed to the attack target from affected ASes gets intercepted by AS_x

  • Could be indistinguishable from each other
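Checking received AS paths against the re-distribution model from the "How routes are distributed" slide is one way to catch the accidental leak described above: a route learned from a provider that shows up again via another provider or peer has violated the export policy somewhere along the path. The following is an added example, not from the slides or any router vendor's code; the AS numbers, their provider/customer and peer relationships, and the function names are all constructed for illustration. It does not address the hijack case, where the origin itself is forged and origin authentication is needed instead.

```python
# Added example (not from the slides): simulate the typical BGP export policy
# and check received AS paths against it to flag route leaks.
# All AS numbers and relationships below are constructed for illustration.

# Provider-to-customer edges as (provider, customer). AS100 sells transit to
# AS200 and AS300; AS200 and AS300 both sell transit to AS400; AS500 sells
# transit to AS300.
P2C = {(100, 200), (100, 300), (200, 400), (300, 400), (500, 300)}
# Settlement-free peerings.
P2P = {frozenset((100, 500)), frozenset((200, 300))}


def relationship(me, neighbour):
    """How AS `me` sees AS `neighbour`: 'customer', 'provider', 'peer' or None."""
    if (me, neighbour) in P2C:
        return "customer"
    if (neighbour, me) in P2C:
        return "provider"
    if frozenset((me, neighbour)) in P2P:
        return "peer"
    return None


def export_allowed(learned_from):
    """Neighbour types a route may be re-distributed to, given the type of the
    neighbour it was learned from (the 'typical model' on the slide)."""
    if learned_from == "customer":
        return {"customer", "peer", "provider"}
    return {"customer"}  # peer- and provider-learned routes: customers only


def export_targets(learned_from, neighbours):
    """Which of `neighbours` ([(asn, type), ...]) receive the route."""
    allowed = export_allowed(learned_from)
    return [asn for asn, kind in neighbours if kind in allowed]


def check_leak(observer, as_path):
    """Verify an AS_PATH received by `observer` (BGP order: nearest AS first,
    origin last). Every AS that re-distributed the route must have been allowed
    to do so under export_allowed(); the first violation is reported as a leak."""
    hops = list(reversed(as_path)) + [observer]  # propagation order
    for i in range(1, len(hops) - 1):
        prev_hop, cur, next_hop = hops[i - 1], hops[i], hops[i + 1]
        learned = relationship(cur, prev_hop)
        exported = relationship(cur, next_hop)
        if learned is None or exported is None:
            return False, f"unknown relationship at AS{cur}"
        if exported not in export_allowed(learned):
            return False, (f"AS{cur} re-distributed a {learned}-learned route "
                           f"to its {exported} AS{next_hop}")
    return True, "path consistent with export policy"


if __name__ == "__main__":
    # AS400 learned a route from its provider AS200; it may only pass it on to
    # customers, and it has none, so nothing should be exported.
    print(export_targets("provider", [(200, "provider"), (300, "provider")]))
    # AS300 nevertheless receives that route from AS400: a provider-learned
    # route handed to another provider, i.e. the accidental leak on the slide.
    print(check_leak(300, [400, 200, 100]))
    # Legitimate path: AS400 originates, AS200 exports its customer's route to
    # its peer AS300.
    print(check_leak(300, [200, 400]))
```

The relationship data is the weak point of this approach in practice: it has to be inferred or obtained out of band, and an inference error produces false leak alarms, so such checks are a prompt for investigation rather than an automatic filter.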



BGP Man-in-the-Middle

  • Traceroute & plan reply path to target

  • Note the ASNs seen towards the target from traceroute and the BGP table on your router

  • Apply AS-path prepends naming each of the ASNs intended for the reply path

  • Set up static routes towards the next hop of the first AS in reply path

  • -> done



Case from Nov 2013



Attacks



Traffic snooping

  • Comprehensive traffic recording?

    • This might already be going on without need for BGP attacks

  • Popularization of IXPs?

    • “A few people operate the SIX with a few Cisco switches in a rack. Essentially every major carrier and service provider now connects to the SIX..”

    • Not really indicative of any real problem with IXPs, just that there are many different parties involved in getting a data packet from source to destination



Traffic spoofing

  • MITM for all traffic

    • Can also modify, possibly without detection

  • Total interception

    • Faked replies

  • Censorship purposes

    • Dropping / resetting / redirecting replies



Other

  • Spamming (fly-by)

    • Capture a network that hasn’t been used for malicious activity

    • Send spam from the network

    • Network gets blocked

    • Repeat

  • DoS

    • Capture the target network

    • Drop the incoming traffic

  • Target impersonation

    • Capture the target network

    • Reply to incoming traffic with valid responses of your own

  • Attacking the routers themselves

    • Default passwords



How to react?

  • Analysis of what is happening

    • Where the attack originates

  • Malicious vs. Accidental

    • Malicious attacks difficult to stop

      • Must get several ASes to cooperate in filtering out the offending route announcements

    • Accidents are fixed by informing the origin of the erroneous announcement -> fixed in minutes, usually

  • After origin is fixed the global routing state corrects itself

    • Complete correction might take a long time: hours/days



Solutions (?)



Sanity checks

  • Maximum number of routes accepted from a neighbouring AS

    • Helps against accidental “all-of-internet here” route leaks

  • Not accepting too specific routes

    • /22 probably ok, /32 suspicious

  • Cutting BGP sessions that clearly advertise erroneous routes

    • Might cause even worse problems
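As an added example (not from the slides), here are the two sanity checks from this slide applied to one neighbour's announcements in Python: a per-prefix specificity check and a per-neighbour maximum-prefix limit. The limits (100 prefixes, nothing longer than /24 for IPv4 or /48 for IPv6), the neighbour ASN 65001 and the function names are assumptions chosen for the demonstration, not settings from any real router.

```python
import ipaddress

# Constructed policy knobs (assumptions for this example, not values from the
# slides): a per-neighbour prefix limit and the most specific prefix length
# accepted per address family.
MAX_PREFIXES = 100
MAX_PREFIX_LEN = {4: 24, 6: 48}


def check_announcement(prefix):
    """Sanity-check a single announced prefix. Returns (accept, reason)."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    limit = MAX_PREFIX_LEN[net.version]
    if net.prefixlen > limit:
        return False, f"too specific: /{net.prefixlen} is longer than /{limit}"
    return True, "ok"


def apply_neighbour_policy(neighbour_asn, announcements, max_prefixes=MAX_PREFIXES):
    """Run the per-prefix checks over one neighbour's announcements and apply
    the maximum-prefix limit to what survived. Returns a dict with the accepted
    prefixes, the rejected (prefix, reason) pairs, and whether the session
    would be torn down because the limit was exceeded."""
    accepted, rejected = [], []
    for prefix in announcements:
        ok, reason = check_announcement(prefix)
        if ok:
            accepted.append(prefix)
        else:
            rejected.append((prefix, reason))
    # Tearing down the session also drops the neighbour's legitimate routes,
    # which is the "might cause even worse problems" caveat on the slide.
    teardown = len(accepted) > max_prefixes
    return {
        "neighbour": neighbour_asn,
        "accepted": accepted,
        "rejected": rejected,
        "session_teardown": teardown,
    }


if __name__ == "__main__":
    # A customer announcing its own /16, a /22 sub-allocation and a stray host route.
    print(apply_neighbour_policy(65001, ["35.128.0.0/16", "35.128.0.0/22", "35.128.5.1/32"]))
    # The same customer accidentally re-announcing a large chunk of the table:
    # every prefix passes the per-prefix checks, but the count trips the limit.
    leak = [f"10.{i // 256}.{i % 256}.0/24" for i in range(300)]
    print(apply_neighbour_policy(65001, leak)["session_teardown"])  # True
```

The limit is applied to prefixes that passed the per-prefix checks; real implementations differ on whether they count before or after inbound policy, so the limit has to be chosen with that behaviour in mind.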



Origin authentication

  • An AS gets a crypto certificate from its RIR containing its network and AS number

  • It’s possible to verify AS identity using Resource Public Key Infrastructure (RPKI)

  • Additional overhead

  • Many routers don’t support RPKI
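An added example of what RPKI-based origin validation does with a received announcement (not from the slides; the ROA set, the max_length values and every ASN other than the slide's 12345 / 35.128.0.0/16 pairing are constructed). It implements the three validation states of RFC 6811 and shows why a hijack of the slide's example prefix, or of a more-specific carved out of it, is rejected once a ROA for it exists, while prefixes with no ROA are still accepted.

```python
import ipaddress
from collections import namedtuple

# A Route Origin Authorization as published through RPKI: the holder of
# `prefix` authorizes `asn` to originate it, and any more-specific prefix no
# longer than `max_length`.
ROA = namedtuple("ROA", "prefix max_length asn")

# Constructed ROA set. AS 12345 / 35.128.0.0/16 is the pairing used on the
# slides; the max_length values and the IPv6 entry are assumptions.
ROAS = [
    ROA(ipaddress.ip_network("35.128.0.0/16"), 20, 12345),
    ROA(ipaddress.ip_network("2001:db8::/32"), 48, 64500),
]


def validate_origin(prefix, origin_asn, roas=ROAS):
    """Route Origin Validation (RFC 6811 states): 'valid' if some covering ROA
    authorizes this origin AS at this prefix length, 'invalid' if covering ROAs
    exist but none matches, 'not-found' if no ROA covers the prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def rov_decision(prefix, origin_asn, roas=ROAS):
    """Map the validation state to a routing decision. With RPKI coverage far
    from complete, 'not-found' routes are still accepted; only 'invalid' ones
    are dropped."""
    state = validate_origin(prefix, origin_asn, roas)
    return state, state != "invalid"


if __name__ == "__main__":
    # Legitimate announcement by the prefix holder.
    print(rov_decision("35.128.0.0/16", 12345))      # ('valid', True)
    # Hijack: a different AS claims the same prefix.
    print(rov_decision("35.128.0.0/16", 64666))      # ('invalid', False)
    # More-specific hijack: a /24 inside the holder's /16.
    print(rov_decision("35.128.5.0/24", 64666))      # ('invalid', False)
    # Even the holder cannot originate beyond the ROA's max_length.
    print(rov_decision("35.128.5.0/24", 12345))      # ('invalid', False)
    # Prefix with no ROA at all: unknown, accepted as before RPKI.
    print(rov_decision("198.51.100.0/24", 64496))    # ('not-found', True)
```

`subnet_of()` needs Python 3.7 or later. The fourth case is the one that bites operators in practice: a ROA whose max_length is tighter than the prefixes actually announced makes the holder's own more-specifics invalid, which is one reason the "additional overhead" point on the slide is about operations as much as router CPU.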



Secure Origin BGP

  • Certificate-based system, backed by Cisco

  • Options for transporting certificates by various means

    • Even on data plane

  • Tweaking routes by accepting some and denying others is possible



S-BGP

  • Certificate-based system, somewhat similar to soBGP

  • Requires PKI

  • Provides path verification and point-to-point security between routers (IPSec)

  • Authorization for both advertising ownership of a network and for advertising being part of a route



Data-plane verification

  • Requires functionality on both control and data plane

  • In addition to normal BGP operation, check for data plane reachability problems

    • Works for blackholing, accidents and stale routes

  • Does not require PKI infrastructure

  • Overhead!



Counterpoint 1/3

  • Partial adoption of secured BGP may actually decrease the overall security of a network!

  • Lychev et al., “BGP Security in Partial Deployment: Is the Juice Worth the Squeeze?”, SIGCOMM 2013

    • http://conferences.sigcomm.org/sigcomm/2013/papers/sigcomm/p171.pdf



Counterpoint 2/3

[Figure: ASes W, Y, Z, X, V, M and D announcing a prefix over links labelled P/S; X offers the shorter path, and W and V are marked “?” as they decide which path to prefer]



Counterpoint 3/3

Y experiences collateral damage because X is secure!

[Figure: the same topology with P/S-labelled links; W offers the shorter path, and W and V are again marked “?”]



Censorship and avoidance



Great firewall of China

  • Does

    • snooping

    • filtering

    • DNS injection

  • Also tries to prevent accessing foreign proxies for free internet access

  • Unwittingly also affects traffic transiting through China

    • For instance German subnets have received censored DNS replies

    • Hopefully fixed since it was published in fall 2012



Decoy Routing

  • Set up routers with special functionality randomly around the internet

  • Censored end hosts apparently try to access allowed content

  • A special router is on the path to the allowed content

  • The special router recognizes the end host and routes the request to the censored content

  • Censored content origin is faked to look like allowed content origin

  • Censored end host receives the censored content



Problems in previous proposal

  • The special routers need to be on the traffic path

    • Number of routers required already quite high ..

    • .. especially if the censor has lots of connections

  • If the censor is capable of modifying routing

    • Interconnectivity way too high to deploy enough routers

    • Nation-wide censorship usually is routing-capable



More case studies



AS 7007 incident, 1997

  • ..where the BGP worries started

  • AS 7007 started leaking a large part of the complete route table

    • -> Much of the traffic in the internet was blackholed

  • The leaked routes took priority in BGP because the announced networks were chopped into more-specific /24 blocks

  • BGP cleanup took quite a while



ICANN DNS root server L, 2008

  • ICANN moved root server L to a new IP address

  • Regardless, the old IP kept responding to DNS requests


Pakistan blocking YouTube, 2008

  • Country-internal blocking got leaked to the whole internet



China Telecom 2010

  • China “leaked” routes and captured a significant portion of internet traffic for some minutes



Australia outage, 2012

  • 30 mins

  • Filtering failure leading to route leakage leading to BGP session kill due to maximum prefix limiting



Summary

  • Logical structure of internet is a function of commercial interests and geography

  • Internet routing is largely based on trust and correct operation

  • Don’t blindly trust internet routing

  • Good practices help!

    • http://tools.ietf.org/html/draft-jdurand-bgp-security-00



Further reading

  • BGP Man-in-the-Middle

    • http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf

    • http://www.renesys.com/2013/11/mitm-internet-hijacking/

  • China's 18-Minute Mystery

    • http://www.renesys.com/blog/2010/11/chinas-18-minute-mystery.shtml

  • How the Internet in Australia went down under

    • http://www.bgpmon.net/how-the-internet-in-australia-went-down-under/

  • How Secure are Secure Interdomain Routing Protocols?

    • http://research.microsoft.com/pubs/120428/bgpattack-full.pdf

