Tomas Hlavacek,Haya Shulman,Niklas Vogel,Michael Waidner

2023-03-21

Abstract:IP prefix hijacks allow adversaries to redirect and intercept traffic, posing a threat to the stability and security of the Internet. To prevent prefix hijacks, networks should deploy RPKI and filter bogus BGP announcements with invalid routes. In this work we evaluate the impact of RPKI deployments on the security and resilience of the Internet. We aim to understand which networks filter invalid routes and how effective that filtering is in blocking prefix hijacks. We extend previous data acquisition and analysis methodologies to obtain more accurate identification of networks that filter invalid routes with RPKI. We find that more than 27% of networks enforce RPKI filtering and show for the first time that deployments follow the business incentives of inter-domain routing: providers have an increased motivation to filter in order to avoid losing customers' traffic. Analyzing the effectiveness of RPKI, we find that the current trend to deploy RPKI on routeservers of Internet Exchange Points (IXPs) only provides a localized protection against hijacks but has negligible impact on preventing their spread globally. In contrast, we show that RPKI filtering in Tier-1 providers greatly benefits the security of the Internet as it limits the spread of hijacks to a localized scope. Based on our observations, we provide recommendations on the future roadmap of RPKI deployment. We make our datasets available for public use [<a class="link-external link-https" href="https://sit4.me/rpki" rel="external noopener nofollow">this https URL</a>].

Networking and Internet Architecture,Cryptography and Security

XL Zhao,D Pei,L Wang,D Massey,A Mankin,SF Wu,LX Zhang

DOI: https://doi.org/10.1109/dsn.2002.1028887

2002-01-01

Abstract:Network measurement has shown that a specific IP address prefix may be announced by more than one autonomous system (AS), a phenomenon commonly referred to as Multiple Origin AS, or MOAS. MOAS can be due to either operational need to support multi-homing, or false route announcements due to configuration or implementation errors, or even by intentional attacks. Packets following such bogus routes will be either dropped or, in the case of an intentional attack, delivered to a machine of the attacker's choosing.This paper presents a protocol enhancement to BGP which enables BGP to detect bogus route announcements from false origins. Rather than imposing cryptography-based authentication and encryption to secure routing message exchanges, our solution makes use of the rich connectivity among ASes that exists in the Internet. Simulation results show that this simple solution can effectively detect false routing announcements even in the presence of multiple compromised routers, become more robust in larger topologies, and can substantially reduce the impact of false routing announcements even with a partial deployment.

Xingang Shi,Yang Xiang,Zhiliang Wang,Xia Yin,Jianping Wu

DOI: https://doi.org/10.1145/2398776.2398779

2012-01-01

Abstract:Border Gateway Protocol (BGP) plays a critical role in the Internet inter-domain routing reliability. Invalid routes generated by mis-configurations or forged by malicious attacks may hijack the traffic and devastate the Internet routing system, but it is unlikely that a secure BGP can be deployed in the near future to completely prevent them. Although many hijacking detection systems have been developed, they more or less have weaknesses such as long detection delay, high false alarm rate and deployment difficulty, and no systematic detection results have been studied. This paper proposes Argus, an agile system that can accurately detect prefix hijackings and deduce the underlying cause of route anomalies in a very fast way. Argus is based on correlating the control and data plane information closely and pervasively, and has been continuously monitoring the Internet for more than one year. During this period, around 40K routing anomalies were detected, from which 220 stable prefix hijackings were identified. Our analysis on these events shows that, hijackings that have only been theoretically studied before do exist in the Internet. Although the frequency of new hijackings is nearly stable, more specific prefixes are hijacked more frequently. Around 20% of the hijackings last less than ten minutes, and some can pollute 90% of the Internet in less than two minutes. These characteristics make \emph{Argus} especially useful in practice. We further analyze some representative cases in detail to help increase the understanding of prefix hijackings in the Internet.

Yang Xiang,Zhiliang Wang,Xia Yin,Jianping Wu

DOI: https://doi.org/10.1109/ICNP.2011.6089080

2011-01-01

Abstract:The de facto inter-domain routing protocol, Border Gateway Protocol (BGP), plays a critical role in the Internet routing reliability. Invalid routes generated by mis-configurations or malicious attacks will devastate the Internet routing system. In the near future, deploying a secure BGP in the Internet to completely prevent hijacking is impossible. As a result, lots of hijacking detection systems have emerged. However, they have more or less weaknesses such as long detection delay, high false alarm rate or deploy hardness. This paper proposes Argus, an agile system to fast and accurate detect prefix hijacking. Argus already keeps on running in the Internet for two months and identified several possible hijackings. Initial results show that it usually discovers a hijacking in less than ten seconds, and can significantly decrease the false alarm rate.

WANG Bin,AN Jin-liang,WU Chun-ming,LAN Ju-long

DOI: https://doi.org/10.3969/j.issn.1000-436x.2012.05.012

2012-01-01

Journal of Communications

Abstract:A new approach was studied for BGP security:SE-BGP.By analyzing the security of SE-BGP,was found it had some secure leaks which couldnt resist active attack.To solve these secure problems of SE-BGP,an AS-alliance-based secure BGP scheme :SA-BGP was proposed,which used the aggregate signatures algorithm based on RSA.The SA-BGP has strong ability of security that can effectively verify the propriety of IP prefix origination and verifies the validity of an AS to announce network layer reachability information (NLRI).SA-BGP can large-scale reduced the number of the used certificates.Performance evaluation results that SA-BGP can be implemented efficiently and the incurred overhead,in terms of time and space,ptable in practice.

Donika Mirdita,Haya Schulmann,Niklas Vogel,Michael Waidner

2023-12-04

Abstract:Over recent years, the Resource Public Key Infrastructure (RPKI) has seen increasing adoption, with now 37.8% of the major networks filtering bogus BGP routes. Systems interact with the RPKI over Relying Party (RP) implementations that fetch RPKI objects and feed BGP routers with the validated prefix-ownership data. Consequently, any vulnerabilities or flaws within the RP software can substantially threaten the stability and security of Internet routing. We uncover severe flaws in all popular RP implementations, making them susceptible to path traversal attacks, remotely triggered crashes, and inherent inconsistencies, violating RPKI standards. We report a total of 18 vulnerabilities that canbe exploited to downgrade RPKI validation in border routers or, worse, enable poisoning of the validation process, resulting in malicious prefixes being wrongfully validated and legitimate RPKI-covered prefixes failing validation. Furthermore, our research discloses inconsistencies in the validation process, with two popular implementations leaving 8149 prefixes unprotected from hijacks, 6405 of which belong to Amazon. While these findings are significant in their own right, our principal contribution lies in developing CURE, the first-of-its-kind system to systematically detect bugs, vulnerabilities, and RFC compliance issues in RP implementations via automated test generation. CURE is a powerful RPKI publication point emulator that enables easy and efficient fuzzing of complex RP validation pipelines. It is designed with a set of novel techniques, utilizing differential and stateful fuzzing. We generated over 600 million test cases and tested all popular RPs on them. Following our disclosure, the vendors already assigned CVEs to the vulnerabilities we found.

Cryptography and Security

Donika Mirdita,Haya Schulmann,Michael Waidner

2024-08-22

Abstract:The Resource Public Key Infrastructure (RPKI) is the main mechanism to protect inter-domain routing with BGP from prefix hijacks. It has already been widely deployed by large providers and the adoption rate is getting to a critical point. Almost half of all the global prefixes are now covered by RPKI and measurements show that 27% of networks are already using RPKI to validate BGP announcements. Over the past 10 years, there has been much research effort in RPKI, analyzing different facets of the protocol, such as software vulnerabilities, robustness of the infrastructure or the proliferation of RPKI validation. In this work we compile the first systemic overview of the vulnerabilities and misconfigurations in RPKI and quantify the security landscape of the global RPKI deployments based on our measurements and analysis. Our study discovers that 56% of the global RPKI validators suffer from at least one documented vulnerability. We also do a systematization of knowledge for existing RPKI security research and complement the existing knowledge with novel measurements in which we discover new trends in availability of RPKI repositories, and their communication patterns with the RPKI validators. We weave together the results of existing research and our study, to provide a comprehensive tableau of vulnerabilities, their sources, and to derive future research paths necessary to prepare RPKI for full global deployment.

Cryptography and Security

Yan Yang,Xingang Shi,Xia Yin,Zhiliang Wang

DOI: https://doi.org/10.1109/trustcom.2016.0068

2016-01-01

Abstract:The correct functioning of inter-domain routing is of vital importance to the ever expanding Internet. As a common threat to the Internet, prefix hijackings often hijack traffic destined to some Autonomous Systems(ASes), leading to routing black holes or traffic interception. In this paper, we study two typical categories of prefix hijackings, namely false origin hijacking and man-in-the-middle interception, by extensive simulations. Our simulations are based on a new model which takes both the hierarchical Internet structure and the AS connectivity degrees into consideration. With this model, we explore the attacking/hijacking power of different ASes and their resisting power to this attack, where different categories of hijackings exhibit different characteristics. In addition, we also confirm that our results still hold considering various factors in the real Internet, including hidden links, prefix distribution, and RPKI, a countermeasure to prefix hijackings that is undergoing an active deployment in inter-domain routing. Some explanations and case studies are given to help better understanding of our results, which we hope will facilitate the deployment of RPKI and inspire new research.

Song Li,Haixin Duan,Zhiliang Wang,Jinjin Liang,Xing Li

DOI: https://doi.org/10.1007/s11432-015-5490-8

2016-01-01

Science China Information Sciences

Abstract:Previous research in interdomain routing security has often focused on prefix hijacking. However,several prefix interception events have happened lately, which poses a new security challenge to the interdomain routing system. Compared to prefix hijacking, prefix interception is much harder to detect, as it avoids black hole by forwarding the hijacked traffic back to the victim. In this paper, we present a novel method to detect prefix interception. Our approach exploits a key observation about prefix interception: during a prefix interception event, the attacker detours the intercepted traffic through its network, which turns it into a new important"transit point" for access to the victim. By collecting data plane information to detect the emerging "transit point" and using control plane information to verify it, our scheme can identify prefix interception in real time.The results of Internet experiments and Internet-scale simulations show that our method is accurate with low false alarm rate(0.28%) and false negative rate(2.26%).

Qi Li,Xinwen Zhang,Xin Zhang,Purui Su

DOI: https://doi.org/10.1109/tdsc.2014.2345381

2015-01-01

Abstract:Border Gateway Protocol (BGP) is vulnerable to routing attacks because of the lack of inherent verification mechanism. Several secure BGP schemes have been proposed to prevent routing attacks by leveraging cryptographic verification of BGP routing updates. In this paper, we present a new type of attacks, called TIGER, which aims to invalidate the “proven” security of these secure BGP schemes and allow ASes to announce forged routes even under full deployment of any existing secure BGP proposal. By launching TIGER attacks, malicious ASes can easily generate and announce forged routes which can be successfully verified by the existing secure BGP schemes. Furthermore, TIGER attacks can evade existing routing anomaly detection schemes by guaranteeing routing data-plane availability and consistency of control- and data-plane. Toward a new securing BGP scheme, we propose Anti-TIGER to detect and defend against TIGER attacks. Anti-TIGER enables robust TIGER detection by collaborations between ASes. In particular, we leverage Spread Spectrum Communication technique to watermark certain special probing packets, which manifest the existence of TIGER attacks. Anti-TIGER does not require any modifications in routing data-plane, therefore it is easy to deploy and incrementally deployable. We evaluate the effectiveness of TIGER and Anti-TIGER by experiments with real AS topologies of the Internet. Our experiment results show that TIGER attacks can successfully hijack a considerable number of prefixes. In the meanwhile, Anti-TIGER can achieve 100 percent detection ratio of TIGER attacks.

SU Yingying,LI Dan,YE Honglin

DOI: https://doi.org/10.11959/j.issn.1000-0801.2021050

2021-01-01

Abstract:The BGP (border gateway protocol) did not fully consider security issues at the beginning of its design.With the rapid growth of the Internet, its security risks have become incrementally obvious.Academia and industry have proposed many solutions to the security issues faced by inter-domain routing, and what is really deployed is the RPKI (resource public key infrastructure) promoted by the IETF (the Internet Engineering Task Force).The development status and research advances of RPKI were surveyed, with emphasis on problems of RPKI, existing solutions, and related limitations.Moreover, latest achievements on RPKI function extension were introduced.Finally, future research directions were concluded.

Lancheng Qin,Li Chen,Dan Li,Honglin Ye,Yutian Wang

DOI: https://doi.org/10.14722/ndss.2024.24214

2024-01-01

Abstract:BGP hijacking is one of the most important threats to routing security.To improve the reliability and availability of inter-domain routing, a lot of work has been done to defend against BGP hijacking, and Route Origin Validation (ROV) has become the best current practice.However, although the Mutually Agreed Norms for Routing Security (MANRS) has been encouraging network operators to at least validate announcements of their customers, recent research indicates that a large number of networks still do not fully deploy ROV or propagate illegitimate announcements of their customers.To understand ROV deployment in the real world and why network operators are not following the action proposed by MANRS, we make a long-term measurement for ROV deployment and further find that many non-compliant networks may deploy ROV only at part of customer interfaces, or at provider or peer interfaces.Then, we present the first notification experiment to investigate the impact of notifications on ROV remediation.However, our analysis indicates that none of the notification treatments has a significant effect.After that, we conduct a survey among network operators and find that economical and technical problems are the two major classes of reasons for non-compliance.Seeking a realistic ROV deployment strategy, we perform large-scale simulations, and, to our surprise, find that not following MANRS Action 1 can lead to better defence of prefix hijacking.Finally, with all our findings, we provide practical recommendations and outline future directions to help promote ROV deployment.

Yan Yang,Xia Yin,Xingang Shi,Zhiliang Wang,Jiong He,Tom Z. J. Fu,Marianne Winslett

DOI: https://doi.org/10.1016/j.comnet.2019.06.017

IF: 5.493

2019-01-01

Computer Networks

Abstract:As autonomous systems tend to forward packets along the path with minimal routing cost, Internet routes are unevenly distributed on physical links. Links which a large number of routes go through are called routing bottlenecks. Flooding such routing bottlenecks can degrade or even cut off the network connectivity in a large area, making them a serious vulnerability of the Internet. In this paper, we study the characteristics of inter-domain routing bottlenecks and point out that they can be further aggravated by manipulating BGP updates to launch prefix hijackings. We first simulate large quantities of AS-level routing paths to illustrate the pervasiveness of inter-domain routing bottlenecks, as well as their direction, topological location, distance and concentration. Then, we propose a method for measuring and aggravating inter-domain bottlenecks of some AS, such that link flooding on them can be effectively amplified in a stealthy way. Moreover, adversary can adjust the specific method according to its purpose of malicious behaviour. At last, we discuss how inter-domain routing bottlenecks may be affected as the Internet evolves, where we witness the new, or wider, deployment of some routing related mechanisms.

Jun He,Yahui Li,Han Zhang,Ming Wang,Changqing An,Jilong Wang

DOI: https://doi.org/10.1109/icc45041.2023.10278923

2023-01-01

Abstract:Prefix hijackings have always been a significant security issue in BGP and have continued to occur in recent years. Detecting prefix hijackings is a vital part of defending against them. Most detection approaches mainly rely on the feed from the monitors of public route collector infrastructures. We propose an injected sub-prefix hijacking that utilizes the BGP communities attribute and AS path poisoning to control the propagation of invalid sub-prefix routes. This attack only pollutes neighboring ASes, thus guaranteeing the invisibility to monitors. Then the attacker can stealthily hijack traffic passing through the polluted ASes. Through extensive simulations, we show that this attack has an enormous impact and propose the crucial indicator affecting the attacker's capability. Finally, we demonstrate that existing defenses are difficult to handle this attack and then propose several defense strategies against it.

LI Song,ZHUGE Jian-Wei,LI Xing

DOI: https://doi.org/10.3724/sp.j.1001.2013.04346

2013-01-01

Journal of Software

Abstract:BGP is a core Internet routing protocol.The Internet inter-domain routing relies on the exchange of BGP routing information.BGP has significant vulnerabilities,which have been found to cause problems such as prefix hijacking,route leak and Internet-targeted denial of service attack.First,by analyzing BGP route propagation and BGP routing policies,the fundamental flaw in the design of the protocol is revealed.The paper then discusses possible threats to BGP and presents a route leak model,which contributes to the description of its characteristics.Second,the existing defense mechanisms for BGP security are generalized,and their shortcomings are exposed.The paper then classifies various BGP security-enhancing technologies and studies them in detail to explore their advantages and disadvantages.Finally,the research trends of BGP security are discussed in this paper.

Pang-Wei Tsai,Aris Cahyadi Risdianto,Meng Hui Choi,Satis Kumar Permal,Teck Chaw Ling

DOI: https://doi.org/10.3390/fi13070171

2021-06-30

Future Internet

Abstract:In global networks, Border Gateway Protocol (BGP) is widely used in exchanging routing information. While the original design of BGP did not focus on security protection against deliberate or accidental errors regarding to routing disruption, one of fundamental vulnerabilities in BGP is a lack of insurance in validating authority for announcing network layer reachability. Therefore, a distributed repository system known as Resource Public Key Infrastructure (RPKI) has been utilized to mitigate this issue. However, such a validation requires further deployment steps for Autonomous System (AS), and it might cause performance and compatibility problems in legacy network infrastructure. Nevertheless, with recent advancements in network innovation, some traditional networks are planning to be restructured with Software-Defined Networking (SDN) technology for gaining more benefits. By using SDN, Internet eXchange Point (IXP) is able to enhance its capability of management by applying softwarized control methods, acting as a Software-Defined eXchange (SDX) center to handle numerous advertisement adaptively. To use the SDN method to strengthen routing security of IXP, this paper proposed an alternative SDX development, SD-BROV, an SDX-based BGP Route Origin Validation mechanism that establishes a flexible route exchange scenario with RPKI validation. The validating application built in the SDN controller is capable of investigating received routing information. It aims to support hybrid SDN environments and help non-SDN BGP neighbors to get trusted routes and drop suspicious ones in transition. To verify proposed idea with emulated environment, the proof-of-concept development is deployed on an SDN testbed running over Research and Education Networks (RENs). During BGP hijacking experiment, the results show that developed SD-BROV is able to detect and stop legitimate traffic to be redirected by attacker, making approach to secure traffic forwarding on BGP routers.

Wenqi Chen,Zhiliang Wang,Dongqi Han,Chenxin Duan,Xia Yin,Jiahai Yang,Xingang Shi

DOI: https://doi.org/10.14722/ndss.2022.24214

2022-01-01

Abstract:Securing inter-domain routing systems of the Internet from illegitimate prefix annoucements has been a great concern for the researchers and network operators.After the failure of many BGP (Border Gateway Protocol) security enhancement mechanisms to achieve extensive deployment, it is encouraging to see that the deployment of RPKI (Resource Public Key Infrastructure) is gradually increasing worldwide.For a deeper understanding of the impact of RPKI, many studies have been devoted to measuring the deployment of RPKI, including the deployment of ROA (Route Origin Authorization) and ROV (Route Origin Validation).Unlike the measurement of ROA deployment which can be directly derived from the data in RPKI repository, the measurement of ROV deployment requires more sophisticated measurement and inference techniques.However, existing work has limited measurement range, and the inference methods are either inaccurate or inefficient.In this paper, we propose a new framework, ROV-MI, for the measurement of ROV deployment, which consist of a largescale measurement infrastructure driven by in-the-wild RPKI invalid prefixes in the control plane to detect the filtering of these invalid updates with active probing in the data plane, and an efficient and accurate inference algorithm based on Bayesian inference techniques.We implement ROV-MI for measuring real-world ROV deployment and compare it to prior works, and the results show that ROV-MI can accurately infer ROV adoption of ∼10 times more ASes (Autonomous Systems) with less than 20% of the execution time compared to current stateof-the-art methods.

Yang Xiang,Xingang Shi,Jianping Wu,Zhiliang Wang,Xia Yin

DOI: https://doi.org/10.1016/j.comnet.2012.11.019

2012-01-01

Abstract:The inter-domain routing protocol, Border Gateway Protocol (BGP), plays a critical role in the reliability of the Internet routing system, but forged routes generated by malicious attacks or mis-configurations may devastate the system. The security problem of BGP has attracted considerable attention, and although several solutions have been proposed, none of them have been widely deployed due to weaknesses such as high computational cost or potential security compromise. This paper proposes Fast Secure BGP (FS-BGP), an efficient mechanism for securing AS paths and preventing prefix hijacking by signing critical AS path segments. We prove that FS-BGP can achieve a similar level of security as S-BGP, but with much higher efficiency. Our experiments use BGP UPDATE data collected from real backbone routers. Compared with S-BGP, FS-BGP only requires a very small cache, and can reduce the cost of signing and verification by orders of magnitude. Indeed, the signing and verification can be accomplished as fast as the most bursty BGP UPDATE arrivals, which implies that FS-BGP will hardly delay the propagation of routing information.

Man Zeng,Xiaohong Huang,Pei Zhang,Dandan Li,Kun Xie

DOI: https://doi.org/10.1109/tdsc.2024.3371644

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Resource Public Key Infrastructure (RPKI) defends against BGP prefix hijacking by signing Route Origin Authorizations (ROAs) and filtering malicious BGP routes with ROAs. However, RPKI&#x27;s low deployment weakens its defense against prefix hijacking. In the absence of a large fraction of Autonomous Systems (ASes) signing ROAs, the incentive to use filtering to eliminate hijacked prefixes commensurately decreases. There is a cyclic dependency here because reduced filtering in turn lessens the incentive for non-adoptees to become adoptees. Previous studies on RPKI deployment are mainly from the measurement perspective or focus on the deployment of large Internet Service Providers (ISPs). The above circular dependency problem inside the RPKI has not been fully studied. To improve RPKI&#x27;s defense, this paper studies the circular dependency problem from an evolutionary game theory perspective. We model the strategy evolution of ASes choosing to deploy signing alone, deploy filtering alone, or deploy both signing and filtering. The results show that when the deployment rates of signing and filtering reach a certain range, the evolution can reach an ideal deployment state at a faster speed. Therefore, to increase the probability of evolution reaching the ideal deployment state, we propose RPKIN to widen this interval and reduce the minimum deployment rate required for signing and filtering.

computer science, information systems, software engineering, hardware & architecture

Dan Pei,Lixia Zhang

2005-01-01

Abstract:At a fundamental level, all Internet applications rely on a dependable packet delivery service provided by the Internet routing system. However, measurements have shown that various faults (i.e., physical failures or misbehavior) occur from time to time in the Internet. For physical failures of routers or links, it takes existing Internet protocols 3 minutes on average to converge to alternative paths, resulting in interrupted packet delivery. For misbehavior (i.e., mis-configurations or malicious attacks) that could result in data traffic hijacking, current Internet routing protocols provide little defense. This dissertation studies how to build resilient Internet routing protocols to provide reliable packet delivery despite the faults in the context of Border Gateway Protocol (BGP). First, we evaluate the performance of the existing routing protocols in the face of physical failures, as measured by their ability to continue packet delivery service during routing convergence. Our results show that quickly propagating new reachability information has the most impact on the packet delivery performance. We also show that BGP's update rate-limiting timer is the major contributing factor to the duration of the transient loops. Second, to speed up BGP convergence and improve packet delivery, we propose the Root Cause Notification approach. This approach explicitly signals the failure information, which enables a node to invalidate all the paths that have become obsolete because of the same failure. It reduces the upper bound of BGP routing convergence delay from O(n) to O(d), where n is the number of nodes in a BGP network and d is the network diameter. We also develop a framework that enables us to fill the gaps in analytical results for existing convergence improvement algorithms. Third, we propose a novel semantic checking approach and develop mechanisms for detecting invalid paths in BGP and further identifying the attacker. In this approach, a node accumulates a network topology using the root cause in formation, path information in BGP message, and on-demand queries. A high detection ratio is achieved by comparing the received paths with the paths predicted based on the accumulated topology.