Henry Birge-Lee,Maria Apostolaki,Jennifer Rexford

2024-08-19

Abstract:As the deployment of comprehensive Border Gateway Protocol (BGP) security measures is still in progress, BGP monitoring continues to play a critical role in protecting the Internet from routing attacks. Fundamentally, monitoring involves observing BGP feeds to detect suspicious announcements and taking defensive action. However, BGP monitoring relies on seeing the malicious BGP announcement in the first place! In this paper, we develop a novel attack that can hide itself from all state-of-the-art BGP monitoring systems we tested while affecting the entire Internet. The attack involves launching a sub-prefix hijack with the RFC-specified NO_EXPORT community attached to prevent networks with the malicious route installed from sending the route to BGP monitoring systems. We study the viability of this attack at four tier-1 networks and find all networks we studied were vulnerable to the attack. Finally, we propose a mitigation that significantly improves the robustness of the BGP monitoring ecosystem. Our paper aims to raise awareness of this issue and offer guidance to providers to protect against such attacks.

Cryptography and Security,Networking and Internet Architecture

Meng Meng,Ruijuan Zheng,Mingchuan Zhang,Junlong Zhu,Qingtao Wu

DOI: https://doi.org/10.1007/978-3-030-38961-1_12

2019-01-01

Abstract:The Border Gateway Protocol (BGP) is a vital protocol on the Internet. However, the BGP is susceptible against the prefix interception attack, how to seek a secure route against prefix interception attacks is an important problem. For this reason, we propose a novel and effective router selection method on the Internet. First, we evaluate resilience of autonomous systems against prefix interception attacks. Second, we evaluate security risk of next-hop routers and we also obtain the historical performance of next-hop routers via online learning. Finally, we compromise the two performance metrics of routers' resilience and historical performance to choose a secure route. Our method is verified by network simulations. The results show that the proposed method has more resilience against prefix interception attacks.

WANG Bin,AN Jin-liang,WU Chun-ming,LAN Ju-long

DOI: https://doi.org/10.3969/j.issn.1000-436x.2012.05.012

2012-01-01

Journal of Communications

Abstract:A new approach was studied for BGP security:SE-BGP.By analyzing the security of SE-BGP,was found it had some secure leaks which couldnt resist active attack.To solve these secure problems of SE-BGP,an AS-alliance-based secure BGP scheme :SA-BGP was proposed,which used the aggregate signatures algorithm based on RSA.The SA-BGP has strong ability of security that can effectively verify the propriety of IP prefix origination and verifies the validity of an AS to announce network layer reachability information (NLRI).SA-BGP can large-scale reduced the number of the used certificates.Performance evaluation results that SA-BGP can be implemented efficiently and the incurred overhead,in terms of time and space,ptable in practice.

Qi Li,Jiajia Liu,Yih-Chun Hu,Mingwei Xu,Jianping Wu

DOI: https://doi.org/10.1109/mnet.2018.1800171

IF: 10.294

2019-01-01

IEEE Network

Abstract:The BGP suffers from numerous security vulnerabilities, for example, fake routing updates incurring traffic hijacking and interception. The BGPsec protocol is supposed to fix these vulnerabilities by attesting routing updates. Although the BGP security problem has been extensively studied, the security of BGP with BGPsec is not well studied yet. We argue that even secured with BGPsec, BGP still has inherent security vulnerabilities. In particular, traffic can still be hijacked. In this article, we systematically study the vulnerabilities of BGP with BGPsec. We find that the protocol still cannot achieve the desired security guarantee of inter-domain routing. In particular, it is unable to ensure correct packet delivery on the Internet. We measure the impacts of the vulnerabilities by using a real data trace, and discuss enhancements to the design and the implementation of the secure BGP protocol, which allows BGP to achieve strong secure inter-domain routing.

Ben Scott,Michael N. Johnstone,Patryk Szewczyk,Steven Richardson

DOI: https://doi.org/10.1016/j.comnet.2024.110257

IF: 5.493

2024-02-19

Computer Networks

Abstract:The Border Gateway Protocol (BGP), acting as the communication protocol that binds the Internet, remains vulnerable despite Internet security advancements. This is not surprising, as the Internet was not designed to be resilient to cyber-attacks, therefore the detection of anomalous activity was not of prime importance to the Internet creators. Detection of BGP anomalies can potentially provide network operators with an early warning system to focus on protecting networks, systems, and infrastructure from significant impact, improve security posture and resilience, while ultimately contributing to a secure global Internet environment. In this paper, we present a novel technique for the detection of BGP anomalies in different events. This research uses publicly available datasets of BGP messages collected from the repositories, Route Views and Réseaux IP Européens (RIPE). Our contribution is the application of a time series data mining approach, Matrix Profile (MP) , to detect BGP anomalies in all categories of BGP events. Advantages of the MP detection technique compared to extant approaches include that it is domain agnostic, is assumption-free, requires few parameters, does not require training data, and is scalable and storage efficient. The single hyper-parameter analysed in MP shows it is robust to change. Our results indicate the MP detection scheme is competitive against existing detection schemes. A novel BGP anomaly detection scheme is also proposed for further research and validation.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Lan Wang,Xiaoliang Zhao,Dan Pei,Randy Bush,Daniel Massey,Allison Mankin,S. Felix Wu,Lixia Zhang

DOI: https://doi.org/10.1145/637201.637231

2002-01-01

Abstract:Despite BGP's critical importance as the de-facto Internet inter-domain routing protocol, there is little understanding of how BGP actually performs under stressful conditions when dependable routing is most needed. In this paper, we examine BGP's behavior during one stressful period, the Code Red/Nimda attack on September 18, 2001. The attack was correlated with a 30-fold increase in the BGP update messages at a monitoring point which peers with a number of Internet service providers. Our examination of BGP's behavior during the event concludes that BGP exhibited no significant abnormality, and that over 40% of the observed updates can be attributed to the monitoring artifact in current BGP measurement settings. Our analysis, however, does reveal several weak points in both the protocol and its implementation, such as BGP's sensitivity to the transport session reliability, its inability to avoid the global propagation of small local changes, and its certain implementation features whose otherwise benign effects only get amplified under stressful conditions. We also identify areas for improvement in the current network measurement and monitoring effort.

Dan Pei,Lixia Zhang

2005-01-01

Abstract:At a fundamental level, all Internet applications rely on a dependable packet delivery service provided by the Internet routing system. However, measurements have shown that various faults (i.e., physical failures or misbehavior) occur from time to time in the Internet. For physical failures of routers or links, it takes existing Internet protocols 3 minutes on average to converge to alternative paths, resulting in interrupted packet delivery. For misbehavior (i.e., mis-configurations or malicious attacks) that could result in data traffic hijacking, current Internet routing protocols provide little defense. This dissertation studies how to build resilient Internet routing protocols to provide reliable packet delivery despite the faults in the context of Border Gateway Protocol (BGP). First, we evaluate the performance of the existing routing protocols in the face of physical failures, as measured by their ability to continue packet delivery service during routing convergence. Our results show that quickly propagating new reachability information has the most impact on the packet delivery performance. We also show that BGP's update rate-limiting timer is the major contributing factor to the duration of the transient loops. Second, to speed up BGP convergence and improve packet delivery, we propose the Root Cause Notification approach. This approach explicitly signals the failure information, which enables a node to invalidate all the paths that have become obsolete because of the same failure. It reduces the upper bound of BGP routing convergence delay from O(n) to O(d), where n is the number of nodes in a BGP network and d is the network diameter. We also develop a framework that enables us to fill the gaps in analytical results for existing convergence improvement algorithms. Third, we propose a novel semantic checking approach and develop mechanisms for detecting invalid paths in BGP and further identifying the attacker. In this approach, a node accumulates a network topology using the root cause in formation, path information in BGP message, and on-demand queries. A high detection ratio is achieved by comparing the received paths with the paths predicted based on the accumulated topology.

Tobias Bühler,Alexandros Milolidakis,Romain Jacob,Marco Chiesa,Stefano Vissicchio,Laurent Vanbever

DOI: https://doi.org/10.48550/arXiv.2301.12843

2023-01-30

Abstract:The lack of security of the Internet routing protocol (BGP) has allowed attackers to divert Internet traffic and consequently perpetrate service disruptions, monetary frauds, and even citizen surveillance for decades. State-of-the-art defenses rely on geo-distributed BGP monitors to detect rogue BGP announcements. As we show, though, attackers can easily evade detection by engineering their announcements. This paper presents Oscilloscope, an approach to accurately detect BGP hijacks by relying on real-time traffic analysis. As hijacks inevitably change the characteristics of the diverted traffic, the key idea is to track these changes in real time and flag them. The main challenge is that "normal" Internet events (e.g., network reconfigurations, link failures, load balancing) also change the underlying traffic characteristics - and they are way more frequent than hijacks. Naive traffic analyses would hence lead to too many false positives. We observe that hijacks typically target a subset of the prefixes announced by Internet service providers and only divert a subset of their traffic. In contrast, normal events lead to more uniform changes across prefixes and traffic. Oscilloscope uses this observation to filter out non-hijack events by checking whether they affect multiple related prefixes or not. Our experimental evaluation demonstrates that Oscilloscope quickly and accurately detects hijacks in realistic traffic traces containing hundreds of events.

Networking and Internet Architecture

Qi Li,Xinwen Zhang,Xin Zhang,Purui Su

DOI: https://doi.org/10.1109/tdsc.2014.2345381

2015-01-01

Abstract:Border Gateway Protocol (BGP) is vulnerable to routing attacks because of the lack of inherent verification mechanism. Several secure BGP schemes have been proposed to prevent routing attacks by leveraging cryptographic verification of BGP routing updates. In this paper, we present a new type of attacks, called TIGER, which aims to invalidate the “proven” security of these secure BGP schemes and allow ASes to announce forged routes even under full deployment of any existing secure BGP proposal. By launching TIGER attacks, malicious ASes can easily generate and announce forged routes which can be successfully verified by the existing secure BGP schemes. Furthermore, TIGER attacks can evade existing routing anomaly detection schemes by guaranteeing routing data-plane availability and consistency of control- and data-plane. Toward a new securing BGP scheme, we propose Anti-TIGER to detect and defend against TIGER attacks. Anti-TIGER enables robust TIGER detection by collaborations between ASes. In particular, we leverage Spread Spectrum Communication technique to watermark certain special probing packets, which manifest the existence of TIGER attacks. Anti-TIGER does not require any modifications in routing data-plane, therefore it is easy to deploy and incrementally deployable. We evaluate the effectiveness of TIGER and Anti-TIGER by experiments with real AS topologies of the Internet. Our experiment results show that TIGER attacks can successfully hijack a considerable number of prefixes. In the meanwhile, Anti-TIGER can achieve 100 percent detection ratio of TIGER attacks.

Joel Obstfeld,Xiaoyu Chen,Olivier Frebourg,Pavan Sudheendra

DOI: https://doi.org/10.48550/arXiv.1705.08666

2017-05-24

Abstract:BGP (Border Gateway Protocol) serves as the primary routing protocol for the Internet, enabling Autonomous Systems (individual network operators) to exchange network reachability information. Alongside significant on-going research and development efforts, there is a practical need to understand the nature of events that occur on the Internet. Network operators are acutely aware of security-related incidents such as 'Prefix Hijacking' as well as the impact of network instabilities that ripple through the Internet. Recent research focused on the study of BGP anomalies (both network/prefix instability and security-related incidents) has been based on the analysis of historical logs. Further analysis to understand the nature of these anomalous events is not always sufficient to be able to differentiate malicious activities, such as prefix- or sub-prefix- hijacking, from those events caused by inadvertent misconfigurations. In addition, such techniques are challenged by a lack of sufficient resources to store and process data feeds in real-time from multiple BGP Vantage Points (VPs). In this paper, we present a BGP Deep-analysis application developed using the PNDA (Platform for Network Data Analytics) 'Big-Data' platform. PNDA provides a highly scalable environment that enables the ingestion and processing of 'live' BGP feeds from many vantage points in a schema-agnostic manner. The Apache Spark-based application, in conjunction with PNDA's distributed processing capabilities, is able to perform high-level insights as well as near-to-real-time statistical analysis

Networking and Internet Architecture

LI Song,ZHUGE Jian-Wei,LI Xing

DOI: https://doi.org/10.3724/sp.j.1001.2013.04346

2013-01-01

Journal of Software

Abstract:BGP is a core Internet routing protocol.The Internet inter-domain routing relies on the exchange of BGP routing information.BGP has significant vulnerabilities,which have been found to cause problems such as prefix hijacking,route leak and Internet-targeted denial of service attack.First,by analyzing BGP route propagation and BGP routing policies,the fundamental flaw in the design of the protocol is revealed.The paper then discusses possible threats to BGP and presents a route leak model,which contributes to the description of its characteristics.Second,the existing defense mechanisms for BGP security are generalized,and their shortcomings are exposed.The paper then classifies various BGP security-enhancing technologies and studies them in detail to explore their advantages and disadvantages.Finally,the research trends of BGP security are discussed in this paper.

Alex A. Stewart,Marta F. Antoszkiewicz

DOI: https://doi.org/10.48550/arXiv.0908.0175

2009-08-03

Networking and Internet Architecture

Abstract:The Border Gateway Protocol (BGP) is an important component in today's IP network infrastructure. As the main routing protocol of the Internet, clear understanding of its dynamics is crucial for configuring, diagnosing and debugging Internet routing problems. Despite the increase in the services that BGP provide such as MPLS VPNs, there is no much progress achieved in automating the BGP management tasks. In this paper we discuss some of the problems encountered by network engineers when managing BGP networks. We also describe some of the open source tools and methods that attempt to resolve these issues. Then we present some of the features that, if implemented, will ease BGP management related tasks.

Dejing Dou,Jun Li,Han Qin,Shiwoong Kim,Sheng Zhong

DOI: https://doi.org/10.1137/1.9781611972771.46

2007-01-01

Abstract:Abnormal events, such as security attacks, misconfigurations, or electricity failures, could have severe consequences toward the normal operation of the Border Gateway Protocol (BGP) that is in charge of the delivery of packets between different autonomous domains, a key operation for the Internet to function. Unfortunately, it has been a difficult task for network security researchers and engineers to classify and detect these events. In our previous work, we have shown that with classification (which relies on the labeling with domain knowledge from BGP experts), it is feasible to effectively detect and distinguish some worms and blackouts from normal BGP behaviors. In this paper, we move one important step forward we show that we can automatically detect and classify between different abnormal BGP events based on a hierarchy discovered by clustering. As a systematic application of data mining, we devise a clustering method based on normalized BGP data that forms a tree-like hierarchy of abnormal BGP event classes. We then obtain a set of classification rules for each class (node) in the hierarchy, thus able to label unknown BGP data to a closest class. Our method works even as the BGP dynamics evolve over time, as shown in our experiments with seven different abnormal events during a four-year period. Our work, in a more general context, shows it is promising to conduct an interdisciplinary research between network security and data mining in solving real-world problems.

Yi GUO,Haixin DUAN,Liancheng ZHANG,Han QIU

DOI: https://doi.org/10.1360/n112016-00160

2017-01-01

Abstract:BGP (border gateway protocol) based inter-domain routing systems play an important role in the Internet. However, the BGP has certain design flaws, which result in many serious security problems for inter-domain routing systems. Compared to traditional attacks, such as prefix hijacking, large-scale LDoS attacks against inter-domain routing systems are extremely hard to detect, which is reflected in its attack traffic and reactions appearing to be legal. The concealment of such attacks makes existing security solutions insufficient. In this paper, we first analyze the feasibility of utilizing similarity theory for assessing the security situations in inter-domain routing systems. We then propose a similarity-theory-based method for evaluating the security situations in inter-domain routing systems. It uses multiple characteristics to describe the system security situation collectively and evaluates the security situation by measuring the deviation degree of the security characteristics to their norms. Because the ability of each characteristic to represent different attacks is not the same, we make use of weighted similarity to assess the deviation of the fusion characteristics from their normal state at various times. Experimental results show that our method can perceive threats in their early stages, regardless of an inter-domain routing system suffering from control plan attacks or data plan attacks.

Xingang Shi,Yang Xiang,Zhiliang Wang,Xia Yin,Jianping Wu

DOI: https://doi.org/10.1145/2398776.2398779

2012-01-01

Abstract:Border Gateway Protocol (BGP) plays a critical role in the Internet inter-domain routing reliability. Invalid routes generated by mis-configurations or forged by malicious attacks may hijack the traffic and devastate the Internet routing system, but it is unlikely that a secure BGP can be deployed in the near future to completely prevent them. Although many hijacking detection systems have been developed, they more or less have weaknesses such as long detection delay, high false alarm rate and deployment difficulty, and no systematic detection results have been studied. This paper proposes Argus, an agile system that can accurately detect prefix hijackings and deduce the underlying cause of route anomalies in a very fast way. Argus is based on correlating the control and data plane information closely and pervasively, and has been continuously monitoring the Internet for more than one year. During this period, around 40K routing anomalies were detected, from which 220 stable prefix hijackings were identified. Our analysis on these events shows that, hijackings that have only been theoretically studied before do exist in the Internet. Although the frequency of new hijackings is nearly stable, more specific prefixes are hijacked more frequently. Around 20% of the hijackings last less than ten minutes, and some can pollute 90% of the Internet in less than two minutes. These characteristics make \emph{Argus} especially useful in practice. We further analyze some representative cases in detail to help increase the understanding of prefix hijackings in the Internet.

Chen Shen,Ruixin Wang,Xiang Li,Peiying Zhang,Kai Liu,Lizhuang Tan

DOI: https://doi.org/10.3390/electronics13204072

IF: 2.9

2024-10-17

Electronics

Abstract:In the Internet, ASs are interconnected using BGP. However, due to a lack of security considerations in the design of BGP, a series of security issues arise during the propagation of routing information, such as prefix hijacking, route leakage, and AS path tampering. Therefore, this paper conducts research on the detection of route leakage. By analyzing BGP routing information, we abstract the routing propagation relationship between ASs into a network topology graph, and extract graph features from the graph abstracted from routing data at certain time intervals. Based on the structural robustness features and centrality measurement features of the graph, we determine whether a route leakage has occurred during the current time period. To this end, we use machine learning methods and propose a weighted voting model. This model trains multiple single models and assigns weights to them, and through the weighted analysis of the results of multiple models, it can determine whether a route leakage has occurred. In addition, to determine the corresponding weights, we use genetic algorithms for identifying route leaks. The experimental results show that the method used in this paper has a high accuracy rate, and compared with a single model, it performs better on multiple datasets.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yang Xiang,Zhiliang Wang,Xia Yin,Jianping Wu

DOI: https://doi.org/10.1109/ICNP.2011.6089080

2011-01-01

Abstract:The de facto inter-domain routing protocol, Border Gateway Protocol (BGP), plays a critical role in the Internet routing reliability. Invalid routes generated by mis-configurations or malicious attacks will devastate the Internet routing system. In the near future, deploying a secure BGP in the Internet to completely prevent hijacking is impossible. As a result, lots of hijacking detection systems have emerged. However, they have more or less weaknesses such as long detection delay, high false alarm rate or deploy hardness. This paper proposes Argus, an agile system to fast and accurate detect prefix hijacking. Argus already keeps on running in the Internet for two months and identified several possible hijackings. Initial results show that it usually discovers a hijacking in less than ten seconds, and can significantly decrease the false alarm rate.

Yi Guo,Haixin Duan,Jikun Chen,Fu Miao

DOI: https://doi.org/10.1016/j.comnet.2016.09.017

IF: 5.493

2016-01-01

Computer Networks

Abstract:The BGP-based inter-domain routing system plays an important role in the Internet. However, the BGP has some design flaws, which result in many serious security problems for the inter-domain routing system. Recently there has been a new kind of LDoS attack against BGP sessions from data plane. Compared to traditional control plane threats, such as prefix hijacking, the new attack, BGP-LDoS exploits the vulnerability of adaptive mechanism of BGP and would trigger a wild range of cascading failure in inter domain routing system. Unfortunately, existing methods are difficult to detect this threat. To end this, we propose a method based on adaptive fusion of multi features to perceive security threats of inter domain routing system. Several statistics attributes of BGP routing information are firstly chosen to be security features. Then we establish a normal state sub-model for each security features and fuse them together to describe the normal state of the system by linear weighting. Since the fusion model represents the system security state very well, we can obtain the threat probability by computing the deviation of security features from their normal values. The experimental results show that the method can perceive not only control plane threats but also data plane threats of inter domain routing system.

Yangyang Wang,Mingwei Xu

DOI: https://doi.org/10.1145/3405837.3411403

2020-01-01

Abstract:On the Internet, Border Gateway Protocol (BGP) is the standard to construct inter-domain routes among autonomous systems (ASes). Data traffic follows the inverse direction of BGP route propagation. For the outbound traffic, an AS can make its own selection in the range of the routes received from its peering neighbor ASes, and change the traffic outbound paths for better performance or bypassing failures. It is more difficult for ASes to control inbound traffic paths because it cannot determine the selection for remote ASes. An AS only has to manipulate BGP path attributes of the advertised prefixes it owns to trigger the potential path change from other ASes to itself.

Johannes Krupp,Christian Rossow

DOI: https://doi.org/10.1109/eurosp51992.2021.00036

2021-09-01

Abstract:Amplification DDoS attacks inherently rely on IP spoofing to steer attack traffic to the victim. At the same time, IP spoofing undermines prosecution, as the originating attack infrastructure remains hidden. Researchers have therefore proposed various mechanisms to trace back amplification attacks (or IP-spoofed attacks in general). However, existing traceback techniques require either the cooperation of external parties or a priori knowledge about the attacker. We propose BGPEEK-A-Boo, a BGP-based approach to trace back amplification attacks to their origin network. BGPEEK-A-Boo monitors amplification attacks with honeypots and uses BGP Poisoning to temporarily shut down ingress traffic from selected Autonomous Systems. By systematically probing the entire AS space, we detect systems forwarding and originating spoofed traffic. We then show how a graph-based model of BGP route propagation can reduce the search space, resulting in a 5 x median speed-up and over 20x for ¼ of all cases. BGPEEK-A-Boo achieves a unique traceback result 60% of the time in a simulation-based evaluation supported by real-world experiments.