17th ACM CCS Poster (October 2010); 18th NDSS Symposium (February 2011). Losing Control of the Internet: Using the Data Plane to Attack the Control Plane. Max Schuchard, Abedelaziz Mohaisen, Denis Foo Kune, Nicholas Hopper, Yongdae Kim (University of Minnesota); Eugene Y. Vasserman. PowerPoint presentation.
Losing Control of the Internet: Using the Data Plane to Attack the Control Plane
Max Schuchard, Abedelaziz Mohaisen, Denis Foo Kune, Nicholas Hopper, Yongdae Kim (University of Minnesota)
Eugene Y. Vasserman (Kansas State University)
17th ACM CCS Poster (October 2010); 18th NDSS Symposium (February 2011)
A Seminar at Advanced Defense Lab
Outline
•Introduction
•Background
•The CXPST Attack
•Simulation
•Toward Defenses
•Related Work
Introduction – New Type of DDoS
[Figure: attackers' bots send CBR flows across the Internet toward a destination; the target is the link the flows traverse (labels: Target, Target link, Destination, Attackers, Bots, CBR).]
How serious can the attack be?
•In this paper, we propose a new attack
▫Coordinated Cross Plane Session Termination (CXPST)
▫We attack BGP sessions
Shrew Attack [link]
•Low-Rate TCP-Targeted Denial of Service Attacks
•Aleksandar Kuzmanovic and Edward W. Knightly (Rice University)
•ACM SIGCOMM 2003
TCP Retransmission
[Figure: TCP congestion window size (packets) vs. time. Starting from the initial window size, the window grows while no packets are lost and ACKs are received; after a packet loss with no ACK received, the sender retransmits after minRTO, then 2 x minRTO, then 4 x minRTO.]
Shrew Attack (cont.)
[Figure: TCP congestion window size (segments) vs. time, with the attack pulses timed to the retransmission attempts at minRTO, 2 x minRTO and 4 x minRTO after the initial window size.]
Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing
•Ying Zhang, Z. Morley Mao, Jia Wang (University of Michigan & AT&T Labs Research)
•NDSS Symposium 2007
•We term it the ZMW attack
Border Gateway Protocol [wiki]
•The Internet can be divided into two distinct parts
▫The data plane, which forwards packets to their destination
▫The control plane, which determines the path to any given destination
•BGP is the de facto standard routing protocol of the control plane
BGP Sessions
[Figure: routers in AS 1 and AS 2 (labels: CBR, BR) hold a BGP session whose transport is a TCP connection. Keepalive messages confirm peer liveness and determine peer reachability; when the BGP HoldTimer expires, the BGP session is reset.]
Attacking BGP Sessions
[Figure: a UDP-based attack flow from Attacker A to Receiver B crosses Router R1 and Router R2 (CBR labels). The first retransmitted BGP Keepalive message is sent after minRTO.]
Attacking BGP Sessions (cont.)
[Figure: the same UDP-based attack flow from Attacker A to Receiver B across Router R1 and Router R2. After minRTO the first retransmission is lost; the 2nd retransmitted BGP Keepalive message is sent after 2*minRTO.]
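The session-teardown mechanism in the two figures above, as an added example that is not part of the original slides or the paper: a toy Python timing model in which KEEPALIVEs travel over TCP with exponential retransmission backoff from an assumed minRTO of 1 s, while a constructed square-wave loss pattern stands in for the pulsed CBR flows. It also shows why the pulse period must line up with minRTO, and what the "disabled hold timer" defense from the later slides changes.

```python
"""Added example (not from the slides): toy timing model of how pulsed
data-plane congestion (Shrew/ZMW style) can run down a BGP hold timer.
Assumed: KEEPALIVEs ride on TCP, a dropped segment is retransmitted with
exponential backoff starting at minRTO, and the peer resets its hold timer
only when a KEEPALIVE is actually delivered."""
from dataclasses import dataclass


@dataclass
class BgpSession:
    keepalive_interval: float = 60.0  # seconds between KEEPALIVE sends
    hold_time: float = 180.0          # default hold time cited on the slides
    min_rto: float = 1.0              # TCP minRTO; 1 s is an assumed value


def pulsed_loss(period, burst):
    """Square-wave loss model: the link is saturated for `burst` seconds out
    of every `period` seconds, so any segment sent inside a burst is dropped.
    Constructed for this example; the sender's duty cycle is burst/period."""
    return lambda t: (t % period) < burst


def hold_timer_expiry(session, lossy, horizon=600.0):
    """Return the time at which the peer's hold timer fires, or None if every
    KEEPALIVE is delivered in time. A KEEPALIVE delivered at t=0 is assumed;
    retransmissions are only followed up to `horizon`."""
    last_received = 0.0
    t_send = session.keepalive_interval
    while t_send < horizon:
        # TCP retransmits the same segment, doubling the timer each time
        # (minRTO, 2 x minRTO, 4 x minRTO, ... as in the slide diagram).
        attempt, rto = t_send, session.min_rto
        while lossy(attempt) and attempt < horizon:
            attempt += rto
            rto *= 2
        if attempt - last_received > session.hold_time:
            return last_received + session.hold_time
        last_received = attempt
        t_send += session.keepalive_interval
    return None


if __name__ == "__main__":
    s = BgpSession()
    print("no loss:", hold_timer_expiry(s, lambda t: False))                 # None
    print("pulse 0.5s/1.0s:", hold_timer_expiry(s, pulsed_loss(1.0, 0.5)))  # 180.0
    print("pulse 0.5s/2.0s:", hold_timer_expiry(s, pulsed_loss(2.0, 0.5)))  # None
    no_hold = BgpSession(hold_time=float("inf"))  # hold timer disabled
    print("hold timer disabled:", hold_timer_expiry(no_hold, pulsed_loss(1.0, 0.5)))
```

With a 0.5 s burst every 1.0 s (half the link's time) every retransmission lands in a burst and the peer's hold timer fires at 180 s, whereas the same burst every 2.0 s lets the odd-numbered retransmissions through and the session survives.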
Background
•BGP update messages
▫When a router in an AS changes its routing table, it recomputes its routes and informs its neighboring ASes of the change via a BGP update message. This change might trigger the same series of events in other border routers.
Background (cont.)
•BGP Stability
▫When a set of routes oscillates rapidly between being available and unavailable, it is termed route flapping.
▫Some defense mechanisms: Minimum Route Advertisement Intervals (MRAI); BGP Graceful Restart [RFC 4724]; Route Flap Damping [RFC 2439]
The CXPST Attack
•We force the targeted links to oscillate between “up” and “down” states. In essence, CXPST induces targeted route flapping.
•By creating a series of localized failures that have near global impact, CXPST has the potential to overwhelm the computational capacity of a large set of routers on the Internet.
The Key Tasks
•First, the correct BGP sessions must be selected for attack.
•Second, the attacker needs to direct the traffic of his botnet onto the targeted links.
•Lastly, the attacker must find a way to minimize the impact of existing mechanisms.
Selecting Targets (cont.)
•Edge betweenness centrality [wiki]
▫$C_B(e) = \sum_{s \neq t \in V} \frac{\sigma_{st}(e)}{\sigma_{st}}$, where $\sigma_{st}$ is the number of shortest paths between $s$ and $t$ and $\sigma_{st}(e)$ the number of those that pass through edge $e$
•Modified definition
▫$C_B(e) = \sum_{s \neq t \in V} [\, e \in \mathrm{path}_{st} \,]$, i.e. the number of source-destination pairs whose single BGP path traverses $e$
Selecting Targets
•By aggregating the tracerouting results, an attacker can generate a rough measure of the BGP betweenness of links.
•Equal cost multi-path routing (ECMP) [wiki]
▫Any links that are possibly using it are removed from the set of potential targets.
Attack Traffic Management
•The strategy fails to take into account the fact that network topology is dynamic.
▫The attacker must ensure that the path does not contain other links that are being targeted as well.
Attack Traffic Management (cont.)
•There is the possibility that we will saturate bandwidth capacity on the way to the target link.
▫Studer and Perrig, “The Coremelt Attack,” ESORICS 2009
▫Max flow algorithm
Simulation
•We started building our simulator’s topology by examining the wealth of data on the AS-level topology of the Internet made available from CAIDA. [link]
•Using January 2010 data
•The result was a connected graph with 1829 ASes and nearly 13,000 edges.
Simulation - Bandwidth
•Core AS links
▫OC-768 (38.5 Gbit/s)
•The attacker’s resources
▫OC-3 (155 Mbit/s)
Simulation - Botnet
•Recent papers on botnet enumeration have given us some insight into the distribution of bots throughout the Internet.
▫Waledac botnet [link]
Simulation Results
•CXPST was simulated with botnets of 64, 125, 250, and 500 thousand nodes.
•Targets were selected from the core routers in our topology, the top 10% of ASes by degree.
Simulation Results – Failed Sessions
Simulation Results – BGP Update
•Normal loads from RouteViews [link]
Simulation Results – BGP Update
•Median router load under attacks
Simulation Results – BGP Update
•Some top ASes under attack
Simulation Results – Time-to-Process
•The default hold time is 180 secs
Toward Defenses
Our method
•Stop the ZMW attack
▫Remove the mechanism that allows Zhang et al.’s attack to function. This is easier said than done.
▫Disabling hold timer functionality in routers
Our method - Partially Deployed
Related Work - Known Attacks on BGP
•Bellovin and Gansner
▫Divert existing traffic to a desired set of nodes; assumes perfect knowledge of the current network topology
•Studer and Perrig
▫Coremelt
Related Work – BGP Attack Prevention
•Packet-filtering or push-back techniques
•Improving resilience by providing failover paths
•BGP behavior analysis
Thank You