Losing Control of the Internet: Using the Data Plane to Attack the Control Plane

Post on 24-Feb-2016



17th ACM CCS Poster (October, 2010), 18th NDSS Symposium (February 2011). Losing Control of the Internet: Using the Data Plane to Attack the Control Plane. Max Schuchard, Abedelaziz Mohaisen, Denis Foo Kune, Nicholas Hopper, Yongdae Kim (University of Minnesota), Eugene Y. Vasserman. PowerPoint presentation.

Transcript of Losing Control of the Internet: Using the Data Plane to Attack the Control Plane

Losing Control of the Internet: Using the Data Plane to Attack the Control Plane
Max Schuchard, Abedelaziz Mohaisen, Denis Foo Kune, Nicholas Hopper, Yongdae Kim
University of Minnesota

Eugene Y. Vasserman
Kansas State University

17th ACM CCS Poster (October, 2010)
18th NDSS Symposium (February 2011)

A Seminar at Advanced Defense Lab


Outline
• Introduction
• Background
• The CXPST Attack
• Simulation
• Toward Defenses
• Related Work


Introduction – New Type of DDoS

[Figure: attackers control bots spread across the Internet; the bots send CBR (constant bit rate) flows toward a destination, and the flows converge on the target link.]


How serious can the attack be?
• In this paper, we propose a new attack
▫ Coordinated Cross Plane Session Termination (CXPST)
▫ We attack BGP sessions


Shrew Attack [link]
• Low-Rate TCP-Targeted Denial of Service Attacks
• Aleksandar Kuzmanovic and Edward W. Knightly (Rice University)
• ACM SIGCOMM 2003


TCP Retransmission

[Figure: TCP congestion window size (packets) over time. While no packet is lost and ACKs are received, the window grows from its initial window size; after a packet loss (no ACK received) the sender waits minRTO before retransmitting, then 2 x minRTO, then 4 x minRTO.]


Shrew Attack (cont.)

[Figure: TCP congestion window size (segments) over time, with the initial window size and the minRTO, 2 x minRTO and 4 x minRTO retransmission back-off marked on the time axis.]


Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing
• Ying Zhang, Z. Morley Mao, Jia Wang (University of Michigan & AT&T Labs Research)
• NDSS Symposium 2007
• We term it the ZMW attack


Border Gateway Protocol [wiki]
• The Internet can be divided into two distinct parts
▫ The data plane, which forwards packets to their destination
▫ The control plane, which determines the path to any given destination
• BGP is the de facto standard routing protocol


BGP Sessions

[Figure: the border routers (BR) of AS 1 and AS 2 hold a BGP session whose transport is a TCP connection. Keepalive messages flow in both directions to confirm peer liveliness and determine peer reachability. When the BGP HoldTimer expires, the BGP session is reset.]


Attacking BGP Sessions

[Figure: UDP-based attack flow. Attacker A sends to Receiver B through Router R1 and Router R2 (CBR traffic at each); the BGP Keepalive message between R1 and R2 is retransmitted after minRTO.]


Attacking BGP Sessions (cont.)

[Figure: the same UDP-based attack flow from Attacker A to Receiver B across Router R1 and Router R2; after the first retransmission at minRTO, the 2nd retransmitted BGP Keepalive message follows after 2*minRTO.]
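The interaction the two diagrams above describe, as an added example (this is illustration code, not the paper's or the slides' own; the loss windows, keepalive interval, minRTO value and the absence of an RTO cap are constructed assumptions): a KEEPALIVE segment stuck behind TCP's exponential back-off can miss the hold-timer deadline even though the link is only lossy, not down. The `hold_time=None` case models the hold-timer-disabled router that the deck proposes later under "Our method"; the same run shows the cost, since the session then never notices a peer that really is gone.

```python
"""Added example: TCP retransmission back-off versus the BGP hold timer.

Assumptions, all constructed for this illustration:
- a BGP KEEPALIVE is sent every KEEPALIVE_INTERVAL seconds (default hold / 3);
- a lost TCP segment is retransmitted after MIN_RTO, then 2*MIN_RTO,
  4*MIN_RTO, ... (exponential back-off as in RFC 6298, no upper cap applied);
- the peer tears the session down once HOLD_TIME seconds pass without a
  delivered KEEPALIVE;
- loss is modelled as time windows during which the link drops every segment.
"""

MIN_RTO = 1.0              # seconds; typical router minimum RTO
HOLD_TIME = 180.0          # seconds; BGP default hold time
KEEPALIVE_INTERVAL = 60.0  # seconds; BGP default keepalive interval


def retransmission_times(first_send, min_rto, until):
    """Transmission attempts for one TCP segment: the original send, then
    retransmissions spaced min_rto, 2*min_rto, 4*min_rto, ... apart,
    listing only attempts at or before `until`."""
    times, rto, t = [], min_rto, first_send
    while t <= until:
        times.append(t)
        t += rto
        rto *= 2
    return times


def is_lost(t, loss_windows):
    """True if a segment put on the wire at time t falls inside a loss window."""
    return any(start <= t < end for start, end in loss_windows)


def session_reset_time(loss_windows, duration, hold_time=HOLD_TIME,
                       keepalive=KEEPALIVE_INTERVAL, min_rto=MIN_RTO):
    """Walk the session for `duration` seconds. Returns the time at which the
    hold timer fires, or None if every KEEPALIVE got through in time.
    hold_time=None models a router with the hold timer disabled."""
    last_delivered = 0.0   # session came up at t=0; hold timer armed then
    t = keepalive          # first KEEPALIVE due
    while t <= duration:
        deadline = float("inf") if hold_time is None else last_delivered + hold_time
        delivered = None
        for attempt in retransmission_times(t, min_rto, min(duration, deadline)):
            if not is_lost(attempt, loss_windows):
                delivered = attempt
                break
        if delivered is None:
            # Nothing got through before the deadline (or before the run ended).
            return deadline if deadline <= duration else None
        last_delivered = delivered
        # KEEPALIVEs generated while the segment was stuck sit behind it in the
        # TCP stream and are delivered with it; the next fresh one comes after.
        t += keepalive
        while t < delivered:
            t += keepalive
    return None


if __name__ == "__main__":
    # Constructed scenarios: a 5 s loss burst, then 200 s of sustained loss.
    print("short outage :", session_reset_time([(120.0, 125.0)], duration=400.0))
    print("long outage  :", session_reset_time([(100.0, 300.0)], duration=400.0))
    print("no hold timer:", session_reset_time([(100.0, 300.0)], duration=400.0,
                                               hold_time=None))
```

With the defaults, a 5-second loss burst is absorbed (the fourth attempt, 7 s after the first, gets through), whereas 200 s of sustained loss resets the session at t = 240, exactly 180 s after the last delivered KEEPALIVE, even though the retransmissions never stopped.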


Background
• BGP update messages
▫ When one router in an AS changes its routing table, it recomputes its routing table and informs its neighboring ASes of the change via a BGP update message. This change might trigger the same series of events in other border routers.


Background (cont.)
• BGP Stability
▫ When a set of routes oscillates rapidly between being available and unavailable, it is termed route flapping.
▫ Some defense mechanisms: Minimum Route Advertisement Intervals (MRAI), BGP Graceful Restart [RFC 4724], Route Flap Damping [RFC 2439]
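Two of the stability mechanisms listed above, MRAI and Route Flap Damping, as an added example (illustration code, not from the slides or the paper). The MRAI model assumes a single per-peer timer that holds updates generated while it runs and ships them as one advertisement when it expires; the RFD numbers (1000 penalty per flap, 15-minute half-life, suppress at 2000, reuse below 750) are commonly cited router defaults, used here as constructed parameters since RFC 2439 leaves them to the operator.

```python
"""Added example: MRAI batching and Route Flap Damping (RFD) state.

Assumptions constructed for this illustration: one per-peer MRAI timer;
RFD parameters set to commonly cited router defaults; times are seconds
and are non-decreasing across calls on one object.
"""
import math


def mrai_batches(update_times, mrai=30.0):
    """Group update generation times into the advertisements a peer actually
    sees. Returns [(send_time, [update times carried]), ...]."""
    batches, pending = [], []
    last_send = float("-inf")
    for t in sorted(update_times):
        flush_at = last_send + mrai
        if pending and t >= flush_at:
            # Timer expired before this update arrived: ship the held batch.
            batches.append((flush_at, pending))
            pending, last_send = [], flush_at
        if not pending and t >= last_send + mrai:
            batches.append((t, [t]))   # timer idle: advertise at once
            last_send = t
        else:
            pending.append(t)          # timer running: hold the update
    if pending:
        batches.append((last_send + mrai, pending))
    return batches


class RouteFlapDamper:
    """Per-prefix RFD state: a penalty that grows with each flap and decays
    exponentially; the route is suppressed above suppress_threshold and
    readvertised only once the penalty has decayed below reuse_threshold."""

    def __init__(self, penalty_per_flap=1000.0, half_life=900.0,
                 suppress_threshold=2000.0, reuse_threshold=750.0):
        self.penalty_per_flap = penalty_per_flap
        self.half_life = half_life
        self.suppress_threshold = suppress_threshold
        self.reuse_threshold = reuse_threshold
        self._penalty = 0.0
        self._updated_at = 0.0
        self._suppressed = False

    def _decay_to(self, now):
        """Apply exponential decay since the last update and release the
        route if the penalty has fallen below the reuse threshold."""
        self._penalty *= 2.0 ** (-(now - self._updated_at) / self.half_life)
        self._updated_at = now
        if self._suppressed and self._penalty < self.reuse_threshold:
            self._suppressed = False

    def flap(self, now):
        """Record a flap at time `now`; returns True if the route is now suppressed."""
        self._decay_to(now)
        self._penalty += self.penalty_per_flap
        if self._penalty >= self.suppress_threshold:
            self._suppressed = True
        return self._suppressed

    def penalty(self, now):
        self._decay_to(now)
        return self._penalty

    def is_suppressed(self, now):
        self._decay_to(now)
        return self._suppressed

    def reuse_time(self, now):
        """Earliest time the route can be readvertised if it flaps no more."""
        self._decay_to(now)
        if not self._suppressed:
            return now
        return now + self.half_life * math.log2(self._penalty / self.reuse_threshold)


if __name__ == "__main__":
    # Constructed burst of nine updates; MRAI turns it into four advertisements.
    print(mrai_batches([0, 1, 2, 3, 4, 5, 31, 32, 70]))
    d = RouteFlapDamper()
    d.flap(0.0)
    d.flap(0.0)   # two flaps back to back push the penalty to the suppress threshold
    print("suppressed until about", round(d.reuse_time(0.0)), "s")
```

The two mechanisms pull in opposite directions for the attack described in this deck: MRAI and RFD reduce the number of updates each flap generates, but RFD also means that a link flapped deliberately stays suppressed long after the congestion ends, which is the effect the "targeted route flapping" slides later rely on.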


The CXPST Attack
• We force the targeted links to oscillate between “up” and “down” states. In essence, CXPST induces targeted route flapping.
• By creating a series of localized failures that have near global impact, CXPST has the potential to overwhelm the computational capacity of a large set of routers on the Internet.


The Key Tasks
• First, the correct BGP sessions must be selected for attack.
• Second, the attacker needs to direct the traffic of his botnet onto the targeted links.
• Lastly, the attacker must find a way to minimize the impact of existing mechanisms.


Selecting Targets (cont.)
• Edge betweenness centrality [wiki]
  $C_B(e) = \sum_{s \neq t \in V} \frac{\sigma_{st}(e)}{\sigma_{st}}$
  ($\sigma_{st}$ is the number of shortest paths from $s$ to $t$, and $\sigma_{st}(e)$ the number of those that pass through edge $e$)
• Modified definition
  $C_B(e) = \sum_{s \neq t \in V} \mathrm{path}_{st}(e)$
  ($\mathrm{path}_{st}(e) = 1$ if the single BGP path from $s$ to $t$ traverses $e$, and $0$ otherwise)


Selecting Targets
• By aggregating the tracerouting results, an attacker can generate a rough measure of the BGP betweenness of links.
• Equal cost multi-path routing (ECMP) [wiki]
▫ Any links that are possibly using it are removed from the set of potential targets.
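The two target-selection slides above, worked as an added example (illustration code, not the paper's): the standard edge betweenness, the single-path variant the deck calls the modified definition, and the ECMP check, all on a constructed 8-node topology. Node names and the tie-break rule (the lexicographically smallest shortest path stands in for the one route BGP would pick) are assumptions made for this example. The same computation is what an operator would run on their own topology to find the links whose failure moves the most routes, which is the defender's side of the same measurement.

```python
"""Added example: edge betweenness, standard versus single-path, plus ECMP flagging.

The topology, node names and tie-break rule are constructed for this
illustration; the BFS enumerates every shortest path, which is fine for
small graphs but not for a 1,800-AS topology.
"""
from collections import defaultdict, deque

# Constructed topology: two stub nodes on each side of a 4-cycle (C-D-F-E-C),
# so C<->F has two equal-cost paths, the ECMP case the slides single out.
SAMPLE_EDGES = [("A", "C"), ("B", "C"), ("C", "D"), ("C", "E"),
                ("D", "F"), ("E", "F"), ("F", "G"), ("F", "H")]


def build_graph(edges):
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return dict(adj)


def edge_key(u, v):
    """Undirected edge identity."""
    return tuple(sorted((u, v)))


def all_shortest_paths(adj, source):
    """BFS from source; returns {target: [every shortest path as a node list]}."""
    dist = {source: 0}
    preds = defaultdict(list)
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for v in sorted(adj[u]):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
            if dist[v] == dist[u] + 1:
                preds[v].append(u)
    paths = {source: [[source]]}
    for v in sorted(dist, key=dist.get):   # build in distance order
        if v != source:
            paths[v] = [p + [v] for u in preds[v] for p in paths[u]]
    return paths


def _pairs(adj):
    """Yield (s, t, shortest paths) once per unordered node pair."""
    for s in adj:
        for t, paths in all_shortest_paths(adj, s).items():
            if s < t:
                yield s, t, paths


def edge_betweenness(adj):
    """Standard C_B(e): each pair spreads weight 1 evenly over its shortest paths."""
    score = defaultdict(float)
    for _, _, paths in _pairs(adj):
        share = 1.0 / len(paths)
        for path in paths:
            for u, v in zip(path, path[1:]):
                score[edge_key(u, v)] += share
    return dict(score)


def single_path_betweenness(adj):
    """Modified C_B(e) from the slides: BGP forwards each pair over one route,
    so an edge scores the number of pairs whose chosen route crosses it."""
    score = defaultdict(int)
    for _, _, paths in _pairs(adj):
        chosen = min(paths)   # assumed tie-break standing in for BGP's selection
        for u, v in zip(chosen, chosen[1:]):
            score[edge_key(u, v)] += 1
    return dict(score)


def ecmp_edges(adj):
    """Edges on which some pair's equal-cost shortest paths disagree: load on
    them can shift between parallel paths, which is why the slides drop such
    links from the candidate set (and why they are the resilient ones)."""
    flagged = set()
    for _, _, paths in _pairs(adj):
        if len(paths) < 2:
            continue
        edge_sets = [{edge_key(u, v) for u, v in zip(p, p[1:])} for p in paths]
        flagged |= set.union(*edge_sets) - set.intersection(*edge_sets)
    return flagged


if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    for name, scores in (("standard", edge_betweenness(g)),
                         ("single-path", single_path_betweenness(g))):
        print(name, sorted(scores.items(), key=lambda kv: -kv[1])[:3])
    print("ECMP edges:", sorted(ecmp_edges(g)))
```

On this graph the standard measure gives the two parallel core links C-D and C-E the same score (8.0 each), while the single-path measure concentrates everything on C-D (13 against 4), which is exactly why the deck uses the modified definition: the data plane carries each pair over one route, not half over each.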


Attack Traffic Management
• The strategy fails to take into account the fact that network topology is dynamic.
▫ The attacker must ensure that the path does not contain other links that are being targeted as well.


Attack Traffic Management (cont.)
• There is the possibility that we will saturate bandwidth capacity on the way to the target link.
▫ Studer and Perrig, “The Coremelt Attack,” ESORICS 2009
▫ Max-flow algorithm


Simulation
• We started building our simulator’s topology by examining the wealth of data on the AS-level topology of the Internet made available from CAIDA. [link]
• Using January 2010 data
• The result was a connected graph with 1829 ASes and nearly 13,000 edges.


Simulation - Bandwidth
• Core AS links
▫ OC-768 (38.5 Gbit/s)
• The attacker’s resources
▫ OC-3 (155 Mbit/s)


Simulation - Botnet
• Recent papers on botnet enumeration have given us some insight into the distribution of bots throughout the Internet.
▫ Waledac botnet [link]


Simulation Results
• CXPST was simulated with botnets of 64, 125, 250, and 500 thousand nodes.
• Targets were selected from the core routers in our topology, the top 10% of ASes by degree.
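How the simulation slides' topology and "core" can be built from CAIDA data, as an added example (illustration code, not the paper's simulator). The sample below is constructed; a real CAIDA AS-relationship file uses the same line layout, `<AS a>|<AS b>|<relationship>` with `#` comment lines, -1 for provider-to-customer and 0 for peer-to-peer, and is shipped gzip-compressed. The 10% core rule, the connectivity check and tie-breaking by lower ASN are this example's choices.

```python
"""Added example: parse a CAIDA-style AS-relationship file into a graph and
select the top 10% of ASes by degree, the "core" the simulation slides target.

SAMPLE_AS_REL is constructed for this illustration; only the line format
matches CAIDA's as-rel files.
"""
import math
from collections import defaultdict, deque

SAMPLE_AS_REL = """\
# constructed sample in the CAIDA as-rel layout: <AS a>|<AS b>|<relationship>
# -1: a is a provider of b; 0: a and b are peers
1|10|-1
1|11|-1
2|10|-1
2|12|-1
1|2|0
3|11|-1
3|12|-1
10|100|-1
10|101|-1
11|102|-1
12|103|-1
12|104|-1
"""


def parse_as_rel(text):
    """Return (adjacency dict ASN -> set of neighbour ASNs,
    {(a, b): relationship}) from as-rel formatted text."""
    adj = defaultdict(set)
    rel = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        a, b, kind = (int(field) for field in line.split("|")[:3])
        adj[a].add(b)
        adj[b].add(a)
        rel[(a, b)] = kind
    return dict(adj), rel


def is_connected(adj):
    """BFS check that every AS is reachable from every other, as the slides
    report for their January 2010 graph."""
    start = next(iter(adj))
    seen, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return len(seen) == len(adj)


def core_ases(adj, fraction=0.10):
    """ASes in the top `fraction` by degree (ties broken by lower ASN)."""
    k = max(1, math.ceil(fraction * len(adj)))
    ranked = sorted(adj, key=lambda asn: (-len(adj[asn]), asn))
    return ranked[:k]


if __name__ == "__main__":
    adj, rel = parse_as_rel(SAMPLE_AS_REL)
    print(len(adj), "ASes,", len(rel), "links, connected:", is_connected(adj))
    print("core (top 10% by degree):", core_ases(adj))
```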


Simulation Results – Failed Sessions


Simulation Results – BGP Update
• Normal loads from RouteViews [link]


Simulation Results – BGP Update
• Median router load under attacks


Simulation Results – BGP Update
• Some top ASes under attack


Simulation Results – Time-to-Process
• The default hold time is 180 secs


Toward Defenses


Our method
• Stop the ZMW attack
▫ Remove the mechanism that allows Zhang et al.’s attack to function. This is easier said than done.
▫ Disabling hold timer functionality in routers


Our method - Partially Deployed


Related Work - Known Attacks on BGP
• Bellovin and Gansner
▫ Divert existing traffic to a desired set of nodes; assumes perfect knowledge of the current network topology
• Studer and Perrig
▫ Coremelt


Related Work – BGP Attack Prevention
• Packet-filtering or push-back techniques
• Improving resilience by providing failover paths
• BGP behavior analysis


Thank You