We present novel and practical techniques to accurately detect IP prefix hijacking attacks in real time to facilitate mitigation. Attacks may hijack victim’s address space to disrupt network services or perpetrate malicious activities such as spamming and DoS attacks without disclosing identity. We propose novel ways to significantly improve the detection accuracy by combining analysis of passively collected BGP routing updates with data plane fingerprints of suspicious prefixes. The key insight is to use data plane information in the form of edge network fingerprinting to disambiguate suspect IP hijacking incidences based on routing anomaly detection. Conflicts in data plane fingerprints provide much more definitive evidence of successful IP prefix hijacking. Utilizing multiple real-time BGP feeds, we demonstrate the ability of our system to distinguish between legitimate routing changes and actual attacks. Strong correlation with addresses that originate spam emails from a spam honeypot confirms the accuracy of our techniques.

We present a game-theoretic model that captures many of the intricacies of interdomain routing in today’s Internet. In this model, the strategic agents are source nodes located on a network, who aim to send traffic to a unique destination node. The interaction between the agents is dynamic and complex – asynchronous, sequential, and based on partial information. Best-reply dynamics in this model capture crucial aspects of the only interdomain routing protocol de facto, namely the Border Gateway Protocol (BGP). We study complexity and incentive-related issues in this model. Our main results are showing that in realistic and well-studied settings, BGP is incentive-compatible. I.e., not only does myopic behaviour of all players converge to a “stable ” routing outcome, but no player has motivation to unilaterally deviate from the protocol. Moreover, we show that even coalitions of players of any size cannot improve their routing outcomes by collaborating. Unlike the vast majority of works in mechanism design, our results do not require any monetary transfers (to or by the agents).

We study situations in which autonomous systems (ASes) may have incentives to send BGP announcements differing from the AS-level paths that packets traverse in the data plane. Prior work on this issue assumed that ASes seek only to obtain the best possible outgoing path for their traffic. In reality, other factors can influence a rational AS’s behavior. Here we consider a more natural model, in which an AS is also interested in attracting incoming traffic (e.g., because other ASes pay it to carry their traffic). We ask what combinations of BGP enhancements and restrictions on routing policies can ensure that ASes have no incentive to lie about their data-plane paths. We find that protocols like S-BGP alone are insufficient, but that S-BGP does suffice if coupled with additional (quite unrealistic) restrictions on routing policies. Our game-theoretic analysis illustrates the high cost of ensuring that the ASes honestly announce data-plane paths in their BGP path announcements.

The Border Gateway Protocol (BGP) is the de facto interdomain routing protocol on the Internet. While the serious vulnerabilities of BGP are well known, no security solution has been widely deployed. The lack of adoption is largely caused by a failure to find a balance between deployability, cost, and security. In this paper, we consider the design and performance of BGP path authentication constructions that limit resource costs by exploiting route stability. Based on a year-long study of BGP traffic and indirectly supported by findings within the networking community, we observe that routing paths are highly stable. This observation leads to comprehensive and efficient constructions for path authentication. We empirically analyze the resource consumption of the proposed constructions via trace-based simulations. This latter study indicates that our constructions can reduce validation costs by as much as 97.3 % over existing proposals while requiring nominal storage resources. We conclude by considering operational issues related to incremental deployment of our solution.

This dissertation is submitted for

Abstract — BGP is the cornerstone of the Internet. However, the implicit trust assumption in BGP’s design destines its inherited vulnerability. Prefix hijacking is one of the large-scale BGPspecific routing anomalies that are able to paralyze the Internet. This calls for a hijack-proof security solution. By putting the protection against prefix hijacking the top priority, we design a lightweight hijack-proof BGP system – Hi-BGP. Hi-BGP utilizes the existing BGP system to distribute the relevant route validation information and use the information to prevent various prefix hijacking. In addition, we propose a transition scheme of Hi-BGP so that it can be incrementally deployed. At the same time, we show that Hi-BGP is lightweight and can be deployed in the Internet. I.

With a cryptographic root-of-trust for Internet routing (RPKI [18]) on the horizon, we can finally start planning the deployment of one of the secure interdomain routing protocols proposed over a decade ago (Secure BGP [24], secure origin BGP [43]). However, if experience with IPv6 is any indicator, this will be no easy task. Security concerns alone seem unlikely to provide sufficient local incentive to drive the deployment process forward. Worse yet, the security benefits provided by the S*BGP protocols do not even kick in until a large number of ASes have deployed them. Instead, we appeal to ISPs ’ interest in increasing revenue-generating traffic. We propose a strategy that governments and industry groups can use to harness ISPs’ local business objectives and drive global S*BGP deployment. We evaluate our deployment strategy using theoretical analysis and large-scale simulations on empirical data. Our results give evidence that the market dynamics created by our proposal can transition the majority of the Internet to S*BGP. 1.

We describe a new networking primitive, called a Path Verification Mechanism (PVM). There has been much recent work about how senders and receivers express policies about the paths that their packets take. For instance, a company might want fine-grained control over which providers carry which traffic between its branch offices, or a receiver may want traffic sent to it to travel through an intrusion detection service. While the ability to express policies has been well-studied, the ability to enforce policies has not. The core challenge is: if we assume an adversarial, decentralized, and high-speed environment, then when a packet arrives at a node, how can the node be sure that the packet followed an approved path? Our solution, ICING, incorporates an optimized cryptographic construction that is compact, and requires negligible configuration state and no PKI. We demonstrate ICING’s plausibility with a NetFPGA hardware implementation. At 93 % more costly than an IP router on the same platform, its cost is significant but affordable. Indeed, our evaluation suggests that ICING can scale to backbone speeds.

We analyze a secure routing protocol, Secure Path Vector (SPV), proposed in SIGCOMM 2004. SPV aims to provide authenticity for route announcements in the Border Gateway Protocol (BGP) using an efficient alternative to ordinary digital signatures, called constant-time signatures. Today, SPV is often considered the best cryptographic defense for BGP. We find subtle flaws in the design of SPV which lead to attacks that can be mounted by 60 % of Autonomous Systems in the Internet. In addition, we study several of SPV’s design decisions and assumptions and highlight the requirements for security of routing protocols. In light of our analysis, we reexamine the need for constant-time signatures and find that certain standard digital signature schemes can provide the same level of efficiency for route authenticity.

We present Descartes BGP (D-BGP), a fault detection and response framework that enhances the robustness, security, and manageability of inter-domain routing. D-BGP associates a state of “agreement,” “conflict,” or “persistent conflict” with each announced address prefix. When a D-BGP router receives a routing update in which a new AS claims to be an origin of a prefix, it alerts other D-BGP routers to collaboratively verify their ownership claim and resolve the potential conflict without reference to an oracle, such as a topology database server. If a conflict is “persistent,” a black hole may have formed, pulling traffic destined to the prefix in conflict. When this happens, D-BGP logs useful diagnostic information to aid resolution by network administrators. In spite of the black hole, the D-BGP framework allows data traffic to reach critical network services located on or needed by the hosts within the prefix. We evaluate D-BGP with the Scaleable Simulation Framework NETwork (SSFNET) simulator and show that D-BGP resolves BGP faults and misconfigurations in real time, and mitigates a persistent conflict over the ownership of an IP prefix. We show that D-BGP provides path resilience quickly and with few messages. Using BGP update data obtained during an actual black hole event, we show that D-BGP’s detection mechanism scales well.