[Slide 1] 17th ACM CCS Poster (October 2010); 18th NDSS Symposium (February 2011)
Losing Control of the Internet: Using the Data Plane to Attack the Control Plane
Max Schuchard, Abedelaziz Mohaisen, Denis Foo Kune, Nicholas Hopper, Yongdae Kim (University of Minnesota); Eugene Y. Vasserman (Kansas State University)
A Seminar at Advanced Defense Lab

[Slide 2] Outline
• Introduction
• Background
• The CXPST Attack
• Simulation
• Toward Defenses
• Related Work

[Slide 3] Introduction – New Type DDoS
[Figure: bots controlled by the attackers send traffic across the Internet, through border routers (BR), so that it converges on a single target link in front of the target destination.]

[Slide 4] How serious can the attack be?
• In this paper, we propose a new attack
▫ Coordinated Cross Plane Session Termination (CXPST)
▫ We attack BGP sessions

[Slide 5] Shrew Attack [link]
• Low-Rate TCP-Targeted Denial of Service Attacks
• Aleksandar Kuzmanovic and Edward W. Knightly (Rice University)
• ACM SIGCOMM 2003

[Slide 6] TCP Retransmission
[Figure: TCP congestion window size (packets) vs. time. The window starts at the initial window size and grows while ACKs are received with no packet loss; after a packet loss with no ACK received, retransmissions occur at minRTO, 2 x minRTO and 4 x minRTO.]

[Slide 7] Shrew Attack (cont.)
[Figure: TCP congestion window size (segments) vs. time, with the initial window size and the minRTO, 2 x minRTO and 4 x minRTO retransmission timeouts marked.]

[Slide 8] Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing
• Ying Zhang, Z. Morley Mao, Jia Wang (University of Michigan & AT&T Labs Research)
• NDSS Symposium 2007
• We term it the ZMW attack

[Slide 9] Border Gateway Protocol [wiki]
• The Internet can be divided into two distinct parts
▫ The data plane, which forwards packets to their destination
▫ The control plane, which determines the path to any given destination
• BGP is the de facto standard routing protocol

[Slide 10] BGP Sessions
[Figure: the border routers (BR) of AS 1 and AS 2 are connected by a BGP session whose transport is a TCP connection. Keepalive messages confirm peer liveliness and determine peer reachability; when the BGP HoldTimer expires, the BGP session is reset.]

[Slide 11] Attacking BGP Sessions
[Figure: attacker A sends a UDP-based attack flow through router R1 toward receiver B; router R1 retransmits a BGP Keepalive message to router R2 after minRTO.]

[Slide 12] Attacking BGP Sessions
[Figure: same setup; the 2nd retransmitted BGP Keepalive message from router R1 to router R2 is sent after 2*minRTO.]

[Slide 13] Background
• BGP update messages
▫ When one router in an AS changes its routing table, it recomputes its routing table and informs its neighboring ASes of the change via a BGP update message. This change might trigger the same series of events in other border routers.

[Slide 14] Background (cont.)
• BGP Stability
▫ When a set of routes oscillates rapidly between being available and unavailable, it is termed route flapping.
▫ Some defense mechanisms: Minimum Route Advertisement Intervals (MRAI); BGP Graceful Restart [RFC 4724]; Route Flap Damping [RFC 2439]

[Slide 15] The CXPST Attack
• We force the targeted links to oscillate between “up” and “down” states. In essence, CXPST induces targeted route flapping.
• By creating a series of localized failures that have near global impact, CXPST has the potential to overwhelm the computational capacity of a large set of routers on the Internet.

[Slide 16] The Key Tasks
• First, the correct BGP sessions must be selected for attack.
• Second, the attacker needs to direct the traffic of his botnet onto the targeted links.
• Lastly, the attacker must find a way to minimize the impact of existing mechanisms.

[Slide 17] Selecting Targets (cont.)
• Edge betweenness centrality [wiki]
▫ $C_B(e) = \sum_{s \neq t \in V} \frac{\sigma_{st}(e)}{\sigma_{st}}$
• Modified definition
▫ $C_B(e) = \sum_{s \neq t \in V} \mathrm{path}_{st}(e)$

[Slide 18] Selecting Targets
• By aggregating the traceroute results an attacker can generate a rough measure of the BGP betweenness of links.
• Equal cost multi-path routing (ECMP) [wiki]
▫ Any links that are possibly using it are removed from the set of potential targets.

[Slide 19] Attack Traffic Management
• The strategy fails to take into account the fact that network topology is dynamic.
▫ The attacker must ensure that the path does not contain other links that are being targeted as well.

[Slide 20] Attack Traffic Management (cont.)
• There is the possibility that we will saturate bandwidth capacity on the way to the target link.
▫ Sunder and Perrig, “The Coremelt Attack,” ESORICS 2009
▫ Max flow algorithm

[Slide 21] Simulation
• We started building our simulator’s topology by examining the wealth of data on the AS-level topology of the Internet made available from CAIDA. [link]
• Using January 2010 data
• The result was a connected graph with 1829 ASes and nearly 13,000 edges.
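The modified betweenness from the "Selecting Targets" slides, worked through on a small constructed AS graph as an added example (this is not code from the seminar or from the paper). It computes $C_B(e)$ as the number of ordered $(s, t)$ pairs whose routing path contains link $e$, using one BFS-derived forwarding path per pair with lowest-AS-number tie-breaking as a stand-in for BGP's policy-driven path choice (an assumption, since no real routing data is used), and it flags links that may carry equal-cost multi-path traffic so they can be set aside, as slide 18 does. For an operator the same ranking answers the defensive question: which inter-AS links concentrate the most forwarding paths and therefore deserve the closest session monitoring and failover planning.

```python
from collections import defaultdict, deque

# Constructed toy AS-level topology (not CAIDA data): undirected adjacency lists,
# keyed by a made-up AS number. Two small clusters joined by the 4-5 and 3-6 links.
TOY_AS_GRAPH = {
    1: [2, 3],
    2: [1, 4],
    3: [1, 4, 6],
    4: [2, 3, 5],
    5: [4, 7],
    6: [3, 7],
    7: [5, 6, 8],
    8: [7],
}


def bfs_distances(graph, src):
    """Hop distance from src to every node (breadth-first search)."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for w in graph[u]:
            if w not in dist:
                dist[w] = dist[u] + 1
                queue.append(w)
    return dist


def next_hops(graph, dist_from_t, u):
    """Neighbours of u that lie one hop closer to the destination t."""
    return [w for w in graph[u] if dist_from_t.get(w) == dist_from_t[u] - 1]


def routing_path(graph, s, t, dist_from_t):
    """The single forwarding path s -> t used in this example.
    Assumption: among equal-cost next hops the lowest AS number wins; this
    stands in for BGP's tie-breaking, which the toy model does not have."""
    path = [s]
    u = s
    while u != t:
        u = min(next_hops(graph, dist_from_t, u))
        path.append(u)
    return path


def edge_key(u, v):
    """Canonical key for an undirected link."""
    return (u, v) if u < v else (v, u)


def modified_edge_betweenness(graph):
    """C_B(e) = sum over ordered pairs s != t of path_st(e), where path_st(e) is
    1 if link e is on the chosen path from s to t and 0 otherwise.
    Also returns the links that some node would split traffic over under ECMP
    (more than one equal-cost next hop toward some destination)."""
    nodes = sorted(graph)
    score = defaultdict(int)
    ecmp_links = set()
    for t in nodes:
        dist_t = bfs_distances(graph, t)
        for s in nodes:
            if s == t:
                continue
            path = routing_path(graph, s, t, dist_t)
            for u, v in zip(path, path[1:]):
                score[edge_key(u, v)] += 1
        for u in nodes:
            if u == t:
                continue
            hops = next_hops(graph, dist_t, u)
            if len(hops) > 1:  # u could load-balance toward t over these links
                for w in hops:
                    ecmp_links.add(edge_key(u, w))
    return dict(score), ecmp_links


def rank_links(graph):
    """Links ordered by modified betweenness, with possible-ECMP links removed
    (slide 18), plus the set that was removed."""
    score, ecmp = modified_edge_betweenness(graph)
    eligible = {e: c for e, c in score.items() if e not in ecmp}
    ranked = sorted(eligible.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, ecmp


if __name__ == "__main__":
    ranked, ecmp = rank_links(TOY_AS_GRAPH)
    print("possible ECMP links set aside:", sorted(ecmp))
    for link, count in ranked:
        print(f"link {link}: on {count} of the s->t paths")
```

On this toy graph the two links joining the clusters, (3, 6) and (4, 5), come out on top with 16 ordered pairs each, and the four links of the 1-2-4-3 cycle are set aside because their endpoints have equal-cost alternatives; with a real topology the counts are what traceroute aggregation on slide 18 approximates.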
[Slide 22] Simulation – Bandwidth
• Core AS links
▫ OC-768 (38.5 Gbit/s)
• The attacker’s resources
▫ OC-3 (155 Mbit/s)

[Slide 23] Simulation – Botnet
• Recent papers on botnet enumeration have given us some insight into the distribution of bots throughout the Internet.
▫ Waledac botnet [link]

[Slide 24] Simulation Results
• CXPST was simulated with botnets of 64, 125, 250, and 500 thousand nodes.
• Targets were selected from the core routers in our topology, the top 10% of ASes by degree.

[Slide 25] Simulation Results – Failed Sessions
[Figure]

[Slide 26] Simulation Results – BGP Update
• Normal loads from RouteViews [link]

[Slide 27] Simulation Results – BGP Update
• Median router load under attacks

[Slide 28] Simulation Results – BGP Update
• Some top AS under attack

[Slide 29] Simulation Results – Time-to-Process
• The default hold time is 180 secs

[Slide 30] Toward Defenses

[Slide 31] Our method
• Stop ZMW attack
▫ Remove the mechanism that allows Zhang et al.’s attack to function. This is easier said than done.
▫ Disabling hold timer functionality in routers

[Slide 32] Our method – Partially Deployed
[Figure]

[Slide 33] Related Work – Known Attacks on BGP
• Bellovin and Gansner
▫ Divert existing traffic to a desired set of nodes; assumes a perfect knowledge of the current network topology
• Sunder and Perrig
▫ Coremelt

[Slide 34] Related Work – BGP Attack Prevention
• Packet-filtering or push-back techniques
• Improving resilience by providing failover paths
• BGP behavior analysis
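Route Flap Damping [RFC 2439], listed on slide 14 as an existing stability mechanism and the kind of router-side control the "Toward Defenses" and "BGP Attack Prevention" slides discuss, worked through as an added example (not code from the seminar or the paper): a per-prefix damper fed a constructed sequence of withdraw/announce events, showing when an oscillating route gets suppressed and when it is reused. The penalty, suppress, reuse and half-life values are the commonly used vendor defaults, assumed here because RFC 2439 leaves them to the operator.

```python
import math

# Damping parameters. Commonly used vendor defaults; RFC 2439 does not fix
# these numbers, so treat them as assumptions of this example.
HALF_LIFE_S = 15 * 60       # penalty halves every 15 minutes
FLAP_PENALTY = 1000         # added on each withdrawal (one "flap")
SUPPRESS_LIMIT = 2000       # route is suppressed once penalty exceeds this
REUSE_LIMIT = 750           # suppressed route is re-advertised once below this
MAX_SUPPRESS_S = 60 * 60    # never suppress longer than this, so cap the penalty
MAX_PENALTY = REUSE_LIMIT * 2 ** (MAX_SUPPRESS_S / HALF_LIFE_S)  # 12000


def decayed(penalty, elapsed_s):
    """Exponential decay of the flap penalty over elapsed_s seconds."""
    return penalty * 0.5 ** (elapsed_s / HALF_LIFE_S)


def seconds_until_reuse(penalty):
    """Quiet time needed for the penalty to fall from its current value to REUSE_LIMIT."""
    if penalty <= REUSE_LIMIT:
        return 0.0
    return HALF_LIFE_S * math.log2(penalty / REUSE_LIMIT)


class DampedPrefix:
    """Damping state a router keeps for one prefix learned from one neighbour."""

    def __init__(self):
        self.penalty = 0.0
        self.last_update_s = 0.0
        self.suppressed = False

    def observe(self, t_s, event):
        """Apply one BGP event ('withdraw' or 'announce') seen at time t_s.
        Returns True if the route may be advertised onward after this event."""
        self.penalty = decayed(self.penalty, t_s - self.last_update_s)
        self.last_update_s = t_s
        if event == "withdraw":
            self.penalty = min(self.penalty + FLAP_PENALTY, MAX_PENALTY)
        if self.suppressed and self.penalty < REUSE_LIMIT:
            self.suppressed = False            # reuse: quiet long enough
        elif not self.suppressed and self.penalty > SUPPRESS_LIMIT:
            self.suppressed = True             # too many flaps: hold it back
        return event == "announce" and not self.suppressed


def simulate(events):
    """Run a sequence of (time_s, event) pairs through the damper.
    Returns the trace of (time_s, penalty, suppressed, propagated) and the final state."""
    state = DampedPrefix()
    trace = []
    for t_s, event in events:
        propagated = state.observe(t_s, event)
        trace.append((t_s, round(state.penalty, 1), state.suppressed, propagated))
    return trace, state


# Constructed input: a prefix that flaps three times in two minutes, then goes quiet
# and is re-announced half an hour later.
FLAPPING_PREFIX_EVENTS = [
    (0, "withdraw"), (20, "announce"),
    (60, "withdraw"), (80, "announce"),
    (120, "withdraw"), (140, "announce"),
    (140 + 1800, "announce"),
]


if __name__ == "__main__":
    trace, state = simulate(FLAPPING_PREFIX_EVENTS)
    for t_s, penalty, suppressed, propagated in trace:
        print(f"t={t_s:5d}s penalty={penalty:7.1f} suppressed={suppressed} propagated={propagated}")
    print("quiet time from peak to reuse: %.0f s" % seconds_until_reuse(max(r[1] for r in trace)))
```

The trace shows what the slides' "route flapping" looks like from inside a router: the first two withdrawals leave the penalty below the suppress limit, the third pushes it to roughly 2867, so the announcements that follow are held back instead of being passed to neighbours, which is the update-load reduction damping offers against the BGP update storms measured on slides 26 to 29. About 29 minutes of quiet (two half-lives in the constructed input) bring the penalty under the reuse limit and the route is advertised again.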