Brief Announcement: Network-Destabilizing Attacks
Robert Lychev, Georgia Institute of Technology, Atlanta, USA
Sharon Goldberg, Boston University, Boston, USA
Michael Schapira, Hebrew University of Jerusalem, Israel
ABSTRACT
We provide an explanation for the observed stability of today’s Internet in the face of common configuration errors and attacks.

Categories and Subject Descriptors
C.2.2 [Network Protocols]: Routing Protocols

Keywords
Interdomain routing, stability, security, BGP

1. MOTIVATION
The Internet is composed of smaller networks, called Autonomous Systems (ASes) (e.g., AT&T, Bank of America, Google, etc.). ASes use the Border Gateway Protocol (BGP) to learn how to reach distant ASes on the Internet via announcements from their neighboring ASes. Each BGP announcement contains a list of every AS en route to a destination; an AS repeatedly applies its local routing policy to select a single available route to each destination, and announces that route to its neighbors. BGP routing suffers from a number of serious problems:

Bogus routing information. Because the Internet currently lacks infrastructure to validate the correctness of information in routing messages (e.g., does the route actually exist? is one AS impersonating another?), an AS can announce bogus routes and, thus, influence the routes selected by other ASes. We see this quite frequently in practice [1]; a typical cause is a configuration error [7], but we also worry about attacks where a router deliberately manipulates routing information, thereby drawing traffic to its network [8].

Instability. BGP allows ASes great expressiveness in configuring local routing policies. Unfortunately, these routing policies can interact in ways that lead to persistent routing oscillations, i.e., situations where some ASes endlessly change the route they select, even when the network structure is static (in terms of network topology, ASes’ routing policies, etc.). BGP oscillations render the network unpredictable and can significantly harm network performance [5].

On the bright side, we have never seen events in which bogus routing information has inadvertently led to a BGP instability. One might claim that the anomalies we have seen in the wild were never intended to create BGP instabilities. However, given the delicate conditions required to avoid BGP instabilities [3,4], the fact that a misbehaving AS has never caused the system to tip into an unstable state is quite surprising. How, then, can we explain the observed stability of today’s Internet in the face of common errors and attacks?

This work sheds light on this phenomenon by first noticing that almost every observed misconfiguration/attack to date shares a common characteristic: even when a router announces egregiously bogus information, it will continue to announce the same bogus information for the duration of its misconfiguration/attack. We call this a “fixed-route attack”, and show that although fixed-route attacks can destabilize a network in general, the routing policies used in today’s Internet prevent such attacks from triggering instabilities.

2. OUR MODEL
We model (see [6]) BGP dynamics in the presence of fixed-route attackers, extending the standard model of BGP dynamics [4]. The network is modeled as an undirected graph G = (V, E), where the node (vertex) set represents the ASes, and the edge set represents BGP communication links. The vertex set contains a unique destination node d to which all other nodes in V aim to establish routes.¹ The routing system evolves over an infinite sequence of discrete time steps, where at each time step a subset of the nodes is “activated”. Whenever a non-attacker node is activated it executes the following actions: (1) process the most recent BGP route announcements received from neighboring nodes; (2) select a single “best” available route according to a local ranking of routes; and (3) announce this route to a subset of the neighboring nodes via update messages according to a local “route-export policy”. When an attacker node is activated, it announces a fixed route (list of nodes ending in d) to each neighbor. Other than requiring that the attacker announce the same route to a given neighbor for the duration of the attack, no other restrictions are imposed on the attacker. The attacker can pretend to be the destination (announce “d”), announce different (fixed!) routes to different neighbors, announce no route to some neighbors, etc.

We seek conditions which imply guaranteed network stability, i.e., that from some moment forth, every non-attacker node’s chosen route remains unchanged, for every choice of initial state of the system and of “fair” schedule of node activation and update message arrivals. (In “fair” schedules, no node is indefinitely starved from acting, or from receiving update messages from a neighbor.) Update messages in our model can be arbitrarily delayed and even dropped, and our positive results do not require assumptions on the order of update message arrivals.

¹ This is the standard model [4], as BGP establishes routes to every destination IP prefix independently.

Copyright is held by the author/owner(s).
PODC’12, July 16–18, 2012, Madeira, Portugal.
ACM 978-1-4503-1450-3/12/07.

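The model of this section can be run directly. The following Python simulation is an added example, not code from the paper: it activates nodes in round-robin order on the network of the figure in Section 3 and reports whether the honest nodes' routes settle or cycle, with and without node 0's fixed-route attack. It assumes that announcements arrive instantly, that every route is exported to every neighbor, and that node 0 selects no route of its own; the function names and the `shortest_first` helper are hypothetical.

```python
D = "d"  # destination node
def activate(node, chosen, links, rank, fixed):
    """Activation of an honest node: gather offers, select the top-ranked one."""
    offers = set()
    for nb in links[node]:
        if nb == D:
            route = (D,)
        elif nb in fixed:                 # attacker: one fixed route per neighbor
            route = fixed[nb].get(node)
        else:                             # honest neighbor exports its current route
            route = chosen.get(nb)
        if route and node not in route:   # ignore missing and looping routes
            offers.add((node,) + route)
    return next((r for r in rank[node] if r in offers), None)

def simulate(links, rank, fixed, max_rounds=50):
    """Round-robin schedule. Returns (verdict, rounds or cycle length, routes)."""
    honest = sorted(n for n in rank if n not in fixed)
    chosen = dict.fromkeys(honest)
    history = []
    for rnd in range(1, max_rounds + 1):
        before = dict(chosen)
        for n in honest:
            chosen[n] = activate(n, chosen, links, rank, fixed)
        if chosen == before:              # a full round changed nothing
            return "stable", rnd, chosen
        snap = tuple(chosen[n] for n in honest)
        if snap in history:               # revisited an earlier state: a cycle
            return "oscillates", len(history) - history.index(snap), None
        history.append(snap)
    return "undecided", max_rounds, None

# Topology and rankings read off the figure in Section 3; link (0, d) is absent.
LINKS = {0: [1, 2, 3], 1: [D, 0, 2, 3], 2: [D, 0, 1, 3], 3: [D, 0, 1, 2]}
RANK = {
    0: [],  # assumption: node 0's ranking is not shown, so it selects no route
    1: [(1, 3, 0, D), (1, 0, D), (1, D)],
    2: [(2, 1, 0, D), (2, 0, D), (2, D)],
    3: [(3, 2, 0, D), (3, 0, D), (3, D)],
}
ATTACK = {0: {n: (0, D) for n in (1, 2, 3)}}  # node 0 announces bogus "0, d"

def shortest_first(rank):
    """Same permitted routes, re-ranked shortest-first (setting of Theorem 1)."""
    return {n: sorted(routes, key=len) for n, routes in rank.items()}

if __name__ == "__main__":
    for r, f in [(RANK, {}), (RANK, ATTACK), (shortest_first(RANK), ATTACK)]:
        print(simulate(LINKS, r, f)[:2])
```

Under the attack the honest nodes return to the state 1: 1,0,d; 2: 2,1,0,d; 3: 3,0,d every second round, which is the unstable configuration the paper walks through; re-ranking the same routes shortest-first makes the same attack harmless.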
3. OUR RESULTS

Network-destabilizing fixed-route attacks. A stable network can be rendered unstable even by a single fixed-route attacker. Consider, for instance, the network in the figure, where each node’s ranking of routes is as depicted beside it. Suppose each node is willing to export any route to any neighbor.

[Figure: network with nodes 0, 1, 2, 3 and destination d. Rankings of routes as listed beside each node, top to bottom: node 1: 130d, 10d, 1d; node 2: 210d, 20d, 2d; node 3: 320d, 30d, 3d.]

Before node 0 launches an attack, even though each of nodes 1, 2, and 3 prefers the longer routes to d via node 0, these routes are not available as the link (0, d) does not exist. Thus, each of these nodes will choose the direct route to d, and the network is stable. After 0 launches a fixed-route attack by announcing the bogus route “0, d” to all of its neighbors, this network becomes an instance of the classic Bad Gadget network [4], which is notoriously unstable! To understand why, suppose that nodes 1 and 2 think they are routing along 2, 1, 0, d, while node 3 thinks it uses the route 3, 0, d. This is unstable, since node 1 would rather be using the route 1, 3, 0, d, and so it will change its route selection. By symmetry, this situation will repeat endlessly.

We identify two interesting environments where stability is maintained in the presence of fixed-route attackers. We also quantify convergence rate in terms of asynchronous rounds [2, 9], i.e., periods of time in which each node is activated (at least once) after receiving an update message from each neighbor. Our positive results hold for any network topology, and regardless of the number and locations of the fixed-route attackers, and of the specific fixed-route attacks launched.

Shortest-path routing is stable in the presence of fixed-route attacks. We first consider the scenario that all non-attackers have shortest-path rankings of routes, i.e., always prefer shorter to longer routes. The following holds for all route-export policies:

Theorem 1: When all nodes have shortest-path rankings, convergence to a stable routing state is guaranteed within |V| asynchronous rounds even in the presence of fixed-route attacks.

To gain intuition, suppose that there is a single fixed-route attacker that pretends to be the destination by announcing “d” to all of its neighbors and that every non-attacker node is willing to export all routes to every neighboring node. In a single asynchronous round, every (non-attacker) node that is directly connected to either the real destination node, or the attacker (or both), will inevitably learn of the existence of the (real or “fake”) destination, select the direct route to the (real or “fake”) destination, and not change its choice thereafter. We can use this argument to iteratively fix all nodes’ routes within |V| asynchronous rounds. In [6] we extend this argument to multiple attackers, and to arbitrary fixed-route attacks and route-export policies.

Commercial routing is stable in the presence of fixed-route attacks. While the exact routing policies ASes use in practice are proprietary and unknown, the following commercial routing framework of Gao and Rexford [3] is widely believed to capture most of the routing policies used in practice. Typically, neighboring ASes have one of two bilateral business relationships: customer-provider, in which the customer purchases connectivity from the provider, and peering, in which the two peers carry transit traffic between their customers for free. These business relationships naturally induce restrictions on ASes’ routing policies: (1) an AS prefers revenue-generating routes through customers over routes through its peers and providers; and (2) an AS only carries traffic from one neighbor to another neighbor if at least one of them pays it, i.e., is its customer. ([3] assumes that there can be no cycle of customer-provider edges in the AS-level digraph, as an AS cannot be an indirect customer of itself.) Our main result is in the Gao-Rexford framework:

Theorem 2: If all nodes have commercial routing policies, convergence to a stable routing state is guaranteed within 2X + 1 asynchronous rounds even in the presence of fixed-route attacks, where X is the depth of the customer-provider hierarchy.

Like the proof of Theorem 1, the proof of Theorem 2 iteratively fixes nodes’ routes. Here, however, this iterative stabilization argument is more delicate and involves two traversals of the customer-provider hierarchy (hence the 2X factor). In today’s Internet, the depth of the customer-provider hierarchy is very shallow (roughly 5 levels on average). Hence, commercial routing guarantees not only network stability, but also fast convergence, even in the presence of fixed-route attacks.

4. REFERENCES
[1] J. Cowie. Renesys blog: China’s 18-minute mystery. http://www.renesys.com/blog/2010/11/chinas-18-minute-mystery.shtml.
[2] S. Dolev and N. Tzachar. Empire of colonies: Self-stabilizing and self-organizing distributed algorithms. In OPODIS, pages 230–243, 2006.
[3] L. Gao and J. Rexford. Stable Internet routing without global coordination. Trans. on Networking, 2001.
[4] T. Griffin, F. B. Shepherd, and G. Wilfong. The stable paths problem and interdomain routing. Trans. on Networking, 2002.
[5] N. Kushman, S. Kandula, and D. Katabi. Can you hear me now?!: it must be BGP. SIGCOMM Comput. Commun. Rev., 37:75–84, March 2007.
[6] R. Lychev, S. Goldberg, and M. Schapira. Network destabilizing attacks. arXiv Report 1203.1281, March 2012.
[7] S.A. Misel. “Wow, AS7007!”. Merit NANOG Archive, April 1997. http://www.merit.edu/mail.archives/nanog/1997-04/msg00340.html.
[8] Renesys Blog. Pakistan hijacks YouTube. http://www.renesys.com/blog/2008/02/pakistan_hijacks_youtube_1.shtml.
[9] R. Sami, M. Schapira, and A. Zohar. Searching for stability in interdomain routing. In INFOCOM 2009, IEEE, pages 549–557, April 2009.