Brief Announcement: Network-Destabilizing Attacks

Robert Lychev, Georgia Institute of Technology, Atlanta, USA
Sharon Goldberg, Boston University, Boston, USA
Michael Schapira, Hebrew University of Jerusalem, Israel

Copyright is held by the author/owner(s). PODC’12, July 16–18, 2012, Madeira, Portugal. ACM 978-1-4503-1450-3/12/07.

ABSTRACT

We provide an explanation for the observed stability of today’s Internet in the face of common configuration errors and attacks.

Categories and Subject Descriptors
C.2.2 [Network Protocols]: Routing Protocols

Keywords
Interdomain routing, stability, security, BGP

1. MOTIVATION

The Internet is composed of smaller networks, called Autonomous Systems (ASes) (e.g., AT&T, Bank of America, Google, etc.). ASes use the Border Gateway Protocol (BGP) to learn how to reach distant ASes on the Internet via announcements from their neighboring ASes. Each BGP announcement contains a list of every AS en route to a destination; an AS repeatedly applies its local routing policy to select a single available route to each destination, and announces that route to its neighbors.

BGP routing suffers from a number of serious problems:

Bogus routing information. Because the Internet currently lacks infrastructure to validate the correctness of information in routing messages (e.g., does the route actually exist? is one AS impersonating another?), an AS can announce bogus routes and, thus, influence the routes selected by other ASes. We see this quite frequently in practice [1]; a typical cause is a configuration error [7], but we also worry about attacks where a router deliberately manipulates routing information, thereby drawing traffic to its network [8].

Instability. BGP allows ASes great expressiveness in configuring local routing policies. Unfortunately, these routing policies can interact in ways that lead to persistent routing oscillations, i.e., situations where some ASes endlessly change the route they select, even when the network structure is static (in terms of network topology, ASes’ routing policies, etc.). BGP oscillations render the network unpredictable and can significantly harm network performance [5].

On the bright side, we have never seen events in which bogus routing information has inadvertently led to a BGP instability. One might claim that the anomalies we have seen in the wild were never intended to create BGP instabilities. However, given the delicate conditions required to avoid BGP instabilities [3,4], the fact that a misbehaving AS has never caused the system to tip into an unstable state is quite surprising. How, then, can we explain the observed stability of today’s Internet in the face of common errors and attacks?

This work sheds light on this phenomenon by first noticing that almost every observed misconfiguration/attack to date shares a common characteristic: even when a router announces egregiously bogus information, it will continue to announce the same bogus information for the duration of its misconfiguration/attack. We call this a “fixed-route attack”, and show that although fixed-route attacks can destabilize a network in general, the routing policies used in today’s Internet prevent such attacks from triggering instabilities.

2. OUR MODEL

We model (see [6]) BGP dynamics in the presence of fixed-route attackers, extending the standard model of BGP dynamics [4]. The network is modeled as an undirected graph G = (V, E), where the node (vertex) set represents the ASes, and the edge set represents BGP communication links. The vertex set contains a unique destination node d to which all other nodes in V aim to establish routes.(1) The routing system evolves over an infinite sequence of discrete time steps, where at each time step a subset of the nodes is “activated”.

Whenever a non-attacker node is activated it executes the following actions: (1) process the most recent BGP route announcements received from neighboring nodes; (2) select a single “best” available route according to a local ranking of routes; and (3) announce this route to a subset of the neighboring nodes via update messages according to a local “route-export policy”.

When an attacker node is activated, it announces a fixed route (list of nodes ending in d) to each neighbor. Other than requiring that the attacker announce the same route to a given neighbor for the duration of the attack, no other restrictions are imposed on the attacker. The attacker can pretend to be the destination (announce “d”), announce different (fixed!) routes to different neighbors, announce no route to some neighbors, etc.

We seek conditions which imply guaranteed network stability, i.e., that from some moment forth, every non-attacker node’s chosen route remains unchanged, for every choice of initial state of the system and of “fair” schedule of node activation and update message arrivals. (In “fair” schedules, no node is indefinitely starved from acting, or from receiving update messages from a neighbor.) Update messages in our model can be arbitrarily delayed and even dropped, and our positive results do not require assumptions on the order of update message arrivals.

(1) This is the standard model [4], as BGP establishes routes to every destination IP prefix independently.

3. OUR RESULTS

Network-destabilizing fixed-route attacks. A stable network can be rendered unstable even by a single fixed-route attacker. Consider, for instance, the network in the figure, where each node’s ranking of routes is as depicted beside it.

[Figure: the network, with nodes d, 0, 1, 2 and 3 and each node’s ranking of routes beside it. Node 1: 130d, 10d, 1d. Node 2: 210d, 20d, 2d. Node 3: 320d, 30d, 3d.]

Suppose each node is willing to export any route to any neighbor. Before node 0 launches an attack, even though each of nodes 1, 2, and 3 prefers the longer routes to d via node 0, these routes are not available as the link (0, d) does not exist. Thus, each of these nodes will choose the direct route to d, and the network is stable. After 0 launches a fixed-route attack by announcing the bogus route “0, d” to all of its neighbors, this network becomes an instance of the classic Bad Gadget network [4], which is notoriously unstable! To understand why, suppose that nodes 1 and 2 think they are routing along 2, 1, 0, d, while node 3 thinks it uses the route 3, 0, d. This is unstable, since node 1 would rather be using the route 1, 3, 0, d, and so it will change its route selection. By symmetry, this situation will repeat endlessly.

We identify two interesting environments where stability is maintained in the presence of fixed-route attackers. We also quantify convergence rate in terms of asynchronous rounds [2, 9], i.e., periods of time in which each node is activated (at least once) after receiving an update message from each neighbor. Our positive results hold for any network topology, and regardless of the number and locations of the fixed-route attackers, and of the specific fixed-route attacks launched.

Shortest-path routing is stable in the presence of fixed-route attacks. We first consider the scenario that all non-attackers have shortest-path rankings of routes, i.e., always prefer shorter to longer routes. The following holds for all route-export policies:

Theorem 1: When all nodes have shortest-path rankings, convergence to a stable routing state is guaranteed within |V| asynchronous rounds even in the presence of fixed-route attacks.

To gain intuition, suppose that there is a single fixed-route attacker that pretends to be the destination by announcing “d” to all of its neighbors and that every non-attacker node is willing to export all routes to every neighboring node. In a single asynchronous round, every (non-attacker) node that is directly connected to either the real destination node, or the attacker (or both), will inevitably learn of the existence of the (real or “fake”) destination, select the direct route to the (real or “fake”) destination, and not change its choice thereafter. We can use this argument to iteratively fix all nodes’ routes within |V| asynchronous rounds. In [6] we extend this argument to multiple attackers, and to arbitrary fixed-route attacks and route-export policies.

Commercial routing is stable in the presence of fixed-route attacks. While the exact routing policies ASes use in practice are proprietary and unknown, the following commercial routing framework of Gao and Rexford [3] is widely believed to capture most of the routing policies used in practice. Typically, neighboring ASes have one of two bilateral business relationships: customer-provider, in which the customer purchases connectivity from the provider, and peering, in which the two peers carry transit traffic between their customers for free. These business relationships naturally induce restrictions on ASes’ routing policies: (1) an AS prefers revenue-generating routes through customers over routes through its peers and providers; and (2) an AS only carries traffic from one neighbor to another neighbor if at least one of them pays it, i.e., is its customer. ([3] assumes that there can be no cycle of customer-provider edges in the AS-level digraph, as an AS cannot be an indirect customer of itself.) Our main result is in the Gao-Rexford framework:

Theorem 2: If all nodes have commercial routing policies, convergence to a stable routing state is guaranteed within 2X + 1 asynchronous rounds even in the presence of fixed-route attacks, where X is the depth of the customer-provider hierarchy.

Like the proof of Theorem 1, the proof of Theorem 2 iteratively fixes nodes’ routes. Here, however, this iterative stabilization argument is more delicate and involves two traversals of the customer-provider hierarchy (hence the 2X factor). In today’s Internet, the depth of the customer-provider hierarchy is very shallow (roughly 5 levels on average). Hence, commercial routing guarantees not only network stability, but also fast convergence, even in the presence of fixed-route attacks.

4. REFERENCES

[1] J. Cowie. Renesys blog: China’s 18-minute mystery. http://www.renesys.com/blog/2010/11/chinas-18-minute-mystery.shtml.
[2] S. Dolev and N. Tzachar. Empire of colonies: Self-stabilizing and self-organizing distributed algorithms. In OPODIS, pages 230–243, 2006.
[3] L. Gao and J. Rexford. Stable Internet routing without global coordination. Trans. on Networking, 2001.
[4] T. Griffin, F. B. Shepherd, and G. Wilfong. The stable paths problem and interdomain routing. Trans. on Networking, 2002.
[5] N. Kushman, S. Kandula, and D. Katabi. Can you hear me now?!: it must be BGP. SIGCOMM Comput. Commun. Rev., 37:75–84, March 2007.
[6] R. Lychev, S. Goldberg, and M. Schapira. Network destabilizing attacks. Arxiv Report 1203.1281, March 2012.
[7] S.A. Misel. “Wow, AS7007!”. Merit NANOG Archive, April 1997. http://www.merit.edu/mail.archives/nanog/1997-04/msg00340.html.
[8] Renesys Blog. Pakistan hijacks YouTube. http://www.renesys.com/blog/2008/02/pakistan_hijacks_youtube_1.shtml.
[9] R. Sami, M. Schapira, and A. Zohar. Searching for stability in interdomain routing. In INFOCOM 2009, IEEE, pages 549–557, April 2009.
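
The Bad Gadget instance and the shortest-path contrast described above can be checked mechanically. The following is an added example, not code from the paper or its authors: it uses the rankings of the paper's figure, and it assumes a synchronous schedule in which nodes 1, 2 and 3 are activated together in every round; the function and variable names are hypothetical.

```python
from itertools import product

# Rankings from the paper's figure, most preferred first (routes as node tuples).
BAD_GADGET = {
    1: [(1, 3, 0, "d"), (1, 0, "d"), (1, "d")],
    2: [(2, 1, 0, "d"), (2, 0, "d"), (2, "d")],
    3: [(3, 2, 0, "d"), (3, 0, "d"), (3, "d")],
}
# Same permitted routes, re-ranked shortest first (the setting of Theorem 1).
SHORTEST = {n: sorted(routes, key=len) for n, routes in BAD_GADGET.items()}
ATTACK = (0, "d")  # node 0's fixed bogus announcement; None means no attack


def best(rank, node, chosen, attacker_route):
    """Best-ranked route `node` can build from its neighbors' announcements."""
    announced = {**chosen, 0: attacker_route, "d": ("d",)}
    for route in rank[node]:
        if announced[route[1]] == route[1:]:  # next hop announces the tail
            return route
    return None


def step(rank, chosen, attacker_route):
    """Activate nodes 1, 2 and 3 together, each reacting to the previous state."""
    return {n: best(rank, n, chosen, attacker_route) for n in rank}


def stable_states(rank, attacker_route):
    """Every route assignment in which no node wants to change its route."""
    nodes = sorted(rank)
    options = [rank[n] + [None] for n in nodes]
    states = (dict(zip(nodes, combo)) for combo in product(*options))
    return [s for s in states if step(rank, s, attacker_route) == s]


def run(rank, attacker_route, rounds=12):
    """Per-round route choices, starting from a state with no routes selected."""
    chosen, history = {n: None for n in rank}, []
    for _ in range(rounds):
        chosen = step(rank, chosen, attacker_route)
        history.append(chosen)
    return history


if __name__ == "__main__":
    print("stable states, no attack:   ", stable_states(BAD_GADGET, None))
    print("stable states, under attack:", stable_states(BAD_GADGET, ATTACK))
    print("last rounds under attack:   ", run(BAD_GADGET, ATTACK)[-2:])
    print("shortest-path, under attack:", run(SHORTEST, ATTACK)[-1])
```

The exhaustive search in `stable_states` does not depend on the schedule: with the figure's rankings the attack leaves no stable assignment at all, while the shortest-first rankings keep the all-direct assignment stable under the same announcement.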