The use of maxLength in the RPKI
This document recommends that operators avoid using the maxLength attribute when issuing Route Origin Authorizations (ROAs) in the Resource Public Key Infrastructure (RPKI). These recommendations complement those in [RFC7115].
https://datatracker.ietf.org/doc/draft-yossigi-rpkimaxlen/
First author draf
Evaluation of the Deployment Status of RPKI and Route Filtering
The Border Gateway Protocol (BGP) is an essential infrastructure element, often termed “the glue that keeps the Internet together”. Even in its current version 4, BGP lacks essential security mechanisms that would allow routing information distributed through BGP to be validated for authenticity and integrity. While mechanisms like BGPsec were proposed many years ago, they have so far not found widespread adoption, and many experts believe they never will because of their inherent complexity.
To ensure a minimal level of protection, most Internet service providers (ISPs) rely on heuristic filtering of routing information advertised by neighboring autonomous systems (ASes). One approach is called Path Origin Validation, where an ISP tries to verify whether the AS advertising a certain IP prefix is actually the legitimate owner of that prefix.
The Abandoned Side of the Internet: Hijacking Internet Resources When Domain Names Expire
The vulnerability of the Internet has been demonstrated by prominent IP prefix hijacking events. Major outages such as the China Telecom incident in 2010 stimulate speculation about malicious intentions behind such anomalies. Surprisingly, almost all discussions in the current literature assume that hijacking incidents are enabled by the lack of security mechanisms in the inter-domain routing protocol BGP. In this paper, we discuss an attacker model that accounts for the hijacking of network ownership information stored in Regional Internet Registry (RIR) databases. We show that such threats emerge from abandoned Internet resources (e.g., IP address blocks, AS numbers). When DNS names expire, attackers gain the opportunity to take resource ownership by re-registering domain names that are referenced by corresponding RIR database objects. We argue that this kind of attack is more attractive than conventional hijacking, since the attacker can act in full anonymity on behalf of a victim. Although corresponding incidents have been observed in the past, current detection techniques are not qualified to deal with these attacks. We show that they are feasible with very little effort, and analyze the risk potential of abandoned Internet resources for the European service region: our findings reveal that currently 73 /24 IP prefixes and 7 ASes are vulnerable to stealthy abuse. We discuss countermeasures and outline research directions towards preventive solutions.
Comment: Final version for TMA 201
Analysis of RPKI Deployment in Brazil
Prefix hijacking is a problem we currently face on the Internet that can lead to the unavailability of an ASN or to theft of information. There are several tools to protect against this type of attack, RPKI being the most promising: digital certificates are created to authorize an ASN to announce a given prefix, and Brazil is adopting this solution. In this final-year project we analyze the growth of RPKI deployment during this first year of adoption in Brazil. We also correlate information showing that training in the use of this tool has significantly driven the growth of RPKI adoption.
Why internet protocols need incentives
Internet routers are a commons. While modest regulatory measures have generally been successful for Information and Communication Technologies (ICT), this paper argues that the lack of regulation has hindered the technological evolution of the Internet in some areas. This issue is examined through five Internet problems and the technological solutions adopted for them. The key contribution of this paper is the explanation of these issues and the identification of areas where misaligned incentives promote inadequate solutions or inaction. The paper reviews the available measures to encourage the adoption of globally beneficial Internet technologies.
BGP Hijacking Classification
Recent reports show that BGP hijacking has increased substantially. BGP hijacking allows malicious ASes to obtain IP prefixes for spamming as well as for intercepting or blackholing traffic. While systems to prevent hijacks are hard to deploy and require the cooperation of many other organizations, techniques to detect hijacks have been a popular area of study. In this paper, we classify detected hijack events in order to document BGP detectors' output and understand the nature of reported events. We introduce four categories of BGP hijack: typos, prepending mistakes, origin changes, and forged AS paths. We leverage AS hegemony, a measure of dependency in AS relationships, to identify forged AS paths in a fast and efficient way. We also use heuristic approaches to find common operators' mistakes such as typos and AS prepending mistakes. The proposed approach classifies our collected ground truth into four categories with 95.71% accuracy. We characterize publicly reported alarms (e.g. BGPMon) with our trained classifier and find 4%, 1%, and 2% of typos, prepend mistakes, and BGP hijacking with a forged AS path, respectively.
Securing Internet Applications from Routing Attacks
Attacks on Internet routing are typically viewed through the lens of availability and confidentiality, assuming an adversary that either discards traffic or performs eavesdropping. Yet, a strategic adversary can use routing attacks to compromise the security of critical Internet applications like Tor, certificate authorities, and the bitcoin network. In this paper, we survey such application-specific routing attacks and argue that both application-layer and network-layer defenses are essential and urgently needed. While application-layer defenses are easier to deploy in the short term, we hope that our work serves to provide much needed momentum for the deployment of network-layer defenses.