
    SEAD-FHC: Secure Efficient Distance Vector Routing with Fixed Hash Chain length

    Ad hoc networks are highly dynamic routing networks formed by a cooperating collection of wireless mobile hosts without the assistance of any centralized access point. Secure Efficient Ad hoc Distance Vector (SEAD) is a proactive routing protocol based on the design of the Destination Sequenced Distance Vector (DSDV) routing protocol. SEAD is robust against attackers trying to create incorrect routing state in other nodes. However, the computational cost of creating and evaluating the hash chain increases with the number of hops in the routing path. In this paper, we propose Secure Efficient Ad hoc Distance Vector with fixed hash chain length (SEAD-FHC for short), a protocol that minimizes and stabilizes the computational complexity, which in turn reduces delay and increases throughput. A series of simulation experiments are conducted to evaluate the performance

    Analysis of Effects of BGP Black Hole Routing on a Network like the NIPRNET

    The Department of Defense (DoD) relies heavily on the Non-secure Internet Protocol Router Network (NIPRNET) to exchange information freely between departments, services, bases, posts, and ships. The NIPRNET is vulnerable to various attacks, including physical and cyber attacks. One of the cyber attacks most frequently used by criminally motivated hackers is a Distributed Denial of Service (DDoS) attack. DDoS attacks can be used to exhaust network bandwidth and router processing capabilities, and as leverage for extortion. Border Gateway Protocol (BGP) black hole routing is a responsive defensive network technique for mitigating DDoS attacks. BGP black hole routing directs traffic destined to an Internet address under attack to a null address, essentially stopping the DDoS attack by dropping all traffic to the targeted system. This research examines the ability of BGP black hole routing to effectively defend a network like the NIPRNET from a DDoS attack, and examines two different techniques for triggering BGP black hole routing during a DDoS attack. This thesis presents experiments with three different DDoS attack scenarios to determine the effectiveness of BGP black hole routing. Remote-triggered black hole routing is then compared against customer-triggered black hole routing to examine how well each technique reacts under a DDoS attack. The results from this study show BGP black hole routing to be highly successful. They also show that remote-triggered black hole routing is much more effective than customer-triggered

    A FRAMEWORK FOR DEFENDING AGAINST PREFIX HIJACK ATTACKS

    Border Gateway Protocol (BGP) prefix hijacking is a serious problem in the Internet today. Although several services are offered to detect a prefix hijack, little work has been done to prevent a hijack or to continue providing network service during a prefix hijack attack. This thesis proposes a novel framework for defending against prefix hijacking which can be offered as a service by Content Distribution Networks and large Internet Service Providers. Our experiments revealed that the hijack success rate was reduced from 90.36% to 30.53% at Tier 2, from 84.65% to 10.98% at Tier 3 and from 82.45% to 8.39% at Tier 4 when using the Autonomous Systems (ASs) of Akamai as the Hijack Prevention Service Provider. We also observed that 70% of the data captured by the Hijack Prevention Service Provider (HPSP) can be routed back to the victim. However, if we use tunneling, i.e., routing data to neighbors of the victim, which in turn forward the traffic to the victim, we observed that data can be routed to the victim 98.09% of the time. Also, the cost of such redirection is minimal, since the average increase in path length was observed to be 2.07 AS hops

    Optimization of BGP Convergence and Prefix Security in IP/MPLS Networks

    Multi-Protocol Label Switching-based networks are the backbone of the Internet, which communicates through the Border Gateway Protocol, the protocol that connects distinct networks, referred to as Autonomous Systems, together. As the technology matures, so do the challenges caused by the extreme growth rate of the Internet. The number of BGP prefixes required to support such an increase in connectivity introduces multiple new critical issues, such as the scalability and the security of the Border Gateway Protocol. An implementation of an IP/MPLS core transmission network is illustrated through the introduction of the four main pillars of an Autonomous System: Multi-Protocol Label Switching, Border Gateway Protocol, Open Shortest Path First and the Resource Reservation Protocol. The symbiosis of these technologies is used to introduce the practicalities of operating an IP/MPLS-based ISP network with traffic engineering and fault resilience at heart. The first research objective of this thesis is to determine whether the deployment of a new BGP feature, referred to as BGP Prefix Independent Convergence (PIC), within AS16086 would be a worthwhile endeavour. This BGP extension aims to reduce the convergence delay of BGP prefixes inside an IP/MPLS core transmission network, thus improving the network's resilience against faults. Simultaneously, the second research objective was to survey the available mechanisms for protecting BGP prefixes, such as the implementation of the Resource Public Key Infrastructure and the Artemis BGP Monitor for proactive and reactive security of BGP prefixes within AS16086. The prospective future deployment of BGPsec is discussed to form an outlook on the future of IP/MPLS network design.
The trust-based nature of BGP as a protocol has become a distinct vulnerability, necessitating the use of various technologies to secure the communications between the Autonomous Systems that form the network to end all networks, the Internet

    A software defined networking architecture for secure routing

    Master's thesis, Information Security, Universidade de Lisboa, Faculdade de Ciências, 2014. The size and acceptance the Internet has gained has helped innovation and sharing among users, but in return has increased the risk of both the Internet infrastructure and the people who use it becoming targets of cyber-attacks. This is only a partial view of the problem, since to support the growing use of the Internet the infrastructure grew without the maturation of several protocols and algorithms that perform some of the most basic services we deal with every day on the Internet. One of the best examples is the Border Gateway Protocol, a routing information exchange protocol that has been in use for more than 20 years but has several known security problems. The initial design of the protocol, combined with the inefficiency of traditional networks, has prevented the adoption of the various security additions already proposed for the protocol. The protocol has no security updates that protect it against the various types of attacks already discovered, such as prefix hijacking, interception and data-plane attacks. These attacks can have serious consequences over non-negligible periods of time, as reported in [33, 19]. Existing proposals, such as S-BGP [27], soBGP [48] and Origin Authentication [12], although effective in protecting against one or more attacks on BGP, have not been adopted in practice due to their high computational or deployment requirements. In this work we summarize the problems with adopting security solutions in three main points: 1. Some solutions require computational power or memory capacity that not all network devices currently running BGP can support; 2. The solution requires changes to the BGP protocol in use; 3. The solution does not guarantee immediate security benefits to the AS that adopts it. Current research has concluded that many of the problems of traditional networks arise from the need for network devices to participate in complex protocols in order to perform network functions that go beyond their purpose: forwarding packets [24]. As a consequence, networks have become quite complex and therefore hard to manage and scale. The lack of security is also rooted in this problem. As an alternative to traditional networks, the scientific community and industry have been adopting a new type of network, Software Defined Networks (SDN). These networks separate the control plane from the data plane, moving all network logic and state to a logically centralized controller and leaving network devices with only the task of forwarding packets. SDN controllers implement network functions through applications that run in the controller's own environment instead of forcing network devices to implement those protocols. One of these controllers is OpenDaylight, which has the support of some of the biggest names in the industry such as Cisco, IBM, HP and Juniper, and is expected to become the main reference in the future. In this work we propose two SDN applications for the OpenDaylight controller: RFProxy and BGPSec. RFProxy is one of the three base components of the RouteFlow application, a routing services platform for SDN. RFProxy is the only component of the application that runs in the controller and is responsible for managing and configuring the switches according to the decisions made by RFServer. This application increases the number of options for using RouteFlow and provides an advanced and efficient routing platform for OpenDaylight. The BGPSec application aims to provide protection against prefix hijacking attacks, where an attacker tries to redirect all traffic destined for an AS to itself. This protection is achieved by validating the data received from BGP. By using an application to validate BGP announcements instead of forcing network devices to perform this processing, the design and implementation become simpler and allow a wider set of options compared with the implementations required in traditional networks. Using an SDN application for this purpose is innovative and brings advantages over traditional networks. In particular, the SDN environment makes it possible to mitigate the first two adoption problems of a security extension, by moving the processing to the controller and by not requiring a change to the BGP protocol. The main contributions of this work can be summarized as follows: 1. Implementation and evaluation of an advanced routing service in an SDN environment, namely for the OpenDaylight controller; 2. Analysis of the security problems of BGP and of the security extensions already proposed for traditional networks; 3. Design, implementation and evaluation of an SDN-based security application for BGP.
    The Internet has evolved from a small group of interconnected computers to an infrastructure that supports billions of devices including computers, smartphones, etc., all with increasing demands in terms of network requirements. The architecture of traditional networks hinders their capability of fulfilling these demands, mainly due to the tight coupling of the data and control planes. Network devices are required to handle and participate in complex distributed protocols to perform network tasks such as routing, making networks very complex and thus affecting their scalability, performance, management and ease of innovation. The Border Gateway Protocol, the de facto protocol for routing between Autonomous Systems (ASes), is one of the fundamental protocols for the operation of the Internet. However, it was created at a time when the Internet was composed of fewer ASes that trusted each other and the information they provided, which is now unsafe to assume. The growth of the Internet also resulted in an increase in attacks against the Internet routing infrastructure, and several misbehaviors have been detected, either due to attacks against the protocol or to misconfiguration. Although several solutions have been presented to solve the security issues of BGP, no proposal has yet been adopted, for three main reasons: (1) the solution requires either computational power or memory that not all currently deployed BGP speakers are able to provide; (2) the solution incurs changes to the BGP protocol currently in use; (3) the solution does not bring immediate security benefits to the adopting AS. Software-Defined Networking (SDN) is an emerging network paradigm that aims to solve the problems of traditional networks by decoupling the data and control planes, moving the latter to a logically centralized controller while making network devices execute solely the former. All network tasks and applications run on top of the controller, which abstracts the network and greatly simplifies the development and testing of new applications and protocols. Forwarding rules are installed and removed using OpenFlow, a vendor-independent communications protocol for SDNs. Several SDN controllers have been developed by different companies and researchers, several of them open source. One such controller is OpenDaylight (ODL), supported by some of the top names in the IT industry (e.g. Cisco, IBM, HP). The goal of ODL is to create a reference controller and help accelerate SDN evolution and adoption. Although the controller is the core component of an SDN, network logic is performed by an application running on top of it. An example is RouteFlow, a routing platform that provides flexible and scalable IP routing services to an SDN. Routing decisions are made by creating a virtual network that mimics the topology of the physical infrastructure and by analyzing the routing tables of the virtual devices. RouteFlow is composed of three components: RFClient, RFServer and RFProxy, with the latter running in the controller. The first contribution of this work is the implementation and evaluation of the RFProxy module for the OpenDaylight controller. An SDN architecture provides a new environment in which to improve BGP security through an application that runs on top of the controller. Such an approach mitigates the first two adoption problems mentioned above by offloading the additional processing to the controller and by not requiring changes to the BGP protocol. The other contribution of this work is the study and analysis of the BGP security problems and traditional solutions, and how to address them in an SDN environment. We implemented and evaluated BGPSec, a security application for the OpenDaylight controller that provides the network with protection against prefix hijacking attacks, where a malicious AS tries to direct the traffic destined to an AS onto itself

    Multipath inter-domain policy routing

    Dissertation submitted for the degree of Doctor in Electrical and Computer Engineering. Routing can be abstracted as a path finding problem in a graph that models the network. The problem can be modelled using an algebraic approach that describes the way routes are calculated and ranked. The shortest path problem is the most common form and consists in finding the path with the smallest cost. The inter-domain scenario introduces some new challenges to the routing problem: routing is performed between independently configured and managed networks; the ranking of the paths is not based on measurable metrics but on policies; and forwarding is destination-based and hop-by-hop. In this thesis we start from the Border Gateway Protocol (BGP), identifying its main problems and elaborating on some ideal characteristics of a routing protocol suited to the inter-domain reality. The main areas and contributions of this work are the following: The current state of the art in algebraic modeling of routing problems is used to provide a list of possible alternative conditions for the correct operation of such protocols. For each condition the consequences in terms of optimality and network restrictions are presented. A routing architecture for the inter-domain scenario is presented. It is proven that it achieves a multipath routing solution in finite time without causing forwarding loops. We discuss its advantages and weaknesses. A traffic-engineering scheme is designed to take advantage of the proposed architecture. It works using only local information and the cooperation of remote ASes to minimize congestion in the network with minimal signalling. Finally, a general model of a routing protocol based on hierarchical policies is used to study how efficient the protocol operation is when the correctness conditions are met. This results in some conclusions on how the policies should be chosen and applied in order to achieve specific goals.
    Portuguese Science and Technology Foundation (FCT/MCTES) grant SFRH/BD/44476/2008; CTS multi-annual funding project PEst OE/EEI/UI0066/2011; MPSat project PTDC/EEA TEL/099074/2008; OPPORTUNISTICCR project PTDC/EEA-TEL/115981/2009; Fentocells project PTDC/EEA TEL/120666/201

    Distributed Internet security and measurement

    The Internet has developed into an important economic, military, academic, and social resource. It is a complex network, comprised of tens of thousands of independently operated networks, called Autonomous Systems (ASes). A significant strength of the Internet's design, one which enabled its rapid growth in terms of users and bandwidth, is that its underlying protocols (such as IP, TCP, and BGP) are distributed. Users and networks alike can attach to and detach from the Internet at will, without causing major disruptions to global Internet connectivity. This dissertation shows that the Internet's distributed, and often redundant, structure can be exploited to increase the security of its protocols, particularly BGP (the Internet's interdomain routing protocol). It introduces Pretty Good BGP, an anomaly detection protocol coupled with an automated response that can protect individual networks from BGP attacks. It also presents statistical measurements of the Internet's structure and uses them to create a model of Internet growth. This work could be used, for instance, to test upcoming routing protocols on ensembles of large, Internet-like graphs. Finally, this dissertation shows that while the Internet is designed to be agnostic to political influence, it is actually quite centralized at the country level. With the recent rise in country-level Internet policies, such as nation-wide censorship and warrantless wiretaps, this centralized control could have a significant impact on international reachability