1,312 research outputs found

    Interdomain Route Leak Mitigation: A Pragmatic Approach

    The Internet has grown to support many vital functions, but it is not administered by any central authority. Rather, the many smaller networks that make up the Internet - called Autonomous Systems (ASes) - independently manage their own distinct host address space and routing policy. Routers at the borders between ASes exchange information about how to reach remote IP prefixes with neighboring networks over the control plane with the Border Gateway Protocol (BGP). This inter-AS communication connects hosts across AS boundaries to build the illusion of one large, unified global network - the Internet. Unfortunately, BGP is a dated protocol that allows ASes to inject virtually any routing information into the control plane. The Internet’s decentralized administrative structure means that ASes lack visibility of the relationships and policies of other networks, and have little means of vetting the information they receive. Routes are global, connecting hosts around the world, but AS operators can only see routes exchanged between their own network and directly connected neighbor networks. This mismatch between global route scope and local network operator visibility gives rise to adverse routing events like route leaks, which occur when an AS advertises a route that should have been kept within its own network by mistake. In this work, we explore our thesis: that malicious and unintentional route leaks threaten Internet availability, but pragmatic solutions can mitigate their impact. Leaks effectively reroute traffic meant for the leak destination along the leak path. This diversion of flows onto unexpected paths can cause broad disruption for hosts attempting to reach the leak destination, as well as obstruct the normal traffic on the leak path. 
These events are usually due to misconfiguration and not malicious activity, but we show in our initial work that routing-capable adversaries can weaponize route leaks and fraudulent path advertisements to enhance data plane attacks on Internet infrastructure and services. Existing solutions like Internet Routing Registry (IRR) filtering have not succeeded in solving the route leak problem, as globally disruptive route leaks still periodically interrupt the normal functioning of the Internet. We examine one relatively new solution - Peerlocking or defensive AS PATH filtering - where ASes exchange topological information to secure their networks. Our measurements reveal that Peerlock is already deployed in defense of the largest ASes, but has found little purchase elsewhere. We conclude by introducing a novel leak defense system, Corelock, designed to provide Peerlock-like protection without the scalability concerns that have limited Peerlock’s scope. Corelock builds meaningful route leak filters from globally distributed route collectors and can be deployed without cooperation from other network

    A Quantitative Framework for Assessing Vulnerability and Redundancy of Freight Transportation Networks

    Freight transportation networks are an important component of everyday life in modern society. Disruption to these networks can make people’s daily lives extremely difficult as well as seriously cripple economic productivity. This dissertation develops a quantitative framework for assessing vulnerability and redundancy of freight transportation networks. The framework consists of three major contributions: (1) a two-stage approach for estimating a statewide truck origin-destination (O-D) trip table, (2) a decision support tool for assessing vulnerability of freight transportation networks, and (3) a quantitative approach for measuring redundancy of freight transportation networks. The dissertation first proposes a two-stage approach to estimate a statewide truck O-D trip table. The proposed approach is supported by two sequential stages: the first stage estimates a commodity-based truck O-D trip table using the commodity flows derived from the Freight Analysis Framework (FAF) database, and the second stage uses the path flow estimator (PFE) concept to refine the truck trip table obtained from the first stage using the truck counts from the statewide truck count program. The model allows great flexibility of incorporating data at different spatial levels for estimating the truck O-D trip table. The results from the second stage provide us a better understanding of truck flows on the statewide truck routes and corridors, and allow us to better manage the anticipated impacts caused by network disruptions. A decision support tool is developed to facilitate the decision making system through the application of its database management capabilities, graphical user interface, GIS-based visualization, and transportation network vulnerability analysis. The vulnerability assessment focuses on evaluating the statewide truck-freight bottlenecks/chokepoints.
This dissertation proposes two quantitative measures: O-D connectivity (or detour route) in terms of distance and freight flow pattern change in terms of vehicle miles traveled (VMT). The case study adopts a “what-if” analysis approach by generating the disruption scenarios of the structurally deficient bridges in Utah due to earthquakes. In addition, the potential impacts of disruptions to multiple bridges in both rural and urban areas are evaluated and compared to the single bridge failure scenarios. This dissertation also proposes an approach to measure the redundancy of freight transportation networks based on two main dimensions: route diversity and network spare capacity. The route diversity dimension is used to evaluate the existence of multiple efficient routes available for users or the degree of connections between a specific O-D pair. The network spare capacity dimension is used to quantify the network-wide spare capacity with an explicit consideration of congestion effect. These two dimensions can complement each other by providing a two-dimensional characterization of freight transportation network redundancy. Case studies of the Utah statewide transportation network and coal multimodal network are conducted to demonstrate the features of the vulnerability and redundancy measures and the applicability of the quantitative assessment methodology