BGP Security in Partial Deployment: Is the Juice Worth the Squeeze?
As the rollout of secure route origin authentication with the RPKI slowly gains traction among network operators, there is a push to standardize secure path validation for BGP (i.e., S*BGP: S-BGP, soBGP, BGPSEC, etc.). Origin authentication already does much to improve routing security. Moreover, the transition to S*BGP is expected to be long and slow, with S*BGP coexisting in "partial deployment" alongside BGP for a long time. We therefore use a theoretical and experimental approach to study the security benefits provided by partially-deployed S*BGP, vis-a-vis those already provided by origin authentication. Because routing policies have a profound impact on routing security, we use a survey of 100 network operators to find the policies that are likely to be most popular during partial S*BGP deployment. We find that S*BGP provides only meagre benefits over origin authentication when these popular policies are used. We also study the security benefits of other routing policies, provide prescriptive guidelines for partially-deployed S*BGP, and show how interactions between S*BGP and BGP can introduce new vulnerabilities into the routing system.
Preventing Attacks on BGP Policies: One Bit is Enough
The Internet is comprised of many autonomous systems (ASes) managed by independent entities that use the Border Gateway Protocol (BGP) to route their traffic. Although it is the de facto standard for establishing paths across the Internet, BGP is not a secure protocol, and the Internet infrastructure often experiences attacks, such as prefix hijacking and attribute mangling, incurring great costs to the ASes that experience them. Various solutions have been proposed in response to these attacks, such as Secure BGP, but they do not address traffic attraction attacks that stem from export policy violations. In these attacks, malicious ASes can introduce paths that are legitimate from the protocol standpoint and yet malicious to the users of that protocol. Although these attacks have been studied before, no solution has yet been proposed. In this paper, we thoroughly characterize this set of attacks and propose a very lightweight and effective scheme to address them. Our scheme requires no manual configuration. We show that even if only a small fraction of ASes deploy our scheme, the number of possible attacks is reduced by an order of magnitude.
How Secure and Quick is QUIC? Provable Security and Performance Analyses
QUIC is a secure transport protocol developed by Google and implemented in Chrome in 2013, currently representing one of the most promising solutions to decreasing latency while intending to provide security properties similar to TLS. In this work we shed some light on QUIC's strengths and weaknesses in terms of its provable security and performance guarantees in the presence of attackers. We first introduce a security model for analyzing performance-driven protocols like QUIC and prove that QUIC satisfies our definition under reasonable assumptions on the protocol's building blocks. However, we find that QUIC does not satisfy the traditional notion of forward secrecy that is provided by some modes of TLS, e.g., TLS-DHE. Our analyses also reveal that with simple bit-flipping and replay attacks on some public parameters exchanged during the handshake, an adversary could easily prevent QUIC from achieving minimal latency advantages, either by having it fall back to TCP or by causing the client and server to have an inconsistent view of their handshake, leading to a failure to complete the connection. We have implemented these attacks and demonstrated that they are practical. Our results suggest that QUIC's security weaknesses are introduced by the very mechanisms used to reduce latency, which highlights the seemingly inherent trade-off between minimizing latency and providing 'good' security guarantees.
Evaluating security-enhanced interdomain routing protocols in full and partial deployment
The Internet consists of over 50 thousand smaller networks, called Autonomous Systems (ASes) (e.g., AT&T, Sprint, Google), that use the Border Gateway Protocol (BGP) to figure out how to reach each other. One way or another, we all rely on BGP because it is what glues the Internet together, but despite its crucial role, BGP remains vulnerable to propagation of bogus routing information due to malicious attacks or unintentional misconfigurations.
The United States Department of Homeland Security (DHS) views BGP security as part of its national strategy for securing the Internet, and there is a big push to standardize a secure variant of BGP (S*BGP) by the Internet Engineering Task Force (IETF). However, S*BGP properties and their impact on the Internet's routing infrastructure, especially in partial deployment, have not yet been fully understood.
To address this issue, in this thesis we use methodologies from applied cryptography, algorithms, and large scale simulations to study the following three key properties with respect to their deployment:
1. provable security guarantees,
2. stability in full and partial deployment with or without attackers,
3. benefits and harm resulting from full and partial deployment.
With our analysis we have discovered possible security weaknesses in previously proposed secure BGP variants and suggest possible fixes to address them. Our analysis also reveals that security benefits from partially deployed S*BGP are likely to be meager, unless a significant fraction of ASes deploy it. At the same time, complex interactions between S*BGP and the insecure, legacy BGP can introduce new vulnerabilities and instabilities into the Internet's routing infrastructure. We suggest possible strategies for mitigating such pitfalls and facilitating S*BGP deployment in practice.
Ph.D.
Designing Enforceable Network Contracts
Internet connectivity depends on contractual agreements between cooperating entities, such as administrative domains (ADs), where an agreement over a certain level of service is made. Contracts (e.g., SLAs) for providing certain levels of service must be enforceable, and ADs must have an incentive to meet their contractual obligations. Previous work has designed mechanisms for both pricing and network accountability, but no existing work examines contract structures with respect to different accountability frameworks, and how together they may affect an AD’s incentives to fulfill contracts. We study how different contract structures—in particular, path-based versus pairwise contracts—affect ADs’ incentives to establish contracts (which, in turn, can affect overall connectivity) and, once contracts are established, to forward traffic accordingly.
This paper presents several contributions. First, we derive sufficient conditions for path-based contract systems and accountability frameworks for entities to have an incentive to forward traffic according to their contracts, provided that all parties involved are rational. Second, we show that for path-based contracts at equilibrium where nodes are encouraged to fulfill their contracts, only a constant amount of monitoring is required for every participant to make a positive profit; this is not the case for pairwise contracts. Third, we show how systems that rely on pairwise contracts are prone to depeering in the presence of sufficient supply and demand due to coarse granularity, a contractual failure that systems which rely on path-based contracts are immune to. We propose modifications to pairwise contracts that could prevent such failures. Finally, we present situations of depeering that may be unpreventable due to maliciously behaving parties for both pairwise and path-based contract structures. For such scenarios, we show that while path-based contracts allow the sender of traffic to get reimbursed, this is not guaranteed in pairwise contract systems.
Provable Security of S-BGP and other Path Vector Protocols: Model, Analysis and Extensions
This paper provides a provable-security treatment of path vector routing protocols. We first design a security definition for path vector routing protocols by studying, generalizing, and formalizing numerous known threats. Our model incorporates three major security goals. It is quite strong, yet simple to use. We prove by reduction that S-BGP satisfies two out of the security model’s three goals, assuming the underlying signature scheme is secure. Under the same assumption, we next show how the protocol can be modified to meet all three security goals simultaneously. We also analyze SoBGP and show that it fails to meet two security goals. Finally, we study the security of partial PKI deployment of path vector protocols when not all nodes have public keys. We investigate the possibilities of relaxing the PKI requirement and relying on non-cryptographic physical security of networks that use the protocol in order to achieve possibly weaker, but still well-defined, notions of security. We also present the necessary and sufficient conditions to achieve full security in the partial PKI deployment scenario. We believe our conclusions will prove useful for protocol developers, standards bodies and government agencies.
Stepping-Stone Detection via Request-Response Traffic Analysis
In this paper, we propose a new method to detect stepping-stone intrusion by computing the linearity between the number of send packets and the number of echo packets. The linearity of two relayed connections is better than that of two non-relayed connections. We develop a connection-chain detection procedure that may be used as a stepping-stone detection tool. Our procedure is based on analyzing correlations between the frequencies at which cumulative numbers of packets are sent in outgoing connections and those at which packets are sent in the incoming connections. The experiment and simulation results show that this method can resist intruders’ time and chaff evasion better than other approaches.
Stepping-Stone Detection Via Request-Response Traffic Analysis
In this paper, we develop an algorithm that may be used as a stepping-stone detection tool. Our approach is based on analyzing correlations between the cumulative number of packets sent in outgoing connections and that of the incoming connections. We present a study of our method’s effectiveness with actual connections as well as simulations of time-jittering (introduction of inter-packet delay) and chaff (introduction of superfluous packets). Experimental results suggest that our algorithm works well in the following scenarios: (1) distinguishing connection chains that go through the same stepping-stone host and carry traffic of users who perform similar operations at the same time; and (2) distinguishing a single connection chain from unrelated incoming and outgoing connections even in the presence of chaff. The results suggest that time-jittering will not diminish our method’s usefulness.