4 research outputs found

    The Maestro Attack: Orchestrating Malicious Flows with BGP

    We present the Maestro Attack, a Link Flooding Attack (LFA) that leverages Border Gateway Protocol (BGP) engineering techniques to improve the flow density of botnet-sourced Distributed Denial of Service (DDoS) on transit links. Specific-prefix routes poisoned for certain Autonomous Systems (ASes) are advertised by a compromised network operator to channel bot-to-bot flows over a target link. Publicly available AS relationship data feeds a greedy heuristic that iteratively builds a poison set of ASes to perform the attack. Given a compromised BGP speaker with advantageous positioning relative to the target link in the Internet topology, an adversary can expect to enhance flow density by more than 30 percent. For a large botnet (e.g., Mirai), the bottom line result is augmenting the DDoS by more than a million additional infected hosts. Interestingly, the size of the adversary-controlled AS plays little role in this effect; attacks on large core links can be effected by small, resource-limited ASes. Link vulnerability is evaluated across several metrics, including BGP betweenness and botnet flow density, and we assess where an adversary must be positioned to execute the attack most successfully. Mitigations are presented for network operators seeking to insulate themselves from this attack.

    Interdomain Route Leak Mitigation: A Pragmatic Approach

    The Internet has grown to support many vital functions, but it is not administered by any central authority. Rather, the many smaller networks that make up the Internet - called Autonomous Systems (ASes) - independently manage their own distinct host address space and routing policy. Routers at the borders between ASes exchange information about how to reach remote IP prefixes with neighboring networks over the control plane with the Border Gateway Protocol (BGP). This inter-AS communication connects hosts across AS boundaries to build the illusion of one large, unified global network - the Internet. Unfortunately, BGP is a dated protocol that allows ASes to inject virtually any routing information into the control plane. The Internet’s decentralized administrative structure means that ASes lack visibility of the relationships and policies of other networks, and have little means of vetting the information they receive. Routes are global, connecting hosts around the world, but AS operators can only see routes exchanged between their own network and directly connected neighbor networks. This mismatch between global route scope and local network operator visibility gives rise to adverse routing events like route leaks, which occur when an AS advertises a route that should have been kept within its own network by mistake. In this work, we explore our thesis: that malicious and unintentional route leaks threaten Internet availability, but pragmatic solutions can mitigate their impact. Leaks effectively reroute traffic meant for the leak destination along the leak path. This diversion of flows onto unexpected paths can cause broad disruption for hosts attempting to reach the leak destination, as well as obstruct the normal traffic on the leak path. 
These events are usually due to misconfiguration and not malicious activity, but we show in our initial work that routing-capable adversaries can weaponize route leaks and fraudulent path advertisements to enhance data plane attacks on Internet infrastructure and services. Existing solutions like Internet Routing Registry (IRR) filtering have not succeeded in solving the route leak problem, as globally disruptive route leaks still periodically interrupt the normal functioning of the Internet. We examine one relatively new solution - Peerlocking or defensive AS PATH filtering - where ASes exchange topological information to secure their networks. Our measurements reveal that Peerlock is already deployed in defense of the largest ASes, but has found little purchase elsewhere. We conclude by introducing a novel leak defense system, Corelock, designed to provide Peerlock-like protection without the scalability concerns that have limited Peerlock’s scope. Corelock builds meaningful route leak filters from globally distributed route collectors and can be deployed without cooperation from other network

    Hematopoiesis and leukemogenesis in mice expressing oncogenic NrasG12D from the endogenous locus

    NRAS is frequently mutated in hematologic malignancies. We generated Mx1-Cre, Lox-STOP-Lox (LSL)-NrasG12D mice to comprehensively analyze the phenotypic, cellular, and biochemical consequences of endogenous oncogenic Nras expression in hematopoietic cells. Here we show that Mx1-Cre, LSL-NrasG12D mice develop an indolent myeloproliferative disorder but ultimately die of a diverse spectrum of hematologic cancers. Expressing mutant Nras in hematopoietic tissues alters the distribution of hematopoietic stem and progenitor cell populations, and Nras mutant progenitors show distinct responses to cytokine growth factors. Injecting Mx1-Cre, LSL-NrasG12D mice with the MOL4070LTR retrovirus causes acute myeloid leukemia that faithfully recapitulates many aspects of human NRAS-associated leukemias, including cooperation with deregulated Evi1 expression. The disease phenotype in Mx1-Cre, LSL-NrasG12D mice is attenuated compared with Mx1-Cre, LSL-KrasG12D mice, which die of aggressive myeloproliferative disorder by 4 months of age. We found that endogenous KrasG12D expression results in markedly elevated Ras protein expression and Ras-GTP levels in Mac1+ cells, whereas Mx1-Cre, LSL-NrasG12D mice show much lower Ras protein and Ras-GTP levels. Together, these studies establish a robust and tractable system for interrogating the differential properties of oncogenic Ras proteins in primary cells, for identifying candidate cooperating genes, and for testing novel therapeutic strategies