A Firewall for Routers: Protecting Against Routing Misbehavior



1
A Firewall for Routers: Protecting Against Routing Misbehavior
  • Jia Wang
  • AT&T Labs-Research
  • Joint work with
  • Ying Zhang and Z. Morley Mao
  • University of Michigan

2
Interdomain routing: Border Gateway Protocol (BGP)
  • Disseminating routing information between ISPs
  • Incremental: an update indicates a routing change
  • Path vector based: list of ASes in the path
  • Policy based: route selection based on each ISP's
    policy
  • Controlling packet forwarding in the data plane

[Figure: AS B, AS C, AS D and the Internet, with the announcements "I can reach 141.213.15.0/24", "I can reach 141.213.15.0/24 via AS A" and "I can reach 141.213.15.0/24 via AS B A"]
3
Example: IP prefix hijacking
[Figure: source, destination, AS B, AS C, AS D, AS F and prefix p; a BGP announcement for prefix p; path labels for d: A, BA, CBA]
4
Internet routing security problems
  • Routers assume updates from neighbors are correct
  • Routing correctness is vulnerable to
    misconfigurations, attacks, and protocol
    ambiguities
  • There is no security guarantee in BGP
  • Secure protocols, e.g. S-BGP, are adopted slowly and
    cannot eliminate misconfigurations

5
Our approach
  • Q: Can a network locally protect against routing
    misbehavior from external networks?
  • A: A proactive scheme to correct routing updates
    locally
  • Route Normalizer
  • Sits between local router and remote router
  • Detects and corrects problems by taking advantage
    of local information

6
Outline
  • Design of Route Normalizer
  • Functionality of Route Normalizer
  • Prototype implementation and evaluation
  • Empirical results
  • Discussion

7
Route Normalizer architecture
[Figure: components and flows labelled BGP traffic; optional config input (e.g. local router configuration); optional data input (e.g. external BGP data); Route Normalizer; individual alarms; Policy Engine; policy configuration; aggregated alarm reports]
8
Design principles
  • Perform basic checking to ensure protocol
    semantic correctness
  • Make use of local network information
  • Take advantage of external information to assist
    route anomaly detection
  • Assume dominant history behavior is mostly
    correct
  • Use anomaly detection to influence route
    selection to avoid anomalous routes

9
Deployment scenario I
  • Route Normalizer observes data plane traffic
  • No configuration changes on remote router

Case I: transparent TCP proxy setup
Case II: two BGP sessions
[Figure: local router, Route Normalizer and remote router, with labels BGP session, data traffic, BGP traffic, normalized BGP traffic, and alarm reports and policy improvements]
10
Deployment scenario II
  • No data traffic traverses the Route Normalizer
  • Route Normalizer peers with both routers
  • Configuration changes on local router

[Figure: local router, Route Normalizer and remote router, with labels BGP session, data traffic, BGP traffic, normalized BGP traffic, and alarm reports and policy improvements]
11
Outline
  • Design of Route Normalizer
  • Functionality of Route Normalizer
  • Prototype implementation and evaluation
  • Empirical evaluation using BGP data
  • Discussion

12
Functionality of Route Normalizer
  • Fix violation of BGP semantics
  • Fix violation of routing policy
  • Detect routing anomalies
  • Manage load and instability

13
Fix violation of BGP semantics
  • Mal-formed BGP updates
  • Incorrect attribute values, e.g. AS level loops
  • Attributes with private information
  • Missing mandatory attribute values
  • Route Normalizer action
  • Modify or drop the updates
  • Avoid router crashes
  • Avoid ambiguity if alternate route exists
  • Generate alarms

14
Fix violations of routing policies
  • Specifying policies with best common practice
  • Export policy should follow AS relationship
    constraints
  • Next-hop AS and IP should match the BGP neighbor's
    AS and IP
  • Route Normalizer action
  • Modify or drop the updates if alternate route
    exists
  • Generate alarms

15
Detect routing anomalies
  • Anomalous routing behavior
  • Address hijacking
  • Routing inconsistency
  • Route Normalizer action
  • Drop the updates if alternate route exists
  • Generate alarms

16
Load management and instability mitigation
  • Manage router workload
  • Mitigate load due to identical routing updates
  • Mitigate against router DoS attacks
  • Mitigate instability of flapping prefixes
  • Mitigate instability of session resets
  • Route Normalizer action
  • Drop duplicate updates
  • Filter BGP attack traffic, delay updates
  • Emulate route flap damping, delay updates
  • Emulate graceful restart, delay updates

17
Outline
  • Design of Route Normalizer
  • Functionality of Route Normalizer
  • Prototype implementation and evaluation
  • Empirical evaluation using BGP data
  • Discussion

18
Prototype
  • Initialization
  • Checking path attributes
  • Anomaly detection

19
Prototype evaluation
  • Platform
  • 3 GHz Pentium IV CPU, 1.5GB memory, 100Mbps
  • System throughput
  • 77.9Mbps or 64,916 packets/sec
  • Slight degradation in throughput with more peers
  • Memory consumption
  • 20MB memory consumption for 16 days of data
  • Slight increase in memory consumption with more
    peers

20
Outline
  • Design of Route Normalizer
  • Functionality of Route Normalizer
  • Prototype implementation and evaluation
  • Empirical evaluation using BGP data
  • Discussion

21
Normalization statistics
RouteViews, Oct 2006 (based on three months of history data)
22
Known routing problems from NANOG: prefix leaking
  • Date: July 11, 2003
  • Observations: traffic from Sprint (AS 1239)
    traverses ALGX (AS 2828)'s customer.
  • Reported by Route Normalizer
  • AS path 1239 6359 14751 2828 8001 violates AS
    relationship
  • Broadwing Communications (AS 6359) did not filter
    the announcement from its customer (AS 14751), which
    was learned from another provider, AS 2828.
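
The AS-relationship check behind this report, sketched as an added example (not code from the presentation or from the Route Normalizer prototype), together with the AS-level loop check named on slide 13. The function name and alarm strings are hypothetical; the provider relationships 6359/14751 and 2828/14751 come from the slide, while 1239/6359 and 2828/8001 are assumptions made so the path can be evaluated.

```python
# Added example: AS-loop and valley-free (AS relationship) checks on a received AS path.
# (provider, customer) pairs. The first two are stated on the slide; the last two
# are assumptions made for this example.
PROVIDERS = {
    (6359, 14751),  # slide: AS 14751 is a customer of AS 6359
    (2828, 14751),  # slide: AS 2828 is another provider of AS 14751
    (1239, 6359),   # assumed
    (2828, 8001),   # assumed
}
PEERS = set()       # frozenset({a, b}) entries; none needed for this path


def check_as_path(path, providers=PROVIDERS, peers=PEERS):
    """Return alarm strings for an AS path given nearest AS first, origin last."""
    alarms = []
    # Collapse prepending (the same AS repeated back to back is legitimate).
    hops = [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]
    seen = set()
    for asn in hops:
        if asn in seen:
            alarms.append(f"as-loop {asn}")
        seen.add(asn)
    # Walk in propagation order (origin first). A valid export pattern is
    # customer->provider edges, then at most one peer edge, then only
    # provider->customer edges.
    hops.reverse()
    descending = False
    for sender, receiver in zip(hops, hops[1:]):
        if (receiver, sender) in providers:
            step = "up"        # sender is the receiver's customer
        elif (sender, receiver) in providers:
            step = "down"      # sender is the receiver's provider
        elif frozenset((sender, receiver)) in peers:
            step = "peer"
        else:
            alarms.append(f"unknown-relationship {sender}-{receiver}")
            continue
        if descending and step != "down":
            # sender re-exported a provider- or peer-learned route upward or sideways
            alarms.append(f"valley {sender}->{receiver}")
            break              # later edges only inherit the same leak
        if step != "up":
            descending = True
    return alarms


if __name__ == "__main__":
    print(check_as_path([1239, 6359, 14751, 2828, 8001]))
```

The alarm names AS 14751 as the point where a provider-learned route was exported to another provider, which is the announcement AS 6359 should have filtered.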

23
Known routing problems from NANOG: instability
  • Date: Oct. 5, 2005
  • Observations: Level 3 (AS 3356) terminated its
    peering relation with Cogent (AS 174)
  • Reported by Route Normalizer
  • From Level 3's perspective, 1063 (100) distinct
    prefixes were withdrawn from AS 174, reported as
    anomalous routing behavior

24
Outline
  • Design of Route Normalizer
  • Functionality of Route Normalizer
  • Prototype implementation and evaluation
  • Empirical evaluation using BGP data
  • Discussion

25
Discussion
  • Attacks towards Route Normalizer
  • Resource overload attacks via increasing
    routing instability
  • Assigning penalty to detect malicious peers
  • Announcing malicious long AS path to increase
    computation
  • Optimizing AS relationship checking process
  • Raising alarms
  • Deployed with centralized routing decision
    platform, e.g. RCP

26
Conclusion
  • Develop a platform for BGP traffic normalization
  • Propose the use of routing anomaly detection to
    achieve more robust routing
  • Perform extensive correlation between NANOG
    emails and anomaly detection using BGP data

27
Thank you!
  • Questions?
