  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

Design of Lightweight Alternatives to Secure Border Gateway Protocol and Mitigate against Control and Data Plane Attacks

Israr, Junaid 01 May 2012
Border Gateway Protocol (BGP) is the backbone of routing infrastructure in the Internet. In its current form, it is an insecure protocol with potential for propagation of bogus routing information. There have been several high-profile Internet outages linked to BGP in recent times. Several BGP security proposals have been presented in the literature; however, none has been adopted so far and, as a result, securing BGP remains an unsolved problem to this day. Among existing BGP security proposals, Secure BGP (S-BGP) is considered most comprehensive. However, it presents significant challenges in terms of number of signature verifications and deployment considerations. For it to provide comprehensive security guarantees, it requires all Autonomous Systems (ASes) in the Internet to adopt the scheme and participate in signature additions and verifications in BGP messages. Among others, these challenges have prevented S-BGP from being deployed today. In this thesis, we present two novel lightweight security protocols, called Credible BGP (C-BGP) and Hybrid Cryptosystem BGP (HC-BGP), which rely on security mechanisms in S-BGP but are designed to address signature verification overhead and deployment challenges associated with S-BGP. We develop original and detailed analytical and simulation models to study performance of our proposals and demonstrate that the proposed schemes promise significant savings in terms of computational overhead and security performance in presence of malicious ASes in the network. We also study the impact of IP prefix hijacking on control plane as well as data plane. Specifically, we analyze the impact of bogus routing information on Inter-Domain Packet Filters and propose novel and simple extensions to existing BGP route selection algorithm to combat bogus routing information.
2

Design of Lightweight Alternatives to Secure Border Gateway Protocol and Mitigate against Control and Data Plane Attacks

Israr, Junaid 01 May 2012
Border Gateway Protocol (BGP) is the backbone of routing infrastructure in the Internet. In its current form, it is an insecure protocol with potential for propagation of bogus routing information. There have been several high-profile Internet outages linked to BGP in recent times. Several BGP security proposals have been presented in the literature; however, none has been adopted so far and, as a result, securing BGP remains an unsolved problem to this day. Among existing BGP security proposals, Secure BGP (S-BGP) is considered most comprehensive. However, it presents significant challenges in terms of number of signature verifications and deployment considerations. For it to provide comprehensive security guarantees, it requires all Autonomous Systems (ASes) in the Internet to adopt the scheme and participate in signature additions and verifications in BGP messages. Among others, these challenges have prevented S-BGP from being deployed today. In this thesis, we present two novel lightweight security protocols, called Credible BGP (C-BGP) and Hybrid Cryptosystem BGP (HC-BGP), which rely on security mechanisms in S-BGP but are designed to address signature verification overhead and deployment challenges associated with S-BGP. We develop original and detailed analytical and simulation models to study performance of our proposals and demonstrate that the proposed schemes promise significant savings in terms of computational overhead and security performance in presence of malicious ASes in the network. We also study the impact of IP prefix hijacking on control plane as well as data plane. Specifically, we analyze the impact of bogus routing information on Inter-Domain Packet Filters and propose novel and simple extensions to existing BGP route selection algorithm to combat bogus routing information.
3

Ensuring a Valid Source and Destination for Internet Traffic

Ehrenkranz, Toby January 2012
The Internet has become an indispensable resource for today's society. It is at the center of today's business, entertainment, and social world. However, the core of our identities on the Internet, the IP addresses that are used to send and receive data throughout the Internet, are insecure. Attackers today are able to send data purporting to be from nearly any location (IP spoofing) and to reroute data destined for victims to the attackers themselves (IP prefix hijacking). Victims of these attacks may experience denial of service, misplaced blame, and theft of their traffic. These attacks are of the utmost importance since they affect the core layer of the Internet. Although the mechanisms of the attacks are different, they are essentially different sides of the same coin; spoofing attacks forge the identity of the sender, while hijacking attacks forge the identity of the receiver. They revolve around the same underlying lack of a secure identity on the Internet. This research reviews the existing state of the art IP spoofing and IP prefix hijacking research and proposes new defenses to close the missing gaps and provide a new level of security to our identities on the Internet. This material is based upon work supported by the National Science Foundation under Grants No. CNS-0520326 and CNS-1118101. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation. This dissertation includes both previously published/unpublished and co-authored material.
4

Design of Lightweight Alternatives to Secure Border Gateway Protocol and Mitigate against Control and Data Plane Attacks

Israr, Junaid January 2012
Border Gateway Protocol (BGP) is the backbone of routing infrastructure in the Internet. In its current form, it is an insecure protocol with potential for propagation of bogus routing information. There have been several high-profile Internet outages linked to BGP in recent times. Several BGP security proposals have been presented in the literature; however, none has been adopted so far and, as a result, securing BGP remains an unsolved problem to this day. Among existing BGP security proposals, Secure BGP (S-BGP) is considered most comprehensive. However, it presents significant challenges in terms of number of signature verifications and deployment considerations. For it to provide comprehensive security guarantees, it requires all Autonomous Systems (ASes) in the Internet to adopt the scheme and participate in signature additions and verifications in BGP messages. Among others, these challenges have prevented S-BGP from being deployed today. In this thesis, we present two novel lightweight security protocols, called Credible BGP (C-BGP) and Hybrid Cryptosystem BGP (HC-BGP), which rely on security mechanisms in S-BGP but are designed to address signature verification overhead and deployment challenges associated with S-BGP. We develop original and detailed analytical and simulation models to study performance of our proposals and demonstrate that the proposed schemes promise significant savings in terms of computational overhead and security performance in presence of malicious ASes in the network. We also study the impact of IP prefix hijacking on control plane as well as data plane. Specifically, we analyze the impact of bogus routing information on Inter-Domain Packet Filters and propose novel and simple extensions to existing BGP route selection algorithm to combat bogus routing information.
5

Beware of IPs in Sheep's Clothing: Measurement and Disclosure of IP Spoofing Vulnerabilities

Hilton, Alden Douglas 25 October 2021
Networks not employing destination-side source address validation (DSAV) expose themselves to a class of pernicious attacks which could be prevented by filtering inbound traffic purporting to originate from within the network. In this work, we survey the pervasiveness of networks vulnerable to infiltration using spoofed addresses internal to the network. We issue recursive Domain Name System (DNS) queries to a large set of known DNS servers world-wide using various spoofed-source addresses. In late 2019, we found that 49% of the autonomous systems we tested lacked DSAV. After a large-scale notification campaign run in late 2020, we repeated our measurements in early 2021 and found that 44% of ASes lacked DSAV--though importantly, as this is an observational study, we cannot conclude causality. As case studies illustrating the dangers of a lack of DSAV, we measure susceptibility of DNS resolvers to cache poisoning attacks and the NXNS attack, two attacks whose attack surface is significantly reduced when DSAV is in place. We discover 309K resolvers vulnerable to the NXNS attack and 4K resolvers vulnerable to cache poisoning attacks, 70% and 59% of which would have been protected had DSAV been in place.
6

Securing SDN Data Plane: Investigating the effects of IP Spoofing Attacks on SDN Switches and its Mitigation: Simulation of IP spoofing using Mininet

JABBU, SHIVAKUMAR YADAV, MADIRAJU, ANIRUDH SAI January 2023
Background: Software-Defined Networking (SDN) represents a network architecture that offers a separate control and data layer, facilitating its rapid deployment and utilization for diverse purposes. However, despite its ease of implementation, SDN is susceptible to numerous security attacks, primarily stemming from its centralized nature. Among these threats, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks pose the most substantial risks. In the event of a successful attack on the SDN controller, the entire network may suffer significant disruption. Hence, safeguarding the controller becomes crucial to ensure the integrity and availability of the SDN network. Objectives: This thesis focuses on examining the IP spoofing attack and its impact on the Data Plane, particularly concerning the metrics of an SDN switch. The investigation centers around attacks that manipulate flow-rules to amplify the number of rules and deplete the resources of a switch within the Data Plane of an SDN network. To conduct the study, a software-defined network architecture was constructed using Mininet, with a Ryu controller employed for managing network operations. Various experiments were carried out to observe the response of the SDN system when subjected to an IP spoofing attack, aiming to identify potential mitigation strategies against such threats. Method and Results: To simulate the resource exhaustion scenario on the SDN network’s Data Plane, we deliberately triggered an escalation in the number of flow-rules installed in the switch. This was achieved by sending packets with spoofed IP addresses, thereby exploiting the switch’s limited resources. Specifically, we focused on monitoring the impact on CPU utilization, storage memory, latency, and throughput within the switch. Detailed findings were presented in the form of tables, accompanied by graphical representations to visually illustrate the effects of increasing flow rules on the switches.
Furthermore, we explored potential mitigation measures by developing an application that actively monitors the flow rules on the Ryu controller, aiming to detect and counteract such resource-exhausting effects.
7

A Prevention Technique for DDoS Attacks in SDN using Ryu Controller Application

Adabala, Yashwanth Venkata Sai Kumar, Devanaboina, Lakshmi Venkata Raghava Sudheer January 2024
Software Defined Networking (SDN) modernizes network control, offering streamlined management. However, its centralized structure makes it more vulnerable to distributed Denial of Service (DDoS) attacks, posing serious threats to network stability. This thesis explores the development of a DDoS attack prevention technique in SDN environments using the Ryu controller application. The research aims to address the vulnerabilities in SDN, particularly focusing on flooding and Internet Protocol (IP) spoofing attacks, which are a significant threat to network security. The study employs an experimental approach, utilizing tools like Mininet-VM (Virtual Machine), Oracle VM VirtualBox, and hping3 to simulate a virtual SDN environment and conduct DDoS attack scenarios. Key methodologies include packet sniffing and rule-based detection by integrating Snort IDS (Intrusion Detection System), which is critical for identifying and mitigating such attacks. The experiments demonstrate the effectiveness of the proposed prevention technique, highlighting the importance of proper configuration and integration of network security tools in SDN. This work contributes to enhancing the resilience of SDN architectures against DDoS attacks, offering insights into future developments in network security.
