
Internet Control Plane Security and Historical Botnet Creation Trends
Explore the concept of Internet control plane security, the historical trends of botnet creation, misconfigurations and redirection incidents, a massive DDoS attack, and discussions on how to crash or save the Internet by prominent researchers. Learn about key events and challenges affecting the stability and security of the Internet.
Presentation Transcript
Internet Control Plane Security. Yongdae Kim, KAIST.
Two Planes
- Data plane: the actual data delivery.
- Control plane: everything that supports data delivery (efficiently, reliably, etc.), for example the exchange of routing information. In some sense every protocol other than data delivery itself is a control plane protocol.
- Example networks: peer-to-peer networks, cellular networks, the Internet.
Historical List of Botnet Creation
Created   Name        # of Bots    Spam          Control
2004      Bagle       230K         5.7 B/day     Centralized
2007      Storm       >1,000K      3 B/day       P2P
2008      Mariposa    12,000K      ?             Centralized
2008      Waledac     80K          ?             Centralized
2008      Conficker   >10,000K     10 B/day      Centralized/P2P
2009?     Mega-D      4,500K       10 B/day      Centralized
2009?     Zeus        >3,600K      ?             Centralized
2009      BredoLab    30,000K      3.6 B/day     (not listed)
2010      TDL4        4,500K       ?             P2P
Misconfigurations and Redirection
- 1997: AS7007 claimed the shortest path to the whole Internet, causing an Internet black hole.
- 2004: TTNet (AS9121) claimed the shortest path to the whole Internet; the outage lasted for several hours.
- 2006: AS27056 "stole" several important prefixes on the Internet, from Martha Stewart Living to The New York Daily News.
- 2008: Pakistan decided to block YouTube; one ISP advertised a small part of YouTube's (AS36561) network to the rest of the Internet.
- 2010: China: 15% of all Internet traffic was routed through China for 18 minutes, including .mil and .gov domains.
- 2011: China: all traffic from US iPhones to Facebook was routed through China and Korea.
300 Gbps DDoS
- A 300 Gbps DDoS against Spamhaus by Stophaus; mitigated by CloudFlare using anycast.
- Stophaus then turned its targets to IXes (Internet Exchanges).
- For scale, the international (world IX) bandwidth of the Korean ISPs: KT 560 Gbps, SKB 235 Gbps, LGU+ 145 Gbps, SKT 100 Gbps; about 1 Tbps in total.
How to Crash (or Save) the Internet? Max Schuchard, Eugene Vasserman, Abedelaziz Mohaisen, Denis Foo Kune, Nicholas Hopper, Yongdae Kim
Losing Control of the Internet: Using the Data Plane to Attack the Control Plane. Network and Distributed System Security Symposium (NDSS) 2011.
Press coverage:
- ZDNet: "How to crash the Internet"
- Star Tribune: "His thesis: How to crash the Internet"
- New Scientist: "The cyberweapon that could take down the internet"
- The Register: "Boffins devise 'cyberweapon' to take down internet"
- CBS: "Prof. Says New Cyberweapon Could Take Down the Internet"
Shutting Down the Internet
- Fast-propagating worms: CodeRed, Slammer.
- Router misconfiguration: AS7007.
- 2011, Egypt and Libya: an Internet kill switch.
- The US government discussing an Internet Kill Switch bill for emergency situations.
Other Internet Control Plane News
- February 2008: all YouTube traffic directed to Pakistan.
- April 2010: 15% of all Internet traffic routed through China for 18 minutes (including .mil and .gov domains).
- March 2011: all traffic from US iPhones to Facebook routed through China and Korea.
Losing Control
- An attack on the Internet's control plane: overwhelm routers with BGP updates.
- Launched using only a botnet.
- Defenses are non-trivial.
- Different from a DDoS on web servers.
Attack Model
- No router compromise or misconfiguration is assumed; the attack does not depend on defeating BGPSEC or similar technologies.
- Our attack model: an unprivileged adversary who can generate only data plane events, does not control any BGP speaker, and has a botnet of reasonable size (50k, 100k, 250k or 500k nodes).
Can we shut down the Internet using only data plane events? How many control plane events can be generated by the data plane events that a coordinated set of compromised computers causes?
AS, BGP and the Internet
- AS (Autonomous System). Core AS: high degree of connectivity. Fringe AS: very low degree of connectivity, sitting at the outskirts of the Internet. Transit AS: a core AS that agrees to forward traffic to and from other ASes.
- BGP (Border Gateway Protocol): the de facto standard routing protocol spoken by routers that connect different ASes. BGP is a path vector routing protocol: routers maintain a table of AS paths to every destination, and policies decide which AS paths are preferred over others.
[Figure: path-vector propagation. A originates 1.0.0.0/8; B learns Path: B, A and C learns Path: C, A; D learns Path: D, B, A and E learns Path: E, C, A. After a change, B also holds Path: B, C, A, D also holds Path: D, C, A, and E also holds Path: E, B, A as alternatives.]
How does the attacker pick links? How does the attacker direct traffic?
[Figure: the same topology with UPDATE messages propagating between B, C, D and E after a link is disrupted.]
[Figure: the five-AS example with each link labelled by its betweenness (values shown: 2, 4, 7, 8, 11) and each AS labelled with the AS paths it uses: A {AB, AC, ABE, ABD}, B {BA, BC, BD, BE}, C {CA, CB, CD, CE}, D {DB, DBA, DBAC, DBE}, E {EB, EBA, EBAC, EBD}.]
Link betweenness, used to rank links as targets: $C_B(e) = \sum_{s \neq t \in V} \frac{\sigma_{st}(e)}{\sigma_{st}}$, where $\sigma_{st}$ is the number of paths from $s$ to $t$ and $\sigma_{st}(e)$ the number of those that traverse link $e$. With a single BGP path per (s, t) pair this is simply the number of AS pairs whose $\mathrm{path}_{st}$ crosses $e$.
[Figure: spreading attack flows across the example topology.]
[Figure: one target link per attack flow.]
Simulation Overview
- A simulator to model network dynamics.
- Topology generated from the Internet.
- Routers are fully functional BGP speakers.
- Bot distribution taken from Waledac.
- Bandwidth model: worst case for the attacker.
Link classes:
- Targeted link: any link selected for disruption.
- Last mile link: an un-targeted link that connects a fringe AS to the rest of the network.
- Transit link: any link that does not fit the other two.
[Figure: bar chart of the percent of failed links (0 to 100%) per class: last mile, targeted, critical.]
[Figure: CDF of router load under attack, expressed as factors of normal load (0 to 3000), for botnets of 64k, 125k, 250k and 500k nodes.]
[Figure: CDF of the 90th percentile of message loads experienced by routers under attack, in thousands of messages per 5 seconds (0 to 1200), for 64k, 125k, 250k and 500k nodes.]
[Figure: core routers' update time: average time to process BGP updates (minutes, 0 to 200) against simulated time (0 to 1200 s), for 64k, 125k, 250k and 500k bots.]
Possible Defenses
- Short term: Hold Time = MaxInt.
- Long term: perfect QoS.
[Figure: Hold Time = MaxInt deployed at 0%, 10%, 25% and 50% of routers: CDF of factors of normal load (0 to 2000).]
[Figure: Hold Time = MaxInt at 0% and 10% deployment: average time to process BGP updates (minutes, 0 to 120) against simulated time (0 to 1200 s).]
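How a data-plane event becomes a control-plane event, and why the Hold Time = MaxInt defence stops it, as an added example that is not from the slides: a deterministic model of one BGP session over a link that attack flows saturate during given windows. Assumptions: every keepalive sent during a saturated window is lost (its TCP retransmissions too), the hold timer is checked at keepalive granularity, and the session re-establishes instantly. The timer values and attack windows are constructed input.

```python
"""One BGP session under data-plane congestion (added example, not from the slides).

Model: the attacker's flows saturate the link during the windows in `saturated`;
every keepalive that falls in such a window is lost (TCP retransmissions too, a
simplification), and the session resets when its hold timer expires. Timer
values are constructed input.
"""

KEEPALIVE_S = 30          # RFC 4271 suggests keepalive = hold time / 3
HOLD_S = 90
MAXINT = float("inf")     # "Hold Time = MaxInt": the timer never expires


def simulate_session(duration_s, saturated, hold_s=HOLD_S, keepalive_s=KEEPALIVE_S):
    """Return the times at which the hold timer expires (session resets).

    `saturated` is a list of (start, end) intervals in seconds during which the
    link is full and keepalives are dropped.
    """
    def keepalive_lost(t):
        return any(start <= t < end for start, end in saturated)

    resets = []
    last_rx = 0                   # time of the last keepalive received
    t = keepalive_s
    while t <= duration_s:
        if not keepalive_lost(t):
            last_rx = t
        elif t - last_rx >= hold_s:
            resets.append(t)      # hold timer expired: session torn down, routes
            last_rx = t           # learned over it withdrawn, then re-established
        t += keepalive_s
    return resets


def pulses(period_s, on_s, duration_s):
    """Constructed attack schedule: saturate the link for on_s out of every period_s."""
    return [(start, start + on_s) for start in range(0, duration_s, period_s)]


def churn_updates(resets, routes_over_session):
    """Withdrawals plus re-advertisements the peer must process for these resets."""
    return 2 * routes_over_session * len(resets)


if __name__ == "__main__":
    long_pulses = pulses(180, 120, 540)    # 120 s on, 60 s off: outlasts the hold time
    short_pulses = pulses(120, 60, 540)    # 60 s on: never outlasts the hold time
    print("default timers, 120 s pulses:", simulate_session(540, long_pulses))
    print("default timers,  60 s pulses:", simulate_session(540, short_pulses))
    print("hold = MaxInt,  120 s pulses:", simulate_session(540, long_pulses, hold_s=MAXINT))
    print("updates per 1000 routes:", churn_updates(simulate_session(540, long_pulses), 1000))
```

Two things the model makes visible: the attacker must keep a link saturated for longer than the hold time before the data plane touches the control plane at all, so 60-second pulses against a 90-second hold timer produce no resets; and an infinite hold time removes the coupling entirely, at the price of never noticing a peer that has genuinely died, which is why the slides call it a short-term defence.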
Perfect QoS
- Needs to guarantee that control packets are always sent.
- Does not guarantee that they will be processed, because of oversubscription at the receiver.
- Recommendation: (virtually) separate the control and data planes; apply sender-side QoS; receiving nodes must process control packets at line speed.
Conclusion
- Adversarial route flapping on an Internet scale.
- Implemented using only a modest botnet.
- Defenses are non-trivial, but incrementally deployable.
Future Work (in progress)
- Cascaded failure.
- Router failure modeling.
- Attacks using remotely compromised routers.
- Targeted attack: an Internet kill switch.
- Router design for the future Internet: a software router?
BGP Stress Test
- Routers placed in certain states fail to provide the functionality they should.
- Unexpected but perfectly legal BGP messages can place routers into those states.
- Any assumptions about the likelihood of encountering these messages do not apply under adversarial conditions.
- Peer Pressure: Exerting Malicious Influence on Routers at a Distance, Max Schuchard, Christopher Thompson, Nicholas Hopper and Yongdae Kim, ICDCS 2013.
Attacking Neighborhood (Memory)
- How many BGP updates are needed to consume 1 GB of router memory? About 2,000,000 plain BGP updates are needed for this attack.
- With distinct, long AS paths and community attributes, 300,000 BGP updates are enough.
Attacking Neighborhood (CPU): hash collisions make the router spend more processing time per update.
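For the memory attack above, as an added example that is not the paper's code: a minimal RFC 4271 UPDATE encoder and parser in Python that shows how much attribute state a single update can carry when its AS_PATH (4-octet ASNs, RFC 6793) is long and it carries many COMMUNITIES values (RFC 1997), within the 4096-byte message limit. The ASNs, community values, next hop and prefix are constructed. Sizes are wire bytes; a router's per-path memory layout is implementation-specific, so the numbers illustrate the scaling, not the slide's 300,000-update figure.

```python
"""Minimal BGP UPDATE encoder/parser (added example, not the paper's code).

Shows how the attribute payload of one UPDATE grows with AS_PATH length and
the number of COMMUNITIES, within the RFC 4271 4096-byte message limit.
All ASNs, community values, next hop and prefixes used here are constructed.
"""
import struct

BGP_MAX_MSG = 4096
TYPE_UPDATE = 2
ORIGIN, AS_PATH, NEXT_HOP, COMMUNITIES = 1, 2, 3, 8           # attribute type codes
FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_EXT_LEN = 0x80, 0x40, 0x10
AS_SEQUENCE = 2


def attribute(flags, code, value):
    """Path attribute TLV; uses the 2-octet extended length when the value needs it."""
    if len(value) > 255:
        return struct.pack("!BBH", flags | FLAG_EXT_LEN, code, len(value)) + value
    return struct.pack("!BBB", flags, code, len(value)) + value


def as_path(asns):
    """AS_PATH of AS_SEQUENCE segments, 4-octet ASNs (RFC 6793), max 255 per segment."""
    segments = b""
    for i in range(0, len(asns), 255):
        chunk = asns[i:i + 255]
        segments += struct.pack("!BB", AS_SEQUENCE, len(chunk))
        segments += b"".join(struct.pack("!I", a) for a in chunk)
    return attribute(FLAG_TRANSITIVE, AS_PATH, segments)


def ipv4(dotted):
    return bytes(int(o) for o in dotted.split("."))


def nlri(prefix, length):
    """NLRI: prefix length octet followed by the minimal number of prefix octets."""
    return bytes([length]) + ipv4(prefix)[:(length + 7) // 8]


def update_message(asns, comms, next_hop, prefixes):
    attrs = attribute(FLAG_TRANSITIVE, ORIGIN, b"\x00")              # ORIGIN = IGP
    attrs += as_path(asns)
    attrs += attribute(FLAG_TRANSITIVE, NEXT_HOP, ipv4(next_hop))
    if comms:
        attrs += attribute(FLAG_OPTIONAL | FLAG_TRANSITIVE, COMMUNITIES,
                           b"".join(struct.pack("!I", c) for c in comms))
    body = struct.pack("!HH", 0, len(attrs)) + attrs                 # no withdrawn routes
    body += b"".join(nlri(p, l) for p, l in prefixes)
    msg = b"\xff" * 16 + struct.pack("!HB", 19 + len(body), TYPE_UPDATE) + body
    if len(msg) > BGP_MAX_MSG:
        raise ValueError(f"UPDATE is {len(msg)} bytes, over the {BGP_MAX_MSG}-byte limit")
    return msg


def parse_update(msg):
    """Walk the attributes of an UPDATE; return AS_PATH length, community and NLRI counts."""
    if msg[:16] != b"\xff" * 16 or msg[18] != TYPE_UPDATE:
        raise ValueError("not a BGP UPDATE")
    if struct.unpack("!H", msg[16:18])[0] != len(msg):
        raise ValueError("length field does not match message size")
    pos = 19
    withdrawn_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2 + withdrawn_len
    attr_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2
    end = pos + attr_len
    info = {"as_path": 0, "communities": 0, "nlri": 0}
    while pos < end:
        flags, code = msg[pos], msg[pos + 1]
        if flags & FLAG_EXT_LEN:
            alen = struct.unpack("!H", msg[pos + 2:pos + 4])[0]
            pos += 4
        else:
            alen = msg[pos + 2]
            pos += 3
        value = msg[pos:pos + alen]
        pos += alen
        if code == AS_PATH:
            i = 0
            while i < len(value):           # segment type, ASN count, count x 4 octets
                info["as_path"] += value[i + 1]
                i += 2 + 4 * value[i + 1]
        elif code == COMMUNITIES:
            info["communities"] = len(value) // 4
    while pos < len(msg):
        info["nlri"] += 1
        pos += 1 + (msg[pos] + 7) // 8
    return info


if __name__ == "__main__":
    prefix = [("198.51.100.0", 24)]
    plain = update_message([64500, 64501, 64502], [], "192.0.2.1", prefix)
    bloated = update_message(list(range(64512, 65012)),
                             [(64512 << 16) | i for i in range(400)], "192.0.2.1", prefix)
    print("plain UPDATE:  ", len(plain), "bytes", parse_update(plain))
    print("bloated UPDATE:", len(bloated), "bytes", parse_update(bloated))
```

A plain three-hop update for one /24 is 55 bytes on the wire; the same prefix with a 500-ASN path and 400 communities is 3650 bytes, still a legal message under the 4096-byte limit, and each such path the receiver accepts has to be stored with all of those attributes attached. That is the lever behind the slide's drop from about two million updates to 300,000, and the parser above is the kind of check a receiver can run to bound attribute sizes before allocating for them.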
Questions? Yongdae Kim. Email: yongdaek@kaist.ac.kr. Home: http://syssec.kaist.ac.kr/~yongdaek. Facebook: https://www.facebook.com/y0ngdaek. Twitter: https://twitter.com/yongdaek. Or search for "Yongdae Kim".