JISSec 3(2) 2007
Journal of Information System
A Framework to Facilitate Forensic Investigation of Falsely Advertised
Indrajit Ray, Eunjong Kim, Daniel Massey
Computer Science Department, Colorado State University, Fort Collins, CO 80523
Nearly all network applications rely on the global Internet routing infrastructure to compute routes and deliver packets. Unfortunately, false Internet routes can be maliciously introduced with relative ease into the routing infrastructure, because the Border Gateway Protocol (BGP), the Internet's global routing protocol, lacks basic authentication and monitoring functionality. If false routes are introduced, packet forwarding can collapse entirely, leading to denial of service or misdirected traffic. Currently, it is impossible to prevent such malicious injection of false traffic routes. We believe that the ability to identify false paths through efficient validation, proper recording and forensic analysis of routing data will considerably help in the prosecution of the miscreant and will act as a strong deterrent. In this work we propose such a mechanism. We use ICMP (Internet Control Message Protocol) traceback messages carrying AS-PATH information and link connectivity information for each path. The overhead of our path verification technique is proportional to the amount of traffic carried on a path; the technique uses an efficient off-line verification procedure with which each router independently and dynamically maintains a local database, and it allows a destination to monitor its routes, detect false paths used by remote sites, and record routing data for later forensic analysis in the event of an attack. Last but not least, our approach does not require modifications to the BGP protocol and hence can be easily deployed.
Keywords: Internet routing, security, routing forensics, Border Gateway Protocol, ICMP traceback
The Internet plays an increasingly important role in commerce, government, and personal communication. A large-scale attack or even an unintended operational error can seriously disrupt critical services and have a major impact on the economy. In response, a variety of end-system security techniques such as encrypted connections and virtual private networks (VPNs) have evolved. However, almost all such systems rely on the unsecured Internet infrastructure to compute routes and deliver packets. If the Internet infrastructure fails to deliver data packets, there is very little the end systems can do to recover. In this paper, we examine techniques for detecting invalid routes in the Internet infrastructure and present an effective approach for gathering and extracting routing data from the network that can be used later for forensic analysis.
At the global infrastructure level, the Internet consists of thousands of AUTONOMOUS SYSTEMS (AS) (Braun 1989; Hawkinson and Bates 1996). An AS can be viewed as a group of links and routers that are under the same administrative control. Each AS is assigned a unique number. For example, Colorado State University is AS 12145 and AT&T is AS 7018. There are currently over 18,000 active Autonomous Systems on the Internet (Bates et al. 2006). The Autonomous Systems are ultimately responsible for routing traffic through the Internet. The BORDER GATEWAY PROTOCOL (BGP) (Rekhter and Li 1995) is the de facto inter-AS routing protocol; it is used to exchange reachability information between Autonomous Systems. BGP is designed to cope with events that alter the structure of the Internet, such as the addition of new links and new Autonomous Systems, the failure (temporary or long lasting) of links, and changes in routing policies (Stewart 1999). However, BGP presents several interesting challenges for path validation and routing forensics.
BGP contains very limited security mechanisms (Murphy 2004) and implicitly assumes that routers advertise valid information. For example, suppose that AS 12145 (Colorado State University) incorrectly (maliciously) reports that it has a direct connection to www.largecompany.com. Other BGP routers (at least those in AS 12145's neighborhood) will believe this route, and portions of the Internet will select this path as the best route to www.largecompany.com. When traffic arrives at AS 12145, the packets may simply be dropped, or someone may attempt to imitate (spoof) the www.largecompany.com website. As a result of this false route, www.largecompany.com may notice a significant drop in traffic. However, it will not be able to identify the reason for this lost traffic. If AS 12145 later withdraws its false route, BGP routers at some point will simply switch back to the valid path. Unfortunately, it will take a considerably long time for the changes to propagate throughout the Internet. In addition, owing to the large number of BGP destinations and the large volume of BGP routing changes, a particular BGP path change is unlikely to trigger any alarms at remote sites. Thus such false announcements of BGP paths (whether unintentional or malicious) have the potential to cause significant damage to the affected sites.
Note that the above problem is not at all hypothetical. One such failure occurred on April 25, 1997 (Barrett, Haar and Whitestone 1997). A small Internet service provider (ISP) in Virginia, USA, had a misconfigured BGP router that injected incorrect routing information into the Internet. The injected information claimed that the particular ISP had the optimal connectivity to all other Internet destinations. As a result, a major portion of the Internet traffic was delivered to this ISP. It overwhelmed the ISP's router and a number of intermediate ones that forwarded packets to the misconfigured router, and effectively crippled the Internet for almost two hours.
In this paper, we present an approach for monitoring, gathering and validating the route information to a destination. Our technique enables each AS to determine if an advertised route to itself is a valid one. Briefly, the technique works as follows. Suppose AS1 has incorrect path information for destination AS2. This can be owing to one of several causes, such as malicious advertisement of wrong path information by a neighboring AS of AS1, or misconfiguration at AS1, and so on. With our approach, AS2 will know within a short amount of time that AS1 has incorrect path information about AS2. In addition, AS2 has the potential to know what other Autonomous Systems have invalid path information about itself. If AS1 (or the other Autonomous Systems) is reachable from AS2, then AS2 can alert these ASes about the incorrect information (via some protocol which is, however, outside the scope of the current work).
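The following is an added illustration, not code from the paper, of the check the destination AS performs once traceback reports arrive: each report carries the AS-PATH a data packet actually traversed, and the destination compares every hop against its local link-connectivity database, flagging the source AS of any packet that followed a path it cannot account for. All AS numbers, links and report contents below are constructed; the AS 12145 hop mirrors the paper's own false-adjacency scenario, and the message and database formats are assumptions of this example.

```python
"""Added example: flagging falsely advertised paths from traceback reports.

The destination AS keeps a database of AS-level links it believes to be
real (its own adjacencies plus links confirmed by earlier validated
reports).  A reported AS-PATH is accepted only if it terminates at the
destination, contains no loop, and every consecutive pair of ASes is a
known link.  Anything else goes into the forensic log together with the
source AS whose traffic used the bad path.
"""
from dataclasses import dataclass

DEST_AS = 64500  # constructed: the AS running the monitor

# Constructed link-connectivity database (undirected AS adjacencies).
# Note that 12145 is known to reach DEST_AS only through 7018.
KNOWN_LINKS = {
    frozenset((64500, 7018)),
    frozenset((64500, 64501)),
    frozenset((7018, 3356)),
    frozenset((3356, 64510)),
    frozenset((64501, 64511)),
    frozenset((12145, 7018)),
}


@dataclass
class TracebackMsg:
    """Assumed shape of an enhanced traceback report (constructed)."""
    source_as: int   # AS of the host whose data packet triggered the report
    as_path: list    # AS-PATH observed along the forwarding path
    ts: float        # arrival time, kept for the forensic record


@dataclass
class Finding:
    source_as: int
    as_path: list
    reason: str
    ts: float


def validate_path(as_path, known_links, dest_as=DEST_AS):
    """Return None if the path agrees with the link database, otherwise a
    short reason describing the first inconsistency found."""
    if not as_path or as_path[-1] != dest_as:
        return "path does not terminate at destination"
    if len(set(as_path)) != len(as_path):
        return "AS-PATH contains a loop"
    for a, b in zip(as_path, as_path[1:]):
        if frozenset((a, b)) not in known_links:
            return f"unknown link {a}-{b}"
    return None


def process_tracebacks(msgs, known_links, dest_as=DEST_AS):
    """Validate each report and return the forensic log of findings."""
    log = []
    for m in msgs:
        reason = validate_path(m.as_path, known_links, dest_as)
        if reason:
            log.append(Finding(m.source_as, list(m.as_path), reason, m.ts))
    return log


def demo():
    """Run the validator over constructed reports: one legitimate path and
    one in which AS 12145 appears directly adjacent to the destination."""
    reports = [
        TracebackMsg(64510, [64510, 3356, 7018, 64500], 1.0),
        TracebackMsg(64511, [64511, 64501, 64500], 2.0),
        TracebackMsg(64510, [64510, 3356, 7018, 12145, 64500], 3.0),
    ]
    return process_tracebacks(reports, KNOWN_LINKS)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.ts:>5}: source AS {f.source_as} used {f.as_path}: {f.reason}")
```

The log records the source AS, so the destination learns not only that a false path exists but which remote sites are currently forwarding through it, which is exactly the information it needs before alerting them.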
Our approach is based on exploiting the ICMP (Internet Control Message Protocol) traceback message (Bellovin 2000). As data packets flow through routers, occasional packets trigger the generation of an ICMP traceback message. These traceback messages allow a destination to reconstruct the path used to reach the destination. Unlike other approaches that attempt to monitor or validate all paths, we focus on paths that are actively carrying data traffic. There are almost 18,000 different ASes that have some path to a particular AS (based on the current number of ASes (Bates, Smith and Huston 2006)), but relatively few of these sites may be actively sending data traffic. (If a host within a particular AS is not communicating with another host in a different AS at a particular instance, then there is no packet flowing between these two ASes.) By exploiting the ICMP traceback mechanism, we only send monitoring and validation messages for paths that are actively in use. We enhance the ICMP traceback message with AS-PATH information and link connectivity information. Since there can be malicious ASes along the AS-PATH that can potentially modify this information, we also send a copy of each traceback message dispersed into fragments along some n (ideally disjoint) paths. The dispersal process is such that if any m of the n fragments reach the destination, the entire traceback message can be reconstructed. This reduces the probability that packets are unavailable because they were (maliciously or otherwise) dropped or corrupted. The net result allows a router to dynamically keep track of paths used to reach the destination, monitor routing changes for the actively used paths to this destination, and provide a log that can be used to reconstruct routes in the event of a suspected attack.
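As an added worked example (not the paper's own dispersal code, whose exact encoding the text does not specify), the following implements the "any m of n fragments" property with polynomial interpolation over a small prime field: each m-byte chunk of the traceback message is treated as the values of a degree-(m-1) polynomial at x = 0..m-1, fragment k carries the polynomial evaluated at x = m+k, and any m fragments determine the polynomial and hence the original bytes. The choice of field, the x-coordinates and the sample message are assumptions of this example.

```python
"""Added example: (m, n) threshold dispersal of a traceback message.

A message is cut into m-byte chunks.  For each chunk the m bytes are the
values of the unique polynomial of degree < m through the points
(0, b0), (1, b1), ..., (m-1, b[m-1]) over GF(257).  Fragment k stores the
polynomial evaluated at x = m + k for every chunk.  Any m distinct
fragments pin down the polynomial, so Lagrange interpolation back to
x = 0..m-1 recovers the bytes; fewer than m fragments reveal nothing
about the missing degrees of freedom and cannot reconstruct.
"""

P = 257  # smallest prime that holds every byte value 0..255


def _lagrange_at(points, x):
    """Evaluate the polynomial of degree < len(points) through the given
    (xi, yi) pairs at x, over GF(P).  All xi must be distinct."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def disperse(data: bytes, m: int, n: int):
    """Split data into n fragments of which any m reconstruct it.
    Returns (fragments, original_length); a fragment is (x, [values])."""
    if not 1 <= m <= n or m + n > P:
        raise ValueError("need 1 <= m <= n and m + n <= P")
    padded = data + bytes(-len(data) % m)  # zero-pad to a chunk boundary
    frags = [[] for _ in range(n)]
    for off in range(0, len(padded), m):
        pts = [(i, padded[off + i]) for i in range(m)]
        for k in range(n):
            frags[k].append(_lagrange_at(pts, m + k))
    return [(m + k, frags[k]) for k in range(n)], len(data)


def reconstruct(fragments, m: int, length: int) -> bytes:
    """Rebuild the message from any m fragments (x, [values])."""
    if len(fragments) < m:
        raise ValueError("need at least m fragments")
    chosen = fragments[:m]
    out = bytearray()
    for c in range(len(chosen[0][1])):
        pts = [(x, vals[c]) for x, vals in chosen]
        out.extend(_lagrange_at(pts, i) for i in range(m))
    return bytes(out[:length])


def roundtrip_ok(data: bytes, m: int, n: int, keep) -> bool:
    """Disperse, keep only the fragment indices in `keep`, reconstruct,
    and report whether the original message came back intact."""
    frags, length = disperse(data, m, n)
    subset = [frags[i] for i in keep]
    return reconstruct(subset, m, length) == data


if __name__ == "__main__":
    # Constructed traceback payload: an AS-PATH as carried in the message.
    msg = b"AS-PATH 64510 3356 7018 64500"
    print("3 of 5 fragments:", roundtrip_ok(msg, 3, 5, [0, 2, 4]))
    try:
        roundtrip_ok(msg, 3, 5, [1, 3])
    except ValueError as e:
        print("2 of 5 fragments:", e)
```

Because an adversary on one path sees only its own fragment, it can drop or corrupt that fragment but cannot learn or alter the whole message unless it controls at least m of the n paths, which is why the paper asks for the paths to be as disjoint as possible. Note that the scheme recovers from missing fragments; detecting a corrupted fragment that does arrive is a separate concern the text assigns to the message's own integrity protection.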
Our goal in this paper is to develop a protocol that allows forensic investigation of falsely advertised BGP routes. Automatically extracting enough routing information from the network to identify the reason for lost traffic (namely, that it has been triggered by some AS announcing invalid path information) is quite challenging with current techniques. Nonetheless, such a facility is extremely useful. Our approach is one step in this direction. It can form the basis of an alarm-triggering mechanism that significantly increases the effectiveness of infrastructure administration. As a side effect, our approach provides a more fault-tolerant, fault-resilient, reliable and secure BGP routing protocol for the entire Internet infrastructure.
The rest of the paper is organized as follows. In the next section, we provide a brief overview of the BGP threat model. Section 3 reviews some of the better-known solutions proposed by other groups. Section 4 describes our approach, and in Section 5 we summari