ABSTRACT
In this paper we describe a system that allows the real time creation of firewall rules in response to geographic and political changes in the control-plane. This allows an organization to mitigate data exfiltration threats by analyzing Border Gateway Protocol (BGP) updates and blocking packets from being routed through problematic jurisdictions. By inspecting the autonomous system paths and referencing external data sources about the autonomous systems, a BGP participant can infer the countries that traffic to a particular destination address will traverse. Based on this information, an organization can then define constraints on its egress traffic to prevent sensitive data from being sent via an untrusted region. In light of the many route leaks and BGP hijacks that occur today, this offers a new option to organizations willing to accept reduced availability over the risk to confidentiality. Similar to firewalls that allow organizations to block traffic originating from specific countries, our approach allows blocking outbound traffic from transiting specific jurisdictions. To illustrate the efficacy of this approach, we provide an analysis of paths to various financial services IP addresses over the course of a month from a single BGP vantage point that quantifies the frequency of path alterations resulting in the traversal of new countries. We conclude with an argument for the utility of country-based egress policies that do not require the cooperation of upstream providers.
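As an added illustration of the inference the abstract describes (not the paper's own code), the following Python derives the jurisdictions an AS path crosses, reports route changes that newly traverse a country, and turns a jurisdiction deny list into an egress decision. It assumes a constructed AS-to-country table, an example deny list, and a constructed update feed in `<date> <prefix> <as-path>` form; a real deployment would take the AS-to-country data from an external registry or geolocation source, as the abstract notes.

```python
# Added illustration, not the paper's own code: infer the jurisdictions an
# egress path crosses from a BGP AS_PATH, flag updates that newly cross a
# country, and decide egress. AS->country table and feed are constructed.
AS_COUNTRY = {64496: "US", 64497: "US", 64498: "DE",
              64499: "RU", 64500: "NL", 64501: "GB"}   # constructed sample
DENIED = {"RU"}                                         # example policy

def path_countries(as_path):
    """Distinct countries along an AS path, in order; unknown ASes map to '??'."""
    out = []
    for asn in as_path:
        c = AS_COUNTRY.get(asn, "??")
        if c not in out:
            out.append(c)
    return out

def egress_rule(prefix, as_path, denied=DENIED, block_unknown=True):
    """Return ('DROP'|'ACCEPT', prefix, offending countries) for traffic to prefix."""
    countries = set(path_countries(as_path))
    # An AS with no known country is treated as untrusted unless told otherwise.
    hits = countries & (denied | ({"??"} if block_unknown else set()))
    return ("DROP" if hits else "ACCEPT", prefix, sorted(hits))

class RouteMonitor:
    """Track the best path per prefix; report path changes that add countries."""
    def __init__(self):
        self.best = {}
    def update(self, prefix, as_path):
        before = set(path_countries(self.best.get(prefix, [])))
        after = set(path_countries(as_path))
        self.best[prefix] = as_path
        return sorted(after - before)

def replay(lines):
    """Parse constructed '<date> <prefix> <as-path>' lines; return
    (date, prefix, newly traversed countries, decision) for each change."""
    mon, events = RouteMonitor(), []
    for line in lines:
        date, prefix, *path = line.split()
        as_path = [int(a) for a in path]
        added = mon.update(prefix, as_path)
        if added:                       # path now crosses new jurisdiction(s)
            events.append((date, prefix, added, egress_rule(prefix, as_path)))
    return events

SAMPLE = [                              # constructed vantage-point feed
    "2016-03-01 203.0.113.0/24 64496 64498 64497",
    "2016-03-09 203.0.113.0/24 64496 64499 64497",   # re-routed via RU
    "2016-03-20 203.0.113.0/24 64496 64498 64497",   # back to original path
]
```

Running `replay(SAMPLE)` yields one event per path alteration; the 2016-03-09 change is the one that would produce a DROP for the prefix, and the return to the original path clears it.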
Firewalling Scenic Routes: Preventing Data Exfiltration via Political and Geographic Routing Policies