Security and Resilience for the Internet Infrastructure Dan Massey USC/ISI.
Network Infrastructure Security Research at Colorado State University Dan Massey November 19, 2004.
-
date post
19-Dec-2015 -
Category
Documents
-
view
213 -
download
0
Transcript of Network Infrastructure Security Research at Colorado State University Dan Massey November 19, 2004.
Network Infrastructure Security Research at
Colorado State University
Network Infrastructure Security Research at
Colorado State University
Dan Massey
November 19, 2004
11/19/04USAFA Front Range Workshop for Information Security
2
Network InfrastructureNetwork Infrastructure
• Protocols and Components That Enable Communication
Routing protocols to deliver data from source to destination.
• Ex: Internet’s global BGP routing protocol
Naming protocols identify critical resources
• Ex: Internet’s DNS naming protocols
• Focus of This Talk is Internet BGP and DNS
But observations and research results apply to other systems
such as sensor networks, ad hoc wireles, etc.
11/19/04USAFA Front Range Workshop for Information Security
3
Original Infrastructure GoalsOriginal Infrastructure Goals
• The original designs assumed that: Hardware is unreliable: servers/routers will fail
Network links are unreliable: connections will fail
Data transport is unreliable: bit errors will occur
• The goal was to build protocols that : Provide functionality despite all of the above
Scale to extremely large size
• Tremendously successful in this respect: BGP routing protocol - 150K+ routes 20K+ systems
DNS naming protocol - 1G of records in 60M zones
• But fails to address configuration errors, attacks, etc.
11/19/04USAFA Front Range Workshop for Information Security
4
BGP Routing InfrastructureBGP Routing Infrastructure
• Internet’s Global Routing Protocol Connects Autonomous Systems
(AS)
• Path Vector Routing Protocol Announce the path of AS used to
reach destination
• Routes adapt to: Link changes & route polices Does not adapt to traffic load.
• Some Causes For Concern Today Selection of a single path Unexpected interactions with data Lack of any route authentication
AS 1
AS 2 AS 3
Prefix P
Prefix P
Path 2,1
Prefix P
Path 3,1
11/19/04USAFA Front Range Workshop for Information Security
5
Consequences of Global TrustConsequences of Global Trust
InternetInternet
BGP monitor
Owner of 192.26.92/24
(Incorrectly) decides it is the owner of 192.26.92/24
• BGP Provides No Authentication Faults and attacks can mis-direct traffic. One (of many) examples observed in BGP logs.
ISPs announced new pathfor 20 minutes to 3 hours
11/19/04USAFA Front Range Workshop for Information Security
6
Multiple Origin AS (MOAS) CasesMultiple Origin AS (MOAS) Cases
• Prefixes originate from Multiple Origin AS (MOAS) Lower curve likely due to valid operational needs
• Spikes are errors that disrupt routing to prefix Includes loss of routes to top level DNS servers
11/19/04USAFA Front Range Workshop for Information Security
7
Local or Global Impact?Local or Global Impact?
InternetInternet
BGP monitor
Owner of 192.26.92/24
False origin of 192.26.92/24
• Traffic to 192.26.92/24 routes to wrong site. Clearly a problem for that site, but do you care? Yes, if some essential service hosted there….
ISPs announced new pathfor 20 minutes to 3 hours
C gTLD DNSServer Here
11/19/04USAFA Front Range Workshop for Information Security
8
Interplay Between BGP and DNSInterplay Between BGP and DNS
Caching DNS Server
End-user
www.cisco.com A?
www.cisco.com A 128.92.1.3
Root DNS Server
Actually 128.92.1.3 is Colorado State, but how would you determine this?
com?? DNS Server
cisco.com DNS Server
Recall routing delivered this DNS query to the false com server.
11/19/04USAFA Front Range Workshop for Information Security
9
Cryptography is like magic fairy dust,we just sprinkle it on our protocols
and its makes everything secure
- See IEEE Security and Privacy Magazine, Jan 2003
11/19/04USAFA Front Range Workshop for Information Security
10
Authentication of DNS Responses
Authentication of DNS Responses
• Each DNS zone signs its data using a private key.
Recommend signing done offline in advance
• Query for a particular record returns:
The requested resource record set.
A signature (SIG) of the requested resource record set.
• Resolver authenticates response using public key.
Public key is pre-configured or learned via a sequence of
key records that follow the DNS heirarchy.
11/19/04USAFA Front Range Workshop for Information Security
11
Secure DNS Query and Response
Secure DNS Query and Response
Caching DNS Server
End-user
www.darpa.mil
www.darpa.mil = 192.5.18.195Plus (RSA) signature by darpa.mil
Attacker can not forge this answer without the darpa.mil private key.
Authoritative DNS Servers
11/19/04USAFA Front Range Workshop for Information Security
12
DNS Security ActivitiesDNS Security Activities
• Co-editor of the IETF specification [8]. Passed IETF Standards Process, waiting for RFC#. Code available in BIND 9.3.X DNS servers Encouraging sites to deploy secure DNS
• Operator tools and guidelines in progress
• Currently Investigating Resilient DNS Authentication can defend against false route
• Responses from the false server are ignored• But does not solve denial of service…..
Security is more than authentication. Ensure diverse availability of DNS servers and data
• SIGCOMM 04 DNS resilience paper
11/19/04USAFA Front Range Workshop for Information Security
13
Authentication of BGP Updates?Authentication of BGP Updates?
• Apply Same Public Key Cryptography to BGP Updates?
Existing proposals for Secure BGP (BBN) and Secure Origin BGP
(Cisco)
• But additional challenges in BGP/Routing
No clear hierarchy to overlay public key infrastructure (PKI)
No guarantee data follows the authenticated route
Need additional services to segregate and block data traffic
Routing faces other interactions and problems….
11/19/04USAFA Front Range Workshop for Information Security
14
There is no magic fairy dust
11/19/04USAFA Front Range Workshop for Information Security
15
The Internet Slammer WormThe Internet Slammer Worm
QuickTime™ and aTIFF (Uncompressed) decompressor
are needed to see this picture.
Figure by CAIDAWorm Propagation After 30 Minutes
11/19/04USAFA Front Range Workshop for Information Security
16
BGP Updates During Nimda WormBGP Updates During Nimda Worm
Brittle BGP Sessions
Routing Changes
Total Attack
11/19/04USAFA Front Range Workshop for Information Security
17
Work on Improving Routing Security
Work on Improving Routing Security
• Worm Shows Some Complexity of BGP Dynamics
Need to stabilize the peer communication
• Proposed a fast bloom filter verification mechanism (FRTR)
Need to identify real source topology events
• Proposed Root Cause Tags and LinkRank Analysis Tools
Need to validate routing updates.
• Exploiting natural (non-crypt) consistency assertions
Need to better exploit redundant network paths.
• DARPA Control Plane (kickoff yesterday)
• But we must not forget that ultimate goal of routing is to
delivery packets.
11/19/04USAFA Front Range Workshop for Information Security
18
Open ChallengesOpen Challenges
• How to Build Next Generation Infrastructure (routing/naming) protocols that function in today’s network? Assume some compromised/malicious nodes
• Fact of life in large scale system or critical (DoD) system Assume malicious traffic (worms)
• Protect underlying infrastructure from data impact• Identify and block undesired traffic at infrastructure
Apply Cryptographic Authentication When Possible• But recognize authentication is not equivalent to security
• Much Interesting Work To Be Done… In Internet, DoD networks, new sensor networks, etc.
11/19/04USAFA Front Range Workshop for Information Security
19
AcknowledgementsAcknowledgements
• Funding Sources - Active NetPath: November 2004 - November 2005
• DARPA Control Plane Program Beyond BGP Project: October 2002 - September 2005
• NSF Special Projects in Networking
• Funding Sources - Recently Completed FMESHD Project: Concluded June 2004
• DARPA Fault Tolerant Networks FNIISC Project: Concluded June 2004
• DARPA Fault Tolerant Networks
• With Thanks to Collaborators DARPA: Col. Tim Gibson DHS: Dr. Doug Maughan UCLA: Lixia Zhang, Beichuan Zhang, Lan Wang, Dan Pei, Mohit Lad
Questions?Questions?
11/19/04USAFA Front Range Workshop for Information Security
21
FRTR: Improving Router Communication
FRTR: Improving Router Communication
• BGP Updates Are Not (Topology) Event Driven Session resets trigger high volume surges
• Govindan shows cascade failures can result.
• Lifetime of Invalid Routes is Unbounded Never recover (until reset) if update is somehow lost.
• Despite TCP, we found cases of “lost” withdrawals. Attacker can poison a route with one update.
• Soft-state (periodic re-announce) is too costly…
• FRTR Uses Periodic Bloom Filter Digests Digests quickly confirm state after session reset. Periodic digests bound lifetime of faults (w/ high prob). Co-Author Keyur Patel (Cisco) is exploring Cisco
development.
11/19/04USAFA Front Range Workshop for Information Security
22
FRTR PerformanceFRTR Performance
• For each route at receiver, check against the digest. Bloom filter results in no false
negatives.
• Compare total digests for missing route detection. False positive possible with
known rate. Add salts to reduce the chance
of repeated false positives.
• Overhead is a function of digest size and frequency.
• Work with Cisco suggests a 1.3% overhead increase.
• Complete Details to in [3] (DSN 2004)
11/19/04USAFA Front Range Workshop for Information Security
23
Link Rank BGP DynamicsLink Rank BGP Dynamics
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.