How To Attract Ore Traffic On A Network With A Daoi (Orca) On A Gpa Network

Transcription

1 How Secure are Secure Interdoain Routing Protocols? Sharon Goldberg Microsoft Research Michael Schapira Yale & UC Berkeley Peter Huon AT&T Labs Jennifer Rexford Princeton ABSTRACT In response to high-profile Internet outages, BGP security ariants hae been proposed to preent the propagation of bogus routing inforation. To infor discussions of which ariant should be deployed in the Internet, we quantify the ability of the ain protocols (origin authentication, sobgp, S-BGP, and data-plane erification) to blunt traffic-attraction attacks; i.e., an attacker that deliberately attracts traffic to drop, taper, or eaesdrop on packets. Intuition suggests that an attacker can axiize the traffic he attracts by widely announcing a short path that is not flagged as bogus by the secure protocol. Through siulations on an epirically-deterined AS-leel topology, we show that this strategy is surprisingly effectie, een when the network uses an adanced security solution like S-BGP or data-plane erification. Worse yet, we show that these results underestiate the seerity of attacks. We proe that finding the ost daaging strategy is NP-hard, and show how counterintuitie strategies, like announcing longer paths, announcing to fewer neighbors, or triggering BGP loop-detection, can be used to attract een ore traffic than the strategy aboe. These counterintuitie exaples are not erely hypothetical; we searched the epirical AS topology to identify specific that can launch the. Finally, we find that a cleer export policy can often attract alost as uch traffic as a bogus path announceent. Thus, our work iplies that echaniss that police export policies (e.g., defensie filtering) are crucial, een if S-BGP is fully deployed. Categories and Subject Descriptors. C.2.2 Coputer Counication Networks: Network Protocols. General Ters. Security. 1. INTRODUCTION The Internet is notoriously ulnerable to traffic attraction attacks, where Autonoous Systes () anipulate BGP to attract traffic to, or through, their networks. Attracting extra traffic enables the AS to increase reenue Perission to ake digital or hard copies of all or part of this work for personal or classroo use is granted without fee proided that copies are not ade or distributed for profit or coercial adantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on serers or to redistribute to lists, requires prior specific perission and/or a fee. SIGCOMM 10, August 30 Septeber 3, 2010, New Delhi, India. Copyright 2010 ACM /10/08...$ fro custoers, or drop, taper, or snoop on the packets [2 4]. While the proposed extensions to BGP preent any attacks (see [5] for a surey), een these secure protocols are susceptible to a strategic anipulator who deliberately exploits their weaknesses to attract traffic to its network. Gien the difficulty of upgrading the Internet to a new secure routing protocol, it is crucial to understand how well these protocols blunt the ipact of traffic attraction attacks. 1.1 Quantifying the ipact of attacks. We ealuate the four ajor extensions to BGP, ordered fro weakest to strongest: origin authentication [6,7], sobgp [8], S-BGP [9], and data-plane erification [5, 10]. While the stronger protocols preent a strictly larger set of attacks than the weaker ones, these security gains often coe with significant ipleentation and deployent costs. To infor discussions about which of these secure protocols should be deployed, we would like to quantitatiely copare their ability to liit traffic attraction attacks. Thus, we siulate attacks on each protocol on an epirically-easured AS-leel topology [11 13], and deterine the percentage of that forward traffic to the anipulator. Perforing a quantitatie coparison requires soe care. It does not suffice to say that one protocol, say S-BGP, is four ties as effectie as another protocol, say origin authentication, at preenting a specific type of attack strategy; there ay be other attack strategies for which the quantitatie gap between the two protocols is significantly saller. Since these ore cleer attack strategies can just as easily occur in the wild, our coparison ust be in ters of the worst possible attack that the anipulator could launch on each protocol. To do this, we put ourseles in the ind of the anipulator, and look for the optial strategy he can use to attract traffic fro as any as possible. Howeer, before we can een begin thinking about optial strategies for traffic attraction, we first need a odel for the way traffic flows in the Internet. In practice, this depends on local routing policies used by each AS, which are not publicly known. Howeer, the BGP decision process breaks ties by selecting shorter routes oer longer ones, and it is widely belieed [14] that policies depend heaily on econoic considerations. Thus, conentional wisdo and prior work [14 16] suggests basing routing policies on business relationships and AS-path lengths. While this odel (used in any other studies, e.g., [2, 17]) does not capture all the intricacies of interdoain routing, it is still ery useful for gaining insight into traffic attraction attacks. All of our results are attained within this odel.

2 1.2 Thinking like a anipulator. If routing policies are based on AS path lengths, then intuition suggests that it is optial for the anipulator to announce the shortest path that the protocol does not reject as bogus, to as any neighbors as possible. Depending on the security protocol, this eans announcing a direct connection to the icti IP prefix, a fake edge to the legitiate destination AS, a short path that exists but was neer adertised, a short path that the anipulator learned but is not using, or een a legitiate path that deiates fro noral export policy. Indeed, we use siulations on a easured AS-leel topology to show that this sart attack strategy is quite effectie, een against adanced secure routing protocols like S-BGP and data-plane erification. Worse yet, we show that our siulations underestiate the aount of daage anipulator could cause. Through counterexaples, show that the sart attack is surprisingly not optial. In fact, the following bizarre strategies can soeties attract een ore traffic than the sart attack: announcing a longer path, exporting a route to fewer neighbors, or triggering BGP s loop-detection echanis. In fact, we show that prefix hijacking (i.e., originating a prefix you do not own) is not always the ost effectie attack against today s BGP! These counterexaples are not erely hypothetical we identify specific in the easured AS-leel topology that could launch the. Moreoer, we proe that it is NP-hard to find the anipulator s optial attack, suggesting that a coprehensie coparison across protocols ust reain elusie. 1.3 Our findings and recoendations. While we necessarily underestiate the aount of daage a anipulator could cause, we can ake a nuber of concrete stateents. Our ain finding is that secure routing protocols only deal with one half of the proble: while they do restrict the paths the anipulator can announce, they fail to restrict his export policies. Thus, our siulations show that, when copared to BGP and origin authentication, sobgp and S-BGP significantly liit the anipulator s ability to attract traffic by announcing bogus short paths to all its neighbors. Howeer, een in a network with S-BGP or data-plane erification, we found that a anipulator can still attract traffic by cleerly anipulating his export policies. Indeed, we found that announcing a short path is often less iportant than exporting that path to the right set of neighbors. Thus: Adanced security protocols like S-BGP and data-plane erification do not significantly outperfor sobgp for the sart attacks we ealuated. Defensie filtering of paths exported by stub (i.e., without custoers) proides a leel of protection that is at least coparable to that proided by sobgp, S-BGP and een data-plane erification. Tier 2 are in the position to attract the largest olues of traffic, een in the presence of data-plane erification and defensie filtering (of stubs). Interception attacks [2,3] where the anipulator both attracts traffic and deliers it to the destination are easy for any, especially large ones. p Figure 1: graph. T1a a1 a3 a2 Legend Peer Peer Custoer Proider Traffic Manipulator Victi Anonyized subgraph of CAIDA s AS We could quibble about whether or not anipulating export policies een constitutes an attack; after all, each AS has the right to decide where it announces paths. Howeer, our results indicate that a cleer export policy can attract alost as uch traffic as a bogus path announceent. Indeed, Section 6.1 presents an exaple where an AS in the easured topology gains alost as uch exporting a proider-learned path to another proider, as he would by a prefix hijack (announcing that he owns the IP prefix). Thus, our results suggest that addressing traffic attraction attacks requires both echaniss that preent bogus path announceents (e.g., sobgp or S-BGP) as well as echaniss that police export policies (e.g., defensie filtering). Full ersion. This paper is a copressed suary of our results; the full ersion [1] presents additional inforation, graphs, related work, and proofs of our theores. 2. MODEL AND METHODOLOGY We first present a odel of interdoain routing and routing policies, based on the standard odels in [18] and the Gao-Rexford conditions [15], followed by our threat odel for traffic attraction, and finally our experiental setup. 2.1 Modeling interdoain routing. The AS graph. The interdoain-routing syste is odeled with a labeled graph called an AS graph, as in Figure 1. Each AS is odeled as a single node and denoted by its AS nuber. Edges represent direct physical counication links between. Adjacent are called neighbors. Since changes in topology typically occur on a uch longer tiescale than the execution of the protocol, we follow [18] and assue the AS-graph topology is static. BGP coputes paths to each destination IP prefix separately, so we assue that there is a unique destination IP prefix to which all other nodes attept to establish a path. As shown in Figure 1, there is a single AS that rightfully owns the destination IP prefix under consideration. Establishing paths. In BGP, an AS first chooses an outgoing edge on which it forwards traffic based on a local ranking on outgoing paths, and then announces this path to soe subset of its neighbors. To odel this, we assue that each node n has a set of routing policies, consisting of (a) a ranking on outgoing paths fro n to the destination d, and (b) a set of export policies, a apping of each path P to the set of neighbors to which n is willing to announce the path P. We say that node n has an aailable path ap d if n s neighbor a announced the path ap d to n. If an aailable path ap d is ranked higher than the outgoing path that node n is currently using, then an noral node n will (a) forward

3 traffic to node a, and (b) announce the path nap d to all his neighbors as specified by his export policies. Business relationships. We annotate the AS graph with the standard odel for business relationships in the Internet [15]; while ore coplicated business relationships exist in practice, the following is widely belieed to capture the ajority of the econoic relationships in the Internet. As shown in Figure 1, there are two kinds of edges: custoer-proider (where the custoer pays the proider for connectiity, represented with an arrow fro custoer to proider), and peer-to-peer (where two owned by different organizations agree to transit each other s traffic at no cost, represented with an undirected edge). Because soe of our results are based on CAIDA s AS graph [11], we also consider sibling-to-sibling edges. Details about our treatent of siblings is in the full ersion [1]. Finally, our theoretical results soeties use [15] s assuption that an AS cannot be its own indirect custoer: GR1 The AS graph contains no custoer-proider cycles. 2.2 Modeling routing policies. In practice, the local routing policies used by each AS in the Internet are arbitrary and not publicly known. Howeer, because we want to understand how false routing inforation propagates through the Internet, we need to concretely odel routing policies. Since it is widely belieed that business relationships play a large role in deterining the routing policies of a gien AS [14, 15], and we hae reasonably accurate epirical aps of the business relationships between [11 13], we base our odel on these relationships. Rankings. BGP is first and foreost designed to preent loops. Thus, we assue that node a rejects an announceent fro its neighbor b if it contains a loop, i.e., if node a appears on the path that node b announces. Beyond that, we can think of the process use to select routes as follows; first applying local preferences, then choosing shortest AS paths, and finally applying a tie break. Since the local preferences of each AS are unknown, and are widely belieed to be based (ostly) on business relationships, we odel the three step process as follows: LP SP TB Local Preference. Prefer outgoing paths where the next hop is a custoer oer outgoing paths where the next hop is a peer oer paths where the next hop is a proider. Shortest Paths. Aong the paths with the highest local preference, chose the shortest ones. Tie Break. If there are ultiple such paths, choose the one whose next hop has the lowest AS nuber. 1 Our odel of local preferences is based on on Gao-Rexford condition GR3, and captures the idea that an AS has an econoic incentie to prefer forwarding traffic ia custoer (that pays hi) oer a peer (where no oney is exchanged) oer a proider (that he ust pay). Notice that this iplies that an AS can soeties prefer a longer path! (e.g., in Figure 1, AS prefers the fie-hop custoer path through a3 oer the four-hop proider path through Tier 1 T 1.) 1 We need a consistent way to break ties. In practice, this is done using the intradoain distance between routers and router IDs. Since our odel does not incorporate geographic distance or indiidual routers, we use AS nuber instead. Export Policies. Our odel of export policies is based on the Gao-Rexford condition GR2: GR2 AS b will only announce a path ia AS c to AS a if at least one of a and c are custoers of b. GR2 captures the idea that an AS should only be willing to load his own network with transit traffic if he gets paid to do so. Howeer, because GR2 does not fully specify the export policies of eery AS (for instance, an AS could decide to export paths to only a subset of his custoers), it does not suffice for our purposes. Thus, we odel noral export policies as follows: NE An AS will announce all paths to all neighbors except when GR2 forbids hi to do so. 2.3 Threat odel. One strategic anipulator. We assue that all in the AS graph behae norally, i.e., according to the policies in Section , except for a single anipulator (e.g., AS in Figure 1). We leae odels dealing with colluding for future work. Noral and noral paths. We assue that eery noral AS uses the routing policies in Section 2.2; thus, the noral path is the path an AS (een the anipulator) would choose if he used the noral rankings of Section 2.2, and noral export is defined analogously. (e.g., In Figure 1, the anipulator s noral path is through his custoer AS a3.) We shall assue that eery noral AS knows its business relationship with his neighbors, and also knows the next hop it chooses for forwarding traffic to a gien destination. In order to ealuate the effectieness of each secure routing protocol, we assue that beliee eerything they hear, except when the secure routing protocol tells the otherwise. As such, we do not assue that use auxiliary inforation to detect attacks, including knowledge of the network topology or business relationships between distant, etc., unless the secure routing protocol specifically proides this inforation. Attraction.s. Interception attacks. In an attraction attack, the anipulator s goal is to attract traffic, i.e., to conince the axiu nuber of in the graph to forward traffic that is destined to the icti IP prefix ia the anipulator s own network. To odel the idea that a anipulator ay want to eaesdrop or taper with traffic before forwarding it on to the legitiate destination, we also consider interception attacks. In an interception attack, the anipulator has the additional goal of ensuring that he has an aailable path to the icti. This is in contrast to an attraction attack, where the anipulator is allowed, but not required, to create a blackhole where he has no working path to the icti IP prefix (e.g., Figure 6). The fraction of attracted. In this paper, we easure the success of an attack strategy by counting the fraction of in the internetwork fro which that anipulator attracts traffic; this aounts to assuing that eery AS in the internetwork is of equal iportance to the anipulator. 2 Howeer, it is well known that the distribution 2 We acknowledge that a anipulator ay want to attract traffic fro a specific subset of. We aoid analyzing this, because we lack epirical data to quantify that subset of that a gien anipulator ay want to attract.

4 of traffic in the Internet is not unifor across the ; to address this, we also report the fraction of of arious sizes fro which the anipulator attracts traffic, where we easure size by the nuber of direct custoers the AS has. Attack strategies. To capture the idea that the anipulator is strategic, we allow hi to be ore cleer than the noral ; specifically, we allow hi to use knowledge of the global AS graph and its business relationships in order to launch his attacks. (Howeer, ost of the strategies we considered require only knowledge that is locally aailable at each AS.) An attack strategy is a set of routing announceents and forwarding choices that deiates fro the noral routing policies specified in Section 2.2. An attack strategy ay include, but is not liited to: Announcing an unaailable or non-existent path. Announcing a legitiate aailable path that is different fro the noral path. Exporting a path (een the legitiate noral path) to a neighbor to which no path should be announced to according to the noral export policies. Indeed, one ight argue that soe of these strategies do not constitute dishonest behaior. Howeer, it is iportant to consider these strategies in our study, since we shall find that they can soeties be used to attract as uch traffic as the traditional dishonest strategies (e.g., announcing nonexistent paths). Scope of this paper. This paper focuses on traffic attraction attacks; we do not consider other routing security issues, for instance, isatches between the controland data-plane [4, 10], or traffic deflection attacks, where a anipulator wants to diert traffic fro hiself or soe distant, innocent AS [5]. Moreoer, we do not coer issues related to the adoption of secure routing protocols, nor their effectieness under partial deployent [19]. See the full ersion [1] for ore discussion of related work. 2.4 Experients on epirical AS graphs. All the results and exaples we present are based on epirically-obtained snapshots of the Internet s AS graph annotated with business relationships between. Our experiental results were obtained ia algorithic siulations; details are in the full ersion [1]. Aerage case analysis. Since the influence of an attack strategy depends heaily on the locations of the anipulator and the icti in the AS graph, we run siulations across any (anipulator, icti) pairs. Rather than reporting aerage results, we plot the distribution of the fraction of that direct traffic to the anipulator. We by no eans beliee that a anipulator would select its icti at rando; howeer, reporting distributions allows us to easure the extent to which a secure protocol can blunt the power of the anipulator, deterine the fraction of ictis that a anipulator could effectiely target, and identify positions in the network that are effectie launching points for attacks. Ideally, to deterine how daaging a gien attack strategy can be, we would hae liked to run siulations oer eery (anipulator,icti) pair in the AS graph. Howeer, this would require (30K) 2 siulations per dataset, which would be prohibitie. Instead, we run experients on randoly-chosen (anipulator, icti) pairs. We found that 60K experients of each type were sufficient for our results to stabilize. Multiple datasets. Because the actual AS-leel topology of the Internet reains unknown, and inferring AS relationships is still an actie area of research, we run siulations on a nuber of different datasets: ultiple years of CAIDA data [11], and Cyclops data [12] augented with 21,000 peer-to-peer edges fro [13] s IXP dataset. Een though these datasets use different relationship-inference algoriths, the trends we obsered across datasets were rearkably consistent. Thus, all the results we present are fro CAIDA s Noeber 20, 2009 dataset (with slight odifications to the sibling relationships, see the full ersion); counterparts of these graphs, coputed fro Cyclops and IXP data [12, 13] are in the full ersion [1]. Realistic exaples. Rather than proiding contried counterexaples, we gie eidence that the attack strategies we discuss could succeed in wild by ensuring that eery exaple we present coes fro real data. All the exaples we present here were found in CAIDA s Noeber 20, 2009 dataset [11], and then anonyized by replacing AS nubers with sybols (e.g., in Figure 1, for anipulator, for icti, T 1 for a Tier 1 AS, etc.). We do this in order to aoid iplicating innocent with our exaple attacks, as well as to aoid reporting potentially erroneous AS-relationship inferences ade in the CAIDA dataset (see Section 6.4 for further discussion). 3. FOOLING BGP SECURITY PROTOCOLS This section oeriews the security protocols we consider, and presents the set of (possibly) bogus paths that a anipulator can announce to each neighbor without getting caught. We use the anonyized subgraph of CADIA s AS graph in Figure 1 to deonstrate the fraction of traffic a anipulator could attract by announcing one of these (possibly) bogus paths to all its neighbors. Our focus is on protocols with well-defined security guarantees. Thus, we consider the fie ajor BGP security ariants, ordered fro weakest to strongest security, as follows: (unodified) BGP, Origin Authentication, sobgp, S-BGP, and data-plane erification. Because we focus on security guarantees and not protocol ipleentation, we use these as an ubrella for any other proposals (see [5] for a surey) that proide siilar guarantees using alternate, often lower-cost, ipleentations. Furtherore, our ordering of protocols is strict: an attack that succeeds against a strong security protocol, will also succeed against the weaker security protocol. We also consider defensie filtering as an orthogonal security echanis. BGP. BGP does not include echaniss for alidating inforation in routing announceents. Thus, the anipulator can get away with announcing any path he wants, including (falsely) claiing that he is the owner of the icti s IP prefix. Indeed, when the anipulator in Figure 1 (an anonyized Canadian Tier 2 ISP) launches this attack on the s IP prefix (an anonyized Austrian AS), our siulations show that he attracts traffic fro 75% of the in the internetwork. 3 3 In fact, another strategy, called a subprefix hijack, is aailable to anipulator; by announcing a longer, ore specific subprefix of the icti s IP prefix, he can attract traffic fro 100% of the in the internetwork. This work does not

5 Origin Authentication. Origin authentication [6] uses a trusted database to guarantee that an AS cannot falsely clai to be the rightful owner for an IP prefix. Howeer, the anipulator can still get away with announcing any path that ends at the AS that rightfully owns the icti IP prefix. For instance, in Figure 1, the anipulator can attract traffic fro 25% of the in the internetwork by announcing the path (,, ), een though no such path physically exists. sobgp. Secure Origin BGP (sobgp) [8] proides origin authentication as well as a trusted database that guarantees that any announced path physically exists in the AS-leel topology of the internetwork. Howeer, a anipulator can still get away with announcing a path that exists but is not actually aailable. In Figure 1, the anipulator can attract traffic fro 10% of the in the internetwork by announcing the path (, p,, ). Notice that this path is unaailable; GR2 forbids the Swiss Tier 2 ISP p to announce a peer path to another peer. S-BGP. In addition to origin authentication, Secure BGP [9] also uses cryptographically-signed routing announceents to proides a property called path erification. Path erification guarantees that eery AS a can only announce a path abp to its neighbors if it has a neighbor b that announced the path bp to a. Thus, it effectiely liits a single anipulator to announcing aailable paths. For instance, in Figure 1, the anipulator s noral path (see Section 2.3) is the fiehop custoer path (, a3, a2, a1,, ); announcing that path allows hi to attract traffic fro 0.9% of the in the internetwork. Howeer, with S-BGP the anipulator could instead announce the shorter four-hop proider path (, T 1, a1,, ), thus doubling attracted traffic to 1.7%. Indeed, S-BGP does not preent the anipulator fro announcing the shorter, ore expensie, proider path, while actually forwarding traffic on the cheaper, longer custoer path. Data-plane erification. Data-plane erification [5, 10] preents an AS fro announcing one path, while forwarding on another. Thus, if the anipulator in Figure 1 wants to axiize his attracted traffic, he ust also forward traffic on the proider path. Defensie Filtering. Defensie filtering polices the BGP announceents ade by stubs. A stub is an AS with no custoers, and in our odel, GR2 iplies that a stub should neer announce a path to a prefix it does not own. Thus, our odel of defensie filtering has each proider keep a prefix list of the IP prefixes owned by its direct custoers that are stubs. If a stub announces a path to any IP prefix that it does not own, the proider drops/ignores the announceent, thus enforcing GR2. In ost of our analysis, we assue that eery proider in the internetwork correctly ipleents defensie filtering (see also the discussion in Section 8). As such, we assue that defensie filtering copletely eliinates all attacks by stubs. 4. SMART ATTRACTION ATTACKS We siulate attraction attacks on easured graphs of the Internet s AS-leel topology [11 13] to deterine how uch consider subprefix hijacks, ostly because these attacks are well understood, but also because they can be preented by the filtering practices discussed in [5] No Defensie Filtering Defensie Filtering BGP OrAuth sobgp SBGP Figure 2: Lower bounds on the probability of attracting at least 10% of in the internetwork. traffic a anipulator can attract in the aerage case. This section first presents the attack strategies we siulated, and then reports our results. 4.1 A sart-but-suboptial attack strategy. We assued that ake routing decisions based on business relationships and path length, and that a anipulator cannot lie to his neighbor a about their business relationship (i.e., between and a). Thus, intuition suggests that the anipulator s best strategy is to widely announce the shortest possible path: Shortest-Path Export-All attack strategy. Announce to eery neighbor, the shortest possible path that is not flagged as bogus by the secure routing protocol. Eery Shortest-Path Export-All attack strategy on S-BGP is also an attack on data-plane erification. The Shortest-Path Export-All attack strategy on S-BGP has the anipulator announce his shortest legitiate aailable path to the icti, instead of his noral path (see Sections 2.3 and 3). Notice that if the anipulator actually decides to forward his traffic oer the announced path, he has a successful attack on data-plane erification as well! Thus, the Shortest-Path Export-All attack strategy on data-plane erification is identical to the attack on S-BGP. (To reduce clutter, the following ostly refers to the attack on S-BGP.) We underestiate daage. Section 6 shows that the Shortest-Path Export-All attack strategy is not actually optial for the anipulator, and Section 7 shows that finding the optial attack strategy is NP-hard. Thus, we gie up on finding the optial attack strategy, and run siulations assuing that the anipulator uses this sart-butsuboptial attack. This eans that the results reported in this section underestiate the aount of daage a anipulator could cause, and we usually cannot use these results to directly copare different secure routing protocols. In spite of this, our siulations do proide both (a) useful lower bounds on the aount of daage a anipulator could cause, and (b) a nuber of surprising insights on the strategies a anipulator can use to attract traffic to his network. 4.2 Defensie filtering is crucial. Our first obseration is that defensie filtering is a crucial part of any Internet security solution: Figure 2: We show the probability that, for a randoly chosen (anipulator,icti) pair, the anipulator can attract traffic destined for the icti fro at least 10% of the in the internetwork. The anipulator uses the

6 Announce All Attacks fro dataset caida2009 anipany Nuber of saples: BGP OrAuth 0.8 sobgp SBGP Honest 0.6 BGP + DF Fraction of routing thru Manipulator Figure 3: CCDF for the Shortest-Path Export-All attack strategy. Shortest-Path Export-All attack strategy. The first four bars on the left assue that network does not use defensie filtering. We show the success of the anipulator s strategy on each of the four BGP security ariants, in a network with and without defensie filtering of stubs. The horizontal line in Figure 2 shows the fraction of attacks that are copletely eliinated by defensie filtering; since 85% of in the CAIDA graph are stubs, properly-ipleented defensie filtering guarantees that only 15% of anipulators can successfully attack any gien icti. Despite the fact that we used sub-optial strategies for the anipulator, we hae two concrete obserations: 1. Een if we assue the anipulator runs the sub-optial Shortest-Path Export-All attack strategy on a network that has S-BGP but not defensie filtering, he can still attract 10% of the in the internetwork with probability > 10%. Furtherore, ore cleer strategies for S-BGP (e.g., Figure 9 and 10) ight increase the anipulator s probability of success to the point where defensie filtering alone perfors een better than S-BGP alone. 2. Een if both S-BGP and defensie filtering are used, there is still a non-triial 2% probability that the anipulator can attract 10% of the in the internetwork. Better attack strategies could increase this probability een further. This is particularly striking when we copare with the noral case, where the anipulator anages to attract 10% of the in the internetwork with about 10 4 probability (not shown). 4.3 Attack strategy on different protocols. The reader ay wonder why we chose to focus specifically on the probability of attracting 10% of the in the internetwork in Figure 2. In the interest of full disclosure, we now present the full picture: Figure 3: We show the coplientary cuulatie distribution function (CCDF) of the probability that at least a x-fraction of the in the internetwork forward traffic to the anipulator when he uses the Shortest-Path Export- All attack strategy. Probability is taken oer the unifor rando choice of a icti and anipulator, and obsere that Figure 2 siply presents a crosssection of these results at the x-axis alue of x = 10%. We briefly highlight a few details about this figure: Announce All Attack. Pr[Manipulator finds a shorter path]caida Any AS 0.8 Non-Stub > 25 Custoers 0.6 > 250 Custoers sobgp SBGP Figure 4: Probability of finding a shorter path. BGP cure. Here, the anipulator originates, i.e., announces that he is directly connected to, the icti prefix. This cure looks alost like the CCDF of a unifor distribution, since the anipulator and the icti both announce one-hop paths to the prefix, and are thus are about equally likely to attract traffic. Origin Authentication cure. This tie the anipulator announces that he has a direct link to the AS that legitiately owns the icti prefix. Because the anipulator s path is now two hops long, the aount of traffic he can attract on aerage is reduced. sobgp and S-BGP cures. For the attack on sobgp, the anipulator announces the shortest path that exists in the AS graph. For the attack on S-BGP (and data-plane erification), the anipulator announces the shortest aailable path that he learned fro his neighbors. Oddly, the sobgp and S-BGP cures are alost identical, despite the fact that S-BGP proides stronger security guarantees than sobgp (see also Section 4.4). Honest cure. Here the anipulator behaes norally, i.e., using the ranking and export policies of Section 2.2. BGP+Defensie Filtering cure. Defensie filtering eliinates all Shortest-Path Export-All attack strategies on BGP by stubs, i.e., by 85% of. Thus, this is approxiately BGP cure scaled down to 15%. Different-sized are equally affected. This paper consistently easures the anipulator s success by counting the nuber of that route through hi as a result of his attack strategy. We also produced ersions of Figure 3 that count the fraction of of a gien size that route through the anipulator: (a) All, (b) with at least 25 custoers, and (c) with 250 custoers. We oit these graph as they were alost identical. 4.4 S-BGP forces long path announceents. Figures 2 and 3 show that S-BGP is not uch ore effectie in preenting Shortest-Path Export-All attack strategies than the less-secure sobgp. To understand why, let s copare the lengths of the path that the anipulator can announce with sobgp and S-BGP: Figure 4: We show the probability that the anipulator can announce a path that is shorter than the noral path, i.e., the path he would hae chosen if had used the rankings in Section 2.2. Probability is taken oer a randoly-chosen icti, and a anipulator that is randoly chosen fro one of the following four classes: (a) Any AS in the graph, (b) Non-stubs, or with at least one custoer (c) Mediusized with at least 25 custoers, and (d) Large with at least 250 custoers. If we focus on the results for

7 nnounce All Attacks fro dataset data.caida2009.anip250cust.cs Nuber of saples: 6 1 Shortest aailable path. Export all. 0.8 Noral path. Export All. Noral path. Noral export Fraction of routing through Manipulator Figure 5: Aggressie export policies. S-BGP, it is clear that larger are ore likely to find shorter paths through the network; this follows fro the fact that these are both ore richly connected (i.e., they hae large degree), as well ore central (i.e., they are closer to ost destinations in the internetwork). Furtherore, we can also see that (especially sall ) are ore likely to find short paths with sobgp than they are with S-BGP. Fro Figure 4, we can conclude that S-BGP is doing exactly what it is designed to do: it is liiting the set of paths the attacker can announce, thus forcing hi to announce longer paths. Howeer, in light of the results in Figures 2-3, we ust ask ourseles why forcing the anipulator to announce longer paths does not see to significantly liit the aount of traffic he attracts. We could explain by arguing that path lengths in the Internet are fairly short, (aeraging about 5 hops in our siulations); so the paths that the anipulator can get away with announcing in sobgp are only a few hops shorter than the paths he can announce with S- BGP. Indeed, as we show in the next section, the fact that AS paths are norally so short eans that the length of the anipulator s path often plays less of a role than the set of neighbors that he exports to. 4.5 Export policy atters as uch as length. We now show that the attacker s export policy is as iportant as the length of the path he announces: Figure 5: We show another CCDF of the probability that at least a x-fraction of the in the internetwork forward traffic to the anipulator; probability is taken oer a randoly-chosen icti, and a anipulator chosen randoly fro the class of that hae at least 25 custoers. We consider three different strategies: (a) Announce the shortest aailable path to all neighbors (equialent to the Shortest-Path Export-All attack strategy on S-BGP), (b) Announce the noral path to all neighbors, and (c) Announce the noral path using the noral (GR2 and NE) export policy. This figure shows that, on aerage, announcing a shorter path is uch less iportant than announcing a path to ore neighbors (i.e., the cures for (a) and (b) are ery close, while the cures for (b) and (c) are quite far apart). Indeed, when we considered saller anipulators (not shown), the cures for (a) and (b) are een closer together. One way to explain the sall gap between (a) and (b) is to note that the anipulator s noral path is ery often also his shortest path (this holds for 64% of (anipulator, icti) pairs fro this class); and een when it is not, his noral path tend to be quite short. To understand the large gap between (b) and (c), we note that by iolating the noral export policy, the anipulator can announce paths to his proiders, een when his noral path is not through a custoer. His proiders are ore likely to choose the custoer path through the anipulator, oer soe possibly shorter, non-custoer path. 4.6 Different sized anipulators and ictis. Next, we would like to deterine which in the Internet are likely to be the ost successful anipulators, or the ost ulnerable ictis. We consider fro four different classes: (a) All (b) Non-stubs ( with at least 1 custoer), (c) with at least 25 custoers, (roughly odeling Tier 2 ), and (d) Large with at least 250 custoers ( Tier 1 ). In the interest of space, we only suarize our findings here. Graphs and detailed results are in the full ersion [1]. Manipulators. We ake the surprising obseration that (c) Tier 2s tend to be the ost effectie anipulators, attracting ore traffic than een the (d) Tier 1s. In fact, we found that in any cases, een saller (b) non-stubs tend to attract ore traffic than the Tier 1s. Here we assue that the icti is chosen fro the set of all. Victis. We found that (c) Tier 2 tend to be the least ulnerable to attacks. Furtherore, when we considered attacks on sobgp or S-BGP, we ake the surprising obseration that the (d) Tier 1 are een ore ulnerable than (a) saller at the edge of the internetwork. Here the anipulator is chosen fro the set of all. One ight expect Tier 1 to attract ore traffic than other classes of, but these results indicate that this is not the case; instead, Tier 2s tend to attract the ost traffic. To see why, notice that while Tier 1s are ore central (and thus hae short paths to ost in the internetwork), they are also ore expensie. That is, a Tier 1 is always a proider/peer of its neighbors, so een if those neighbors learn a short path through the Tier 1, they will prefer to route oer a (potentially longer) path through one of their own custoers. On the other hand, Tier 2s tend to be both central as well as the custoer of large Tier 1, and therefore in the position to attract the axiu aount of traffic. Thus, these results again follow fro the fact that creating custoer paths is often ore iportant than creating short paths. 4.7 Suary. In soe sense, the results of this section suggest that secure routing protocols like S-BGP and sobgp are only dealing with one half of the proble: while they do restrict the path the anipulator can choose to announce, they fail to restrict his export policies. Indeed, because defensie filtering restricts both the export policies and the paths announced by stubs, we find that it proides a leel of protection that is at least coparable to that proided by S-BGP, and een data-plane erification, alone. Een if we eliinate attacks by stubs ia defensie filtering, we found that the internetwork is still ulnerable to non-stub that both (a) deiate fro noral routing policies by announcing shorter paths, and (b) deiate fro noral export policies by announcing non-custoer paths to all their neighbors. Furtherore, we hae seen that it is exactly these non-stub (and in particular, the Tier 2s) that are in the position to launch the ost deastating attacks. The success of these attack strategies can be liited with sobgp, S-BGP, or data-plane erification.

8 Blackhole counterexaple Manip loses both his proider paths by announcing to a proider Blackhole counterexaple Manip loses both his proider paths by announcing to a proider T1b p T1a T1c T1b p T1a T1c To presere a May announce to neighboring... path of type... Custoers Peers Proiders Custoer Peer X Proider X X Table 1: Guidelines for interception. Figure Honest 6: (a) Noral outcoe. Announce (b) all Blackhole. 5. SMART INTERCEPTION ATTACKS We now turn our attention to traffic interception attacks [2, 3, 5]. In an interception attack, the anipulator would like to attract as uch traffic as possible to his network (in order to eaesdrop or taper with traffic) before forwarding it on to the icti IP prefix. Thus, we require that an interception attack preseres an aailable path fro the anipulator to icti. 5.1 A stub that creates a blackhole. To proide soe intuition, we first show how a anipulator could lose a working path to a icti: Figure 6: For siplicity, let s consider an attack on BGP where the anipulator falsely originates the icti s prefix. The anipulator is a web-hosting copany in Illinois, and wants to attract traffic destined for the icti a web-hosting copany in France. The anipulator is a ulti-hoed stub with two proiders, a Tier 1 AS T 1a, and a Chicago-area teleco proider p. The left figure shows the noral outcoe, where the anipulator has a path to icti aailable through each of his proiders. The right figure shows what happens when the anipulator announces the icti s prefix to each of his proiders; since each of the prefer short custoer paths, they will forward their traffic through the anipulator. The anipulator has now created a blackhole; he has no aailable path to the icti through either of his proiders. 5.2 When do interception attacks succeed? The reader ay be surprised to learn that there are any situations in which blackholes are guaranteed not to occur. We can proe that, within our odel of routing policies, the anipulator can aggressiely announce paths to certain neighbors while still presering a path to the icti: Theore 5.1. Assue that GR1 holds, and that all use the routing policies in Section 2.2. Suppose the anipulator has an aailable path through a neighbor of a type x in the noral outcoe. If there is in entry (x, y) of Table 1, then a path through that neighbor will still be aailable, een if the anipulator announces any path to any neighbor of type y. The full ersion [1] presents the proofs. We also not that the results arked with hold een if the internetwork does not obey GR1. We also obsere that this theore is sharp ; if there is an X in entry (x, y) of Table 1, we show by counterexaple that the anipulator can soeties lose an aailable path of type x if he announces certain paths to a neighbor of type y. Indeed, Figure 6 is a counterexaple that proes the X in the lower-right entry of Table 1. Results of this for were presented in an earlier work [2]. Howeer, [2] clais that a peer-path cannot be lost by announcing to a proider (and ice ersa). In the full ersion [1] we present an exaple contradicting this, that proes the reaining X entries in Table 1. Tier 1s and Stubs. Theore 5.1 leads to a nuber of obserations, also noted by [2]. First, interception is easy for Tier 1s. Since Tier 1s hae no proiders, they need only concern theseles with the four upper-left entries in Table 1, which indicate that they can announce paths to all their neighbors. Secondly, interception is hard for stubs. A stub s neighbor is always a proider, putting it in the botto-right entry of Table 1, indicating that aggressie announceents could cause a blackhole (e.g., Figure 6). 5.3 When do Shortest-Path Export-All attack strategies cause a blackhole? The obserations of Section 5.2 are borne out by our experients. Recall that in the Shortest-Path Export-All attack strategy, the anipulator announces his shortest (nonrejected) to all of his neighbors. We now show that this siple attack strategy often allows the anipulator to intercept traffic without creating a blackhole: Figure 7: We show the probability that the anipulator has soe aailable path to the icti if he uses the Shortest- Path Export-All attack strategy for each of the four BGP security ariants. We present results for a randoly-chosen icti, and a anipulator chosen fro the usual four classes (see Figure 4). We assue that anipulator runs the Shortest- Path Export-All attack strategy on each BGP security ariant. We can ake a nuber of obserations: 1. Manipulators with the ost custoers are least likely to create a blackhole. As discussed in Section 5.2, these anipulators are ost likely to hae an aailable custoer path to the icti, and as shown in the first row of Table 1, can get away with announcing to all their neighbors without creating a blackhole. 2. The attack on BGP is ost likely to cause a blackhole (cf., the attack on origin authentication, or sobgp). Because the anipulator announces a ore attractie (i.e., short) path, he is ore likely to conince all of his neighbors to forward traffic to hi, and thus create a blackhole. 3. The Shortest-Path Export-All attack strategy on S- BGP, neer creates a blackhole (as long as the anipulator had a path to the icti in the noral outcoe). This obseration atches intuition; since S-BGP forces the anipulator to announce an aailable path, the anipulator ust of course hae an aailable path to the icti. 5.4 Two interception strategies. Figure 7 iediately suggests a siple interception strategy that sees to work eery tie: Shortest-Aailable-Path Export-All attack strategy: The anipulator should announces his shortest aailable path fro the noral outcoe to all his neighbors.

9 Announce All Attack. Pr[isAnyDataPlanePathAailable== TRUE] Any Non-stubs > 25 custoers > 250 custoers BGP OrAuth sobgp SBGP Figure 7: Probability that the Shortest-Path Export-All attack strategy does not create a blackhole. Recall that this is exactly the Shortest-Path Export-All attack strategy on S-BGP. Figure 3, shown that this strategy attracts ore traffic than the noral strategy, but also suggests that when the network does not use S-BGP, there ay be better interception attack strategies. Indeed, Figure 7 shows that there is a non-triial probability that the anipulator has an aailable path to the icti, een if he launches the Shortest-Path Export-All attack strategy on the BGP. This suggests the following two-phase strategy: Hybrid Interception attack strategy: First, run the Shortest-Path Export-All attack strategy on the secure routing protocol, and check if there is an aailable path to the icti. If no such path is aailable, announce the shortest path that was aailable in the noral outcoe to all neighbors. 4 By no eans do we beliee that these two strategies are optial; indeed, while we ealuated ore cleer attack strategies, we oitted the here in the interest of breity and siplicity. What is surprising is that een these triial strategies can be quite effectie for certain anipulators. 5.5 Ealuating interception strategies. Fro the discussion aboe (Figures 6 and 7, Section 5.2), it is clear that with ery few custoers are unlikely to attract large olues of traffic without blackholing theseles. For this reason, we focus our ealuation on anipulators with at least 25 custoers, and for breity only present attacks on BGP: Figure 8: This is a CCDF of the probability that at least a x-fraction of the in the internetwork forward traffic to the anipulator, under the assuption that the network uses BGP. We copare the (a) Shortest-Path Export-All attack strategy where the anipulator is allowed to create a blackhole (and thus tends to attract ore traffic than the interception strategies aboe), with (b) the two interception strategies aboe, as well as (c) the noral strategy. Our key obseration is that the Hybrid Interception attack strategy intercepts a large fraction of traffic; e.g., at least 10% of the in the internetwork with probability oer 50%! 4 We note that while this strategy will attract at least as uch traffic as the Shortest-Aailable-Path Export-All attack strategy, the anipulator stands a higher chance of getting caught if he creates a blackhole in the first phase of the strategy. BGP fro dataset.caida2009.anip25cust. Nuber of saples: Announce All Hybrid Interception Shortest Aailable Path Announce All Honest Fraction of routing thru Manipulator Figure 8: Interception attacks on BGP. 6. SMART ATTACKS ARE NOT OPTIMAL We now proe that the Shortest-Path Export-All attack strategy is not optial for the anipulator. We present three surprising counterexaples 5, found in CAIDA s AS graph and then anonyized, that show that (a) announcing longer paths can be better than announcing shorter ones, (b) announcing to fewer neighbors can be better than to announcing to ore, and (c) the identity of the on the announced path atters, since it can be used to strategically trigger BGP loop detection. In fact, (c) also proes that announcing a longer path can be better than a prefix hijack (where the anipulator originates a prefix he does not own)! 6.1 Attract ore by announcing longer paths! Our first exaple is for a network with sobgp, S-BGP or data-plane erification. We show a anipulator that triples his attracted traffic by announcing a legitiate path to the icti, that is not his shortest path. (This contradicts the optiality of the Shortest-Path Export-All attack strategy, which requires announcing shortest paths.) In fact, this strategy is so effectie, that it attracts alost as uch traffic as an aggressie prefix hijack on unodified BGP! Figure 9: The anipulator is a sall stub AS in Basel, Switzerland, that has one large proider a1 that has alost 500 custoers and 50 peers, and one sall proider AS a2 in Basel that has degree only four. The icti is European broadband proider with oer 100 custoers and 26 peers. hijack. In a network with (unodified) BGP, the anipulator could run a siple prefix hijack, announcing, to both his proiders, and attract traffic fro 62% of the in the internetwork (20550 ), including 73% of with at least 25 custoers, and 88% of with at least 250 custoers. Howeer, this strategy both creates a blackhole at the anipulator, and fails against sobgp or S-BGP. Naie strategy. The upper (green) figure shows the Shortest-Path Export-All attack strategy, where the anipulator naiely announces a three-hop aailable path, (, a1,, ) to his proider a2. Since a2 and a3 prefer the custoer path that leads to the anipulator, oer their existing peer paths, both will forward traffic to the anipulator. He intercepts traffic fro 16% of the in 5 Each exaple was chosen to contradict the optiality of one aspect of the Shortest-Path Export-All attack strategy.

10 scriptctrexlongpaths.txt NAÏVE (green) : 5569 nodes routing thru anip CLEVER (purple) : nodes routing thru anip scriptctrexfilter.txt NAÏVE (green) : nodes thru anip CLEVER (purple) : nodes thru anip p2 p3 p T1a T1b Tier 1 T1a T1b 7 proiders a1 464 custoers 46 peers scriptctrexlongpaths.txt NAÏVE (green) : 5569 nodes routing thru anip CLEVER (purple) : nodes routing thru anip a3 a2 3 proiders 960 custoers 106 peers 3 proiders T1c p1 T2 T1c p1 T2 X 3236 p3 Figure 10: Exporting less. p2 7 proiders 464 custoers 46 peers 1682 peer & custoer p1 a1 a3 a2 3 proiders 960 custoers 106 peers 3 proiders Figure 9: Announcing a longer path. the internetwork (5569 ), including 25% of with at least 25 custoers, and 41% of with at least 250 custoers. Cleer strategy. The lower (purple) figure shows the anipulator cleerly announcing a four-hop aailable path (, a2, a3,, ) to his proider a1. The large ISP a1 will prefer the longer custoer path through the anipulator oer his shorter peer connection to icti, but this tie, the anipulator triples the aount of traffic he attracts, intercepting traffic fro a total of 56% of the in the internetwork (18664 ), including 69% of with at least 25 custoers, and 85% of with at least 250 custoers. In fact, by announcing a longer path, the anipulator earns alost as uch traffic as the aggressie prefix hijack. Why it works. Notice that the anipulator s large proider a1 has hundreds ore neighbors then his sall proider, a2, and that the cleer strategy attracts large ISP a1 s traffic while the naie strategy attracts sall AS a2. Attracting traffic fro the larger AS is crucial to the anipulator s success; in fact, it is ore iportant than announcing short paths. When it works. This strategy only inoles deiating fro noral export policy, rather than lying about paths. Thus, it succeeds against any secure routing protocol (except when it is launched by stubs in a network with defensie filtering). 6.2 Attract ore by exporting less! This exaple is for a network with origin authentication, sobgp, S-BGP, data-plane erification, and/or defensie filtering. We show a anipulator that intercepts traffic fro 25% ore of the in the internetwork by exporting to fewer neighbors. (This contradicts the optiality of the Shortest-Path Export-All attack strategy, which requires exporting to as any neighbors as possible.) Figure 10: The icti is a stub sering a liberal arts college in Illinois. The anipulator is a large ISP, and is copeting with the icti s other proider p1, a local ISP in Illinois, to attract traffic destined for. Naie strategy. The Shortest-Path Export-All attack strategy requires the anipulator to announce his path to all his neighbors. On the left, when the anipulator announces a path to his Tier 2 proider T 2, both T 2 and its two Tier 1 proiders T 1a and T 1b will route through the anipulator. As a result, T 1a and T 1b use four-hop paths to the icti, and the anipulator attracts traffic fro 40% of the in the internetwork, (13463 ), including 44% of the with at least 25 custoers, and 32% of with at least 250 custoers. Cleer strategy. On the right, the anipulator increases his traffic olue by alost 25%, by not exporting to his Tier 2 proider T 2. Because T 2 no longer has a custoer path to the icti, he is forced to use a peer path through T 1c. Because T 2 now uses a peer path, he will not export a path to to the two Tier 1 T 1a and T 1b. The Tier 1s T 1a and T 1b are now forced to choose shorter three-hop peer paths to the icti through the anipulator. Because the T 1a and T 1b now announce shorter paths to their custoers, they becoe ore attractie to the rest of the internetwork, the olue of traffic they send to the anipulator quadruples. Thus, the anipulator attracts 50% of the in the internetwork (16658 ), including 59% of the with at least 25 custoers, and 29% of with at least 250 custoers. Why it works. The anipulator s strategy forces influential (i.e., Tier 1s) to choose shorter peer paths oer longer custoer paths. He does this by suppressing announceents to certain proiders, thus eliinating certain custoer paths fro the internetwork. When it works. This strategy only inoles using a cleer export policy, rather than lying about paths, and therefore succeeds against any protocol, including data-plane erification. 6.3 Attract ore by gaing loop detection! To show that the identity of the on the announced path can affect the aount of attracted traffic, our last exaple inoles gaing BGP loop detection. (This contradicts the optiality of the Shortest-Path Export-All attack strategy, which suggests announcing any shortest path, regardless of the identity of the on that short path.) While gaing loop detection was explored in other works, e.g., [3 5], what is rearkable about this exaple is that it

11 NAÏVE Hijack (green) : nodes FILTER Break link to (red) : nodes CLEVER False Loop Hijack (purple): nodes NAÏVE Hijack (green) : nodes FILTER Break link to (red) : nodes CLEVER False Loop Hijack (purple): nodes T1b b3 b2 b1 T1a a1 a3 a2 T1b b3 b2 b1 T1a Figure 11: False loop prefix hijack. a1 a3 a2, a2, proes that this attack strategy can attract ore traffic than an aggressie prefix hijack. Figure 11: The anipulator is a stub in Clifton, NJ with two proiders. This figure only depicts his NJ-area proider, a1. The anipulator wants to blackhole traffic destined for a prefix owned by the icti, a stub in Alabaa. Standard prefix hijack. The anipulator announces the path (, ) and attracts traffic fro ost of the in the internetwork, exactly Notice also that because Tier 1 T 1a prefers custoer paths, he will choose to forward his traffic along the fie-hop custoer path through the anipulator. False loop prefix hijack. The anipulator clais that innocent AS a2 originates the prefix, announcing (, a2, ) to his proider a1. Howeer, when this false loop is announced to AS a2, BGP loop detection will cause a2 to reject the path through the anipulator s proider a1. As a result, the Tier 1 T 1a has no custoer path to the prefix, and instead chooses the shorter peer path. Now, T 1a announces a shorter, four-hop path to his neighbors (T 1a, a1,, a2, ), aking hi ore attractie to the rest of the internetwork, and attracting ore traffic to the anipulator. For this, and other reasons that are discussed in the full ersion [1], the anipulator attracts 360 ore than standard prefix hijack, i.e., Why it works. The anipulator gaes BGP loop detection, effectiely reoing edges fro the network (i.e., the edge between a1 and a2), to force large ISPs to choose shorter peer paths oer longer custoer paths. When it works. This strategy inoles lying about the path announced by an innocent AS (i.e., AS a2). Because S- BGP and data-plane erification preent lying about paths, this strategy only works with BGP, origin authentication, or sobgp. 6.4 How realistic are these exaples? While all the counterexaples we presented were found in CAIDA s AS graph, we encourage the reader to iew these exaples as saple attack strategies that could succeed in the wild, rather than predictions of what would occur if a specific AS was to launch a gien attack strategy. Indeed, any issing edge or wrongly inferred business relationship in CAIDA s dataset introduces a gap between what happens between the actual depicted in each counterexaple, and what would really happen if these attack strategies were launch by these specific in practice on the Internet. How coon are these exaples? Each of our counterexaples is induced by a ery particular AS graph topology. Our objectie in this section is not to argue that these exaples are coon; indeed, we had to work hard to find the. Instead, our goal is to contradict the optiality of the Shortest-Path Export-All attack strategy, and to argue that the attack strategies to contradict its optiality could realistically occur in the wild. Peering with indirect custoers. Both Figures rely on the existence a pair of (p, c), such that c is both a peer of p, and also an indirect custoer of p (i.e., (T 1a, ) and (T 1b, ) in Figure 10 and (T 1a, a1) in Figure 11). While this topology ay initially see strange, since it requires an AS p near the top of the custoerproider hierarchy to peer with a saller AS c lower down in the hierarchy, this topology could occur in practice as a result of business relationships that eole oer tie, or due to open peering policies facilitated by Internet Exchange Points (IXPs) [13]. Indeed, we found about 2K instances of this topologies in each of our datasets. More discussion is in the full ersion [1]. 7. FINDING OPTIMAL ATTACKS IS HARD After all the bizarre attack strategies in Section 6, the reader ight not be surprised by the following: Theore 7.1. If use the routing policies of Section 2.2, then finding a anipulator s optial traffic attraction attack strategy on a general AS graph is NP-hard. This theore holds for (a) any of the secure protocols ariants and (b) also coers interception attacks; our proof uses a reduction to the standard NP-hard proble of finding the axiu independent set of nodes in a graph. We also show that it is hard to approxiate the optial attack within a constant factor i.e., we cannot een design an algorith that gets close to the optial attack on a general AS graph. This suggests that a full characterization the anipulator s optial attack strategy will reain elusie. See the full ersion [1] for details. 8. IMPLEMENTATION ISSUES Many of our results copare the efficacy of defensie filtering to that of sobgp and S-BGP. Howeer, these echaniss differ greatly in (a) the nuber of that use the on the Internet today, as well as (b) the trust odel for which they were designed. Origin authentication with RPKI/ROA. The operations counity is currently working towards deploying origin authentication, by deeloping a Resource Public Key Infrastructure (RPKI) to issue cryptographic public keys to and routers, and Route Origin Authorizations (ROAs) to ap the IP address space to owner [7]. This infrastructure is a first step towards deploying sobgp or S-BGP. Defensie filtering in practice. While defensie filtering is considered a best coon practice on the Internet today, and is anecdotally known to be used by seeral large ISPs, its ipleentation is far fro perfect. First, the incenties to ipleent defensie filtering are lopsided; in soe sense, the proider deries little local benefit for itself or its custoers, and is instead altruistically protecting the rest of the Internet fro attacks. Secondly, the proider has to anually aintain up-to-date prefix lists of the IP addresses owned by each of its stub custoers. To address the second issue, we suggest that RPKI and ROAs are used by each proider to autoatically derie prefix lists for their

12 stub custoers. (Moreoer, because it ay not be realistic to assue that eery proider ipleents defensie filtering, the full ersion [1] we considers what happens when only the large filter.) Trust odels. Moreoer, we caution that defensie filtering operates in a probleatic trust odel. Because it is a purely local echanis at each proider, there is no known way for an AS to alidate that another AS has ipleented defensie filtering properly. This trust odel essentially aounts to assuing that eery proider is honest. This is in contrast to the trust odel used in S-BGP and sobgp; S-BGP, for instance, ensures than een a alicious AS ay only announce aailable paths (as long as it does not collude with, or coprise the keys of, soe other AS), and also allows any AS to alidate the paths announced by any other AS. 9. CONCLUSIONS Because we work within a odel of routing policies, we caution against interpreting our results as hard nubers that easure the ipact of an attack launched by a specific anipulator in the wild. Howeer, the trends uncoered by our quantitatie analysis do allow us to arrie at a nuber of useful insights; indeed, any of these insights are obtained by aeraging oer ultiple possible (anipulator, icti) pairs, and we suspect that they hold up een if soe deiate fro the policies in our odel. Furtherore, the trends we identified were rearkably consistent across ultiple AS topology datasets [11 13]. That said, future work ight look into how our results hold up under different routing policy odels; e.g., assuing that soe fraction of in the network use siple shortest path policies, while the rest use those of Section 2.2, or assuing that soe equally rank peer- and proider-paths. While secure routing protocols can blunt traffic attraction attacks, we found that export policies are a ery effectie attack ector that these protocols do not address. Thus, we suggest that secure routing protocols (e.g., sobgp and S- BGP) should be deployed in cobination with echaniss that police export policies (e.g., defensie filtering). We beliee both are needed; defensie filtering to eliinate attacks by stub, and secure routing protocols to blunt attacks launched by larger, (especially since we found that large can launch the ost daaging attacks). We note, howeer, that policing export policies is a significant challenge in practice. Defensie filtering of stubs requires oluntarily copliance fro each proider, and it is difficult to check for proper ipleentation (as eidenced by recent eents [20]). Moreoer, gien the coplexity of routing policies used in practice on the Internet, we lack een a definition of what it eans to deiate fro noral export policies. Thus, while anoaly-detection techniques that flag suspicious routes [17, 21] could help, understanding these issues reains an iportant aenue for future research. Acknowledgents The authors thank Jeff Lupien and Paul Oka for outstanding research assistance, and Boaz Barak, Randy Bush, Kein Butler, Nick Feaster, Ainatan Hassidi, Elliott Karpiloky, Arind Krishnaurthy, Dae Ward, Dan Wendlandt, the ebers of the MSR-New England Lab, and the anonyous SIGCOMM reiewers for coents and discussions. 10. REFERENCES [1] S. Goldberg, M. Schapira, P. Huon, and J. Rexford, How secure are secure interdoain routing protocols? Full ersion, tech. rep., Microsoft Research MSR-TR , June [2] H. Ballani, P. Francis, and X. Zhang, A study of prefix hijacking and interception in the Internet, in ACM SIGCOMM, [3] A. Piloso and T. Kapela, Stealing the Internet: An Internet-scale an in the iddle attack, Aug Presentation at DefCon 16, [4] S. Goldberg, S. Halei, A. D. Jaggard, V. Raachandran, and R. N. Wright, Rationality and traffic attraction: Incenties for honest path announceents in BGP, in ACM SIGCOMM, [5] K. Butler, T. Farley, P. McDaniel, and J. Rexford, A surey of BGP security issues and solutions, Proceedings of the IEEE, January [6] P. McDaniel, W. Aiello, K. Butler, and J. Ioannidis, Origin authentication in interdoain routing, Coputer Networks, No [7] IETF, Secure interdoain routing (SIDR) working group. [8] R. White, Deployent considerations for secure origin BGP (sobgp). draft-white-sobgp-bgp-deployent-01.txt, June 2003, expired. [9] S. Kent, C. Lynn, and K. Seo, Secure border gateway protocol (S-BGP), J. Selected Areas in Counications, ol. 18, pp , April [10] E. L. Wong, P. Balasubraanian, L. Alisi, M. G. Gouda, and V. Shatiko, Truth in adertising: Lightweight erification of route integrity, in PODC, [11] X. Diitropoulos, D. Kriouko, M. Foenko, B. Huffaker, Y. Hyun, and kc claffy, AS relationships: Inference and alidation, ACM SIGCOMM Coputer Counication Reiew, Jan [12] Y.-J. Chi, R. Olieira, and L. Zhang, Cyclops: The Internet AS-leel obseratory, ACM SIGCOMM Coputer Counication Reiew, Oct [13] B. Augustin, B. Krishnaurthy, and W. Willinger, IXPs: Mapped?, in Proc. Internet Measureent Conference, No [14] G. Huston, Interconnection, peering, and settleents, in Internet Global Suit (INET), June [15] L. Gao and J. Rexford, Stable Internet routing without global coordination, IEEE/ACM Transactions on Networking, [16] L. Gao, On inferring autoonous syste relationships in the Internet, IEEE/ACM Transactions on Networking, ol. 9, pp , Dec [17] J. Karlin, S. Forrest, and J. Rexford, Autonoous security for autonoous systes, Coputer Networks, Oct [18] T. Griffin, F. B. Shepherd, and G. Wilfong, The stable paths proble and interdoain routing, IEEE/ACM Transactions on Networking, Apr [19] H. Chang, D. Dash, A. Perrig, and H. Zhang, Modeling adoptability of secure BGP protocol, in ACM SIGCOMM, Sept [20] Rensys Blog, Pakistan hijacks YouTube. hijacks_youtube_1.shtl. [21] M. Lad, D. Massey, D. Pei, Y. Wu, B. Zhang, and L. Zhang, PHAS: A prefix hijack alert syste, in Proc. USENIX Security Syposiu, 2006.