Max Schuchard

CR | 4 papers | 21 citations

4 Papers

CR | May 19, 2019
The Maestro Attack: Orchestrating Malicious Flows with BGP

Tyler McDaniel, Jared M. Smith, Max Schuchard

We present the Maestro attack, a novel Link Flooding Attack (LFA) that leverages control-plane traffic engineering techniques to concentrate botnet-sourced Distributed Denial of Service flows on transit links. Executed from a compromised or malicious Autonomous System (AS), Maestro advertises specific-prefix routes poisoned for selected ASes to collapse inbound traffic paths onto a single target link. A greedy heuristic fed by publicly available AS relationship data iteratively builds the set of ASes to poison. Given a compromised BGP speaker with advantageous positioning relative to the target link in the Internet topology, an adversary can expect to enhance total flow density by more than 30%. For a large botnet (e.g., Mirai), that translates to augmenting a DDoS by more than a million additional infected hosts. Interestingly, the size of the adversary-controlled AS plays little role in this amplification effect. Devastating attacks on core links can be executed by small, resource-limited ASes. To understand the scope of the attack, we evaluate widespread Internet link vulnerability across several metrics, including BGP betweenness and botnet flow density. We then assess where an adversary must be positioned to execute the attack most successfully. Finally, we present effective mitigations for network operators seeking to insulate themselves from this attack.

NI | Apr 20, 2019
Measuring Irregular Geographic Exposure on the Internet

Jordan Holland, Jared Smith, Max Schuchard

We examine the extent of needless traffic exposure by the routing infrastructure to nations geographically irrelevant to packet transmission. We quantify what countries are geographically logical to observe on a network path traveling between two nations through the use of convex hulls circumscribing major population centers. We then compare that to the nation states observed in over 2.5 billion measured paths. We examine both the entire geographic topology of the Internet and a subset of the topology that a Tor user would typically interact with. We find that 44% of paths across the entire geographic topology of the Internet and 33% of paths in the user experience subset unnecessarily expose traffic to one or more nations. Finally, we consider the scenario where countries exercise both legal and physical control over autonomous systems, gaining access to traffic outside of their geographic borders, but carried by organizations that fall under the AS's registered country's legal jurisdiction. At least 49% of paths in both measurements expose traffic to a geographically irrelevant country when considering both the physical and legal countries that a path traverses.

CR | Nov 8, 2018
Withdrawing the BGP Re-Routing Curtain: Understanding the Security Impact of BGP Poisoning via Real-World Measurements

Jared M. Smith, Kyle Birkeland, Tyler McDaniel et al.

The security of the Internet's routing infrastructure has underpinned much of the past two decades of distributed systems security research. However, the converse is increasingly true. Routing and path decisions are now important for the security properties of systems built on top of the Internet. In particular, BGP poisoning leverages the de facto routing protocol between Autonomous Systems (ASes) to maneuver the return paths of upstream networks onto previously unusable, new paths. These new paths can be used to avoid congestion, censors, geo-political boundaries, or any feature of the topology which can be expressed at an AS level. Given the increase in BGP poisoning usage as a security primitive, we set out to evaluate poisoning feasibility in practice beyond simulation. To that end, using an Internet-scale measurement infrastructure, we capture and analyze over 1,400 instances of BGP poisoning across thousands of ASes as a mechanism to maneuver return paths of traffic. We analyze in detail the performance of steering paths, the graph-theoretic aspects of available paths, and re-evaluate simulated systems with this data. We find that the real-world evidence does not completely support the findings from simulated systems published in the literature. We also analyze filtering of BGP poisoning across types of ASes and ISP working groups. We explore the connectivity concerns when poisoning by reproducing a decade-old experiment to uncover the current state of an Internet triple the size. We build predictive models for understanding an AS's vulnerability to poisoning. Finally, an exhaustive measurement of an upper bound on the maximum path length of the Internet is presented, detailing how security research should react to ASes leveraging poisoned long paths. In total, our results and analysis expose the real-world impact of BGP poisoning on past and future security research.

CR | Jun 28, 2016
E-Embargoes: Discouraging the Deployment of Traffic Manipulating Boxes With Economic Incentives

Max Schuchard, Nicholas Hopper

An increasing number of systems have been proposed or deployed to the transit core of the Internet with the goal of observing and manipulating traffic in flight, systems we term Traffic Manipulating Boxes (TMBs). Examples of these include: decoy routing systems, surveillance infrastructure like the NSA's alleged QUANTUM project, and traffic shaping middleboxes. In this work, we examine a new approach that a routing-capable adversary might take to resisting these systems: the use of economic pressure to incentivize ISPs to remove them. Rather than directly attacking the availability of these systems, our attack inflicts economic losses, in the form of reduced transit revenue, on ISPs that deploy them, while at the same time incentivizing ISPs that do not. We alter and expand upon the previous routing-around-decoys attack of Schuchard et al. by adjusting the priority given to avoiding TMBs. This reduces or eliminates the key costs faced by a routing-capable adversary while maintaining the effectiveness of the attack. Additionally, we show that since the flow of traffic on the Internet is directly related to the flow of cash between ISPs, a routing-capable adversary is actually a powerful economic adversary. Our findings show that by preferentially using routes which are free of TMBs, some routing-capable adversaries can inflict in excess of a billion dollars in annual revenue losses.