Umair Basha Institute of Information Technology: Understanding The Challenges in Securing Internet Routing
INFORMATION TECHNOLOGY
(DCS)
SUBMITTED TO:
MR. SADIQ ALI KHAN
SUBMITTED BY:
1. Anum Nawaz B07101015
2. Hareem Misbah B07101038
3. Javeria Khan B07101042
4. Maliha Azam B07101061
5. Shafaq Toufiq B07101090
6. Zainab Irfan B07101117
Dated: 21st Nov 2010
Group A Stuff:
ABSTRACT:
This paper explains that the security problems of the Internet are largely due to the design structure of the Internet; there is no central hub to control information and thus no rules on regulation. The author believes the government finds itself incapable of passing any sort of control measures on the use of the Internet because the users have all the power to control or regulate user discipline. The paper stresses that, to find and assess Internet security involving hackers and break-ins, partnerships within the concerned industry must be formed, whereby each partner helps the other in case of a breach in security.

INTRODUCTION:
The Internet is a global, decentralized network comprised of many smaller interconnected networks. Networks are largely comprised of end systems, referred to as hosts, and intermediate systems, called routers. Information travels through a network on one of many paths, which are selected through a routing process. For technical, managerial, and sometimes political reasons, the Internet routing system consists of two components: interior routing and exterior routing. The concept of an Autonomous System (AS) plays a key role in separating interior from exterior routing, as this concept allows one to delineate the set of routers where a change from interior to exterior routing occurs. An IP datagram may have to traverse the routers of two or more Autonomous Systems to reach its destination, and the Autonomous Systems must provide each other with topology information to allow such forwarding. Interior gateway protocols (IGPs) are used to distribute routing information within an AS (i.e., intra-AS routing). Exterior gateway protocols are used to exchange routing information among ASes (i.e., inter-AS routing).

A network under the administrative control of a single organization is called an autonomous system (AS). The process of routing within an AS is called intra-domain routing, and routing between ASes is called inter-domain routing. The dominant inter-domain routing protocol on the Internet is the Border Gateway Protocol (BGP).

BGP:
BGP has been deployed since the commercialization of the Internet, and
version 4 of the protocol has been in wide use for over a decade. BGP works well in practice, and its simplicity and resilience have enabled it to play a fundamental role within the global Internet. However, BGP has historically provided few performance or security guarantees. The limited guarantees provided by BGP often contribute to global instability and outages. While many routing failures have limited impact and scope, others lead to significant and widespread damage. Current research on BGP focuses on exposing and resolving operational and security concerns. Operational concerns relating to BGP, such as scalability, convergence time (the time required for all routers to have a consistent view of the network), route stability, and performance, have been the subject of much effort. Similarly, much of the contemporary security research has focused on the integrity, authentication, confidentiality, authorization, and validation of BGP data.

BGP routing:
There are currently more than 17,500 ASes in the Internet. Each AS originates one or more prefixes representing the addresses assigned to hosts and devices within its network. A PREFIX is a representation for a block of IP addresses. Prefixes are expressed as "prefix / # most significant bits". For example, the prefix 192.68.0.0/16 has 16 significant bits and thus represents all of the IP addresses between 192.68.0.0 and 192.68.255.255 inclusive.

BGP peers constantly exchange Network Layer Reachability Information (NLRI) via UPDATE messages. Each AS advertises the prefixes it is originating to its peers. Additionally, all ASes update their routing tables based on their neighbors' NLRI, and forward the received information to each of their other neighbors. This flooding process ensures that all ASes are informed of the reachability of all prefixes. For as long as the session is active, peers use UPDATE messages to inform each other of routing table changes, which include the addition of new routes and the withdrawal of old ones. BGP is a path vector protocol. ASes establish an AS path for each advertised prefix during the flooding process. The paths are vectors of ASes that packets must traverse to reach the originating AS. Path vectors are stored in a routing table and shared with neighbors via BGP. It is ultimately this information that is used to forward individual packets toward their destination.

All address ownership is the result of prefix delegation between the Internet Corporation for Assigned Names and Numbers (ICANN), regional and national registries, and organizations. ICANN and its predecessors originally delegated blocks of IP addresses directly to organizations, but more recently began to delegate to address registries around the world.

Attacks Between Peers:
In order to take full stock of BGP's vulnerabilities, it is instructive to consider a threat model. This provides an outline of the sort of attacks that it is desirable to prevent, and characterizes the ability of adversaries to attack the protocol. Consider the minimal case of BGP operation; that is, there are two routers communicating information to each other over a shared channel.
Larger Scale Attacks:
BGP is a distributed protocol run by hundreds of thousands of routers. Hence, there are many points at which an adversary can mount an attack. Moreover, each autonomous system is indirectly connected to every other AS in the Internet. Adversaries can affect routers and networks far removed from their peers by exploiting this scale and interconnectedness.

A) Protecting Critical Elements:
Denial of Service:
Many of the attacks above can be considered denial of service attacks. Black holing a route, for example, causes denial of service for that prefix, and subverting the path can also lead to service delays or denials. For example, a sufficiently long route can cause the time-to-live (TTL) of a packet to be exceeded. In the two peer case, denial of service has also been considered by a remote attacker using erroneous or false BGP messages to shut down a connection. Since BGP uses TCP as a transport protocol, it is subject to TCP attacks as well. These attacks are harmful enough to the individual routers, but become even more consequential when the distributed case is considered. If a router goes offline, then when it comes back online, its routing table will need to be recreated, and it re-announces all of the prefixes it is originating, a process known as a table reset. The neighboring routers dump their BGP tables to the peer that has just come online so that it has full data for making its routing decisions. Sifting through this information places a considerable computational burden on the router, and delays processing of normal traffic. If the router is continually knocked offline, the routes it advertises will disappear and reappear in peer routing tables. This is called route flapping and is detrimental to all routers, as extra computation and reconfiguration of routes becomes necessary if this happens often. In order to lower the burden, unstable routes are often penalized through a process called route dampening. Neighboring routers will ignore advertisements from the router for an increasing amount of time, depending on how often the route flapping occurs. Suppression of these routes can be a highly effective denial of service attack.

Protecting the Router from DoS Attacks:
Internet service providers (ISPs) and other Cisco customers face increasing Denial of Service (DoS) attacks associated with IP options set in the IP header of packets. Cisco IOS routers use the Route Processor (RP) to process IP options packets, which can become problematic during a DoS attack. To protect the router, the Cisco 10000 series router supports the dropping of packets with IP options.

IP Options Selective Drop:
The IP Options Selective Drop feature enables you to protect your network routers in the event of a denial of service (DoS) attack. Hackers who initiate such attacks commonly send large streams of packets with IP options. By dropping the packets with IP options, you can reduce the load of IP options packets on the router. The end result is a reduction in the effects of the DoS attack on the router and on downstream routers.
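The route flapping and route dampening mechanism described above can be followed with a small simulation. The block below is an added example written for this page, not code from the report or from any router vendor; the penalty, half-life, suppress and reuse values are assumed illustrative defaults, and the flap schedule fed to it is constructed.

```python
import math

# Dampening parameters. Assumed illustrative defaults for this example, not
# values from the report; real routers let operators tune all of them.
FLAP_PENALTY = 1000       # penalty added per flap (withdrawal + re-announcement)
HALF_LIFE_MIN = 15        # penalty halves every 15 minutes
SUPPRESS_LIMIT = 2000     # route is suppressed once the penalty exceeds this
REUSE_LIMIT = 750         # suppressed route is reused once the penalty drops below this
MAX_SUPPRESS_MIN = 60     # upper bound on how long a route stays suppressed


class DampenedRoute:
    """Dampening state for one prefix learned from one neighbour."""

    def __init__(self, prefix):
        self.prefix = prefix
        self.penalty = 0.0
        self.last_update_min = 0.0
        self.suppressed = False

    def _decay(self, now_min):
        # Exponential decay: the penalty halves every HALF_LIFE_MIN minutes.
        elapsed = max(0.0, now_min - self.last_update_min)
        self.penalty *= 0.5 ** (elapsed / HALF_LIFE_MIN)
        self.last_update_min = now_min

    def flap(self, now_min):
        """Record one flap at time now_min; returns True if the route is now suppressed."""
        self._decay(now_min)
        self.penalty += FLAP_PENALTY
        if self.penalty > SUPPRESS_LIMIT:
            self.suppressed = True
        return self.suppressed

    def usable(self, now_min):
        """Is the route usable at now_min? Applies decay and the reuse limit."""
        self._decay(now_min)
        if self.suppressed and self.penalty < REUSE_LIMIT:
            self.suppressed = False
        return not self.suppressed

    def minutes_until_reuse(self, now_min):
        """Time a suppressed route still has to wait before reuse (capped)."""
        self._decay(now_min)
        if not self.suppressed or self.penalty <= REUSE_LIMIT:
            return 0.0
        wait = HALF_LIFE_MIN * math.log2(self.penalty / REUSE_LIMIT)
        return min(wait, MAX_SUPPRESS_MIN)


def simulate(flap_times_min, check_time_min, prefix="192.68.0.0/16"):
    """Feed a constructed flap schedule (in minutes) and report the state at check time.

    Returns (suppressed-after-each-flap, usable-at-check-time, minutes-until-reuse).
    """
    route = DampenedRoute(prefix)
    states = [route.flap(t) for t in flap_times_min]
    return states, route.usable(check_time_min), route.minutes_until_reuse(check_time_min)
```

Each flap adds a fixed penalty and the penalty decays exponentially in between, so a route that flaps faster than the half-life lets the penalty decay crosses the suppress limit and is ignored until the penalty has fallen back under the reuse limit. Three flaps two minutes apart are enough to suppress the route in this model, while three flaps twenty minutes apart are not; that asymmetry is what the text refers to when it calls suppression of flapping routes an effective denial of service.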
Internet service providers (ISPs) and other Cisco customers face increasing DoS attacks associated with IP options set in the IP header. Cisco IOS routers are susceptible to DoS attacks because of the way in which the routers process IP options. The hardware-based forwarding engine of Cisco IOS routers cannot handle IP options; therefore, the forwarding engine forwards the IP options packets to the route processor (RP). Similarly, most of the line cards forward IP option packets to the RP. The software-based RP processes the packets and performs the extra processing that the IP options packets require.

Processing IP options packets in the RP can become problematic. Software-switching of IP options packets can lead to a serious security problem if a Cisco IOS router comes under a DoS attack by a hacker sending large streams of packets with IP options. The RP can easily become overloaded and drop high priority or routing protocol packets. Switching packets in software slows down the switching speed of the router and increases the router's vulnerability to resource saturation. Some types of IP options, such as the Router Alert option, can be especially harmful to the router when forwarded to the RP.

By default, Cisco IOS software processes packets with IP options, as required by RFC 1812, Requirements for IP Version 4 Routers. The IP Options Selective Drop feature provides the ability to drop packets with IP options in the forwarding engine so that they are not forwarded to the RP. This results in a minimized load on the RP and reduced RP processing requirements.

Protecting the BGP Session:
The main concern of many operators is that the vulnerabilities of BGP may cause large disruptions of service under possible attacks. Besides the exploitation of these vulnerabilities to conduct attacks, measurement studies have shown that misconfigurations of BGP routers are common events. The first solution to improve the security of BGP was proposed in S-BGP. However, the main problems of S-BGP are the cost (CPU, memory and bandwidth) of producing, storing and distributing attestations, and the need to bootstrap the public key infrastructure (PKI). Several alternate solutions have been proposed to get around this problem.

B) Protecting the Critical Routing Content:
It has long been recognized that prefix hijacking can be a serious security threat to the Internet. Several hijack prevention solutions have been proposed, such as S-BGP, so-BGP, and more recently the effort in the IETF Senectivity, and the potential vulnerability in the face of prefix hijacks.

Previous efforts on prefix hijacking can be broadly sorted into two categories: hijack prevention and hijack detection. Generally speaking, prefix hijack prevention solutions are based on cryptographic authentication, where BGP routers sign and verify the origin AS and AS path of each prefix. In addition to added router workload, these solutions require changes to all router implementations, and some of them also
require a public key infrastructure. Due to these obstacles, none of the proposed prevention schemes is expected to see deployment in the near future. A number of prefix hijack detection schemes have been developed recently. A commonality among these solutions is that they do not use cryptographic-based mechanisms. In PGBGP, each router monitors the origin AS nodes in BGP announcements for each prefix over time; any newly occurring origin AS of a prefix is considered anomalous, and the router avoids using anomalous routes if the previously existing route to the same prefix is still available. Different from the above en route detection schemes, MyASN is an offline prefix hijack alert service provided by RIPE. A prefix owner registers the valid origin set for a prefix, and MyASN sends an alarm via regular email when any invalid origin AS is observed in BGP routing updates. PHAS is also an off-path prefix hijack detection system which uses BGP routing data collected by RouteViews and RIPE. Instead of asking prefix owners to register valid origin AS sets as is done by MyASN, PHAS keeps track of the origin AS set for each announced prefix, and sends hijack alerts via multiple path email delivery to the true origin. Unlike the prevention schemes, a hijack detection mechanism provides only half of the solution: after a prefix hijack is detected, correction steps must follow. A recent proposal called MIRO gives end users the ability to perform correction after detecting a problem. MIRO is a new inter-domain routing architecture that utilizes multiple path routing. In MIRO, AS nodes can negotiate alternative routes to reach a given destination, potentially bypassing nodes affected by hijack attacks.

Attacking Techniques:
• Hijack a complete prefix
• Hijack a sub-net of a prefix
• Stealthy IP prefix hijacking
• Hijacking by intercepting

Types of Attacks:
• Black-holing: The attacker announces a false route to a machine that simply drops all packets intended for the victim, or the announcement is for an invalid IP address and all packets go nowhere.
• Imposture: The attacker announces a false route to a machine that acts like the original server. That could be the cherry on top for a phishing attack, because the URL would be the original one, so no client could distinguish the malicious server from the original one. In addition, the original server is cut off from the traffic too, as in black-holing.
• Interception: The attacker announces a false route to a machine that forwards the traffic to the original server. This enables the classical man-in-the-middle scenario where the traffic could be intercepted, logged and modified and then forwarded to the original server. This kind of attack is much more difficult to detect than the other two, because the victim does not recognise any change in its amount of incoming traffic.
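The PGBGP behaviour described above (monitor the origin AS of every prefix over time, treat a new origin as anomalous, keep using the previously known route while it is still available) can be shown with the added example below. It is written for this page and is not PGBGP's own code; the probation period, prefix, AS numbers and the update stream are constructed, and the rule that the oldest origin seen for a prefix is trusted is an assumption made to bootstrap the history.

```python
from collections import namedtuple

# Constructed, simplified BGP UPDATE as seen by one router: time (hours),
# announced prefix and AS path; the last element of the path is the origin AS.
Update = namedtuple("Update", "time prefix as_path")
Alert = namedtuple("Alert", "time prefix known_origins new_origin as_path")


class OriginMonitor:
    """PGBGP-style origin monitoring (added example, not PGBGP's own code).

    Per prefix, the router remembers every origin AS it has seen and when it
    was first seen. An origin that is new for the prefix is anomalous: it
    raises an alert and is not installed while a previously known route to
    the prefix is still available. If the new origin keeps being announced
    for `probation` hours it is accepted, modelling a genuine change of
    ownership rather than a short-lived hijack.
    """

    def __init__(self, probation=24):
        self.probation = probation
        self.seen = {}     # prefix -> {origin_as: time first seen}
        self.table = {}    # prefix -> AS path currently used for forwarding
        self.alerts = []

    def process(self, upd):
        """Handle an announcement; returns what the router did with it."""
        origin = upd.as_path[-1]
        history = self.seen.setdefault(upd.prefix, {})
        first_seen = history.setdefault(origin, upd.time)
        # Trusted: the oldest origin seen for this prefix (assumed bootstrap
        # rule), or any origin that has survived the probation period.
        known = (first_seen == min(history.values())
                 or upd.time - first_seen >= self.probation)
        if known:
            self.table[upd.prefix] = upd.as_path
            return "accepted"
        others = sorted(a for a in history if a != origin)
        self.alerts.append(Alert(upd.time, upd.prefix, others, origin, upd.as_path))
        if upd.prefix not in self.table:
            # No previously existing route is left: use the suspect one,
            # but keep the alert so an operator can look at it.
            self.table[upd.prefix] = upd.as_path
            return "used-no-alternative"
        return "ignored"

    def withdraw(self, prefix, as_path):
        """Withdrawal of the route currently in use removes it from the table."""
        if self.table.get(prefix) == as_path:
            del self.table[prefix]


def demo():
    """Runs a constructed update stream: AS 64500 legitimately originates
    192.68.0.0/16; from hour 10 the constructed AS 64666 announces it too."""
    mon = OriginMonitor(probation=24)
    pfx = "192.68.0.0/16"
    results = []
    results.append(mon.process(Update(0, pfx, (64510, 64500))))               # accepted
    results.append(mon.process(Update(1, pfx, (64511, 64510, 64500))))        # accepted
    results.append(mon.process(Update(10, pfx, (64512, 64666))))              # ignored, alert
    results.append(mon.process(Update(12, "203.0.113.0/24", (64513, 64501))))  # accepted
    mon.withdraw(pfx, (64511, 64510, 64500))          # the legitimate route disappears
    results.append(mon.process(Update(13, pfx, (64512, 64666))))              # used-no-alternative
    results.append(mon.process(Update(14, pfx, (64510, 64500))))              # accepted: known origin is back
    results.append(mon.process(Update(40, pfx, (64512, 64666))))              # accepted: past probation
    return results, mon
```

The stream shows both halves of the trade-off the text points out: while the legitimate route exists, the unknown origin is kept out of the forwarding table; once that route is withdrawn the router has nothing better and falls back to the suspect one, and an origin that persists beyond the probation period is eventually accepted. Detection alone therefore only buys time for the correction steps the text says must follow.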
Solution to prefix hijack:
• To prevent prefix hijacks, one solution is for an ISP to validate the routing announcements from its customers by comparing them against a preconfigured customer prefix list.
• Other security mechanisms include using a bogon list to filter out false routing announcements.

Bogon filtering:
A bogon is a bogus IP address, and an informal name for an IP packet on the public Internet that claims to be from an area of the IP address space that is reserved but not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated Regional Internet Registry (RIR). The areas of unallocated address space are called the bogon space.

Bogons are not the same as the reserved private address ranges, such as 10.x.x.x and 192.168.x.x, which are reserved for private networks.

Many ISPs and end-user firewalls filter and block bogons, because they have no legitimate use, and usually are the result of accidental or malicious misconfiguration. Bogons can be filtered by using router ACLs, or by BGP blackholing. IP addresses that are bogon today may not be bogon tomorrow. IANA and other registries frequently assign new address space to ISPs. Announcements of new assignments are often published on network operators' mailing lists (such as NANOG) to ensure that operators have a chance to remove bogon filtering for addresses that have become legitimate.

For example, addresses 49.0.0.0 - 49.255.255.255 were not allocated prior to August 2010, but are now used by APNIC.[2] As time goes on, IPv4 address exhaustion will mean there are fewer and fewer IPv4 bogons.
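The two defences just listed, validating customer announcements against a preconfigured prefix list and filtering bogons, together with the prefix notation explained in the BGP routing section, can be put into one small policy check. The block below is an added example written for this page, not code from the report or from any router; the customer prefix list, the bogon list (which deliberately still contains 49.0.0.0/8 to mirror the August 2010 example) and the maximum accepted prefix length are assumed values.

```python
import ipaddress

# Constructed customer prefix list: the address blocks this ISP has delegated
# to the customer behind each BGP session (assumed values, not from the report).
CUSTOMER_PREFIX_LIST = {
    "customer-A": ["192.68.0.0/16", "198.51.100.0/24"],
}

# Constructed bogon list: reserved or not-yet-allocated space at the time the
# list was built. 49.0.0.0/8 is kept here to mirror the report's example of a
# block that was bogon until August 2010; a live list has to be refreshed as
# registries allocate new space, otherwise legitimate routes get dropped.
BOGON_LIST = ["0.0.0.0/8", "49.0.0.0/8", "240.0.0.0/4"]

# Assumed operator policy: do not accept routes more specific than a /24.
MAX_PREFIX_LENGTH = 24


def address_range(prefix):
    """First address, last address and size of the block a prefix denotes."""
    net = ipaddress.ip_network(prefix)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def _networks(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def classify_announcement(session, prefix, bogons=BOGON_LIST,
                          prefix_list=CUSTOMER_PREFIX_LIST):
    """Decide what an ISP edge router should do with one customer announcement."""
    try:
        # strict=True: an announcement with host bits set ("192.68.0.1/16") is malformed.
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return "reject-malformed"
    # Reject anything inside bogon space, and any route that would cover bogon space.
    for bogon in _networks(bogons):
        if net.version != bogon.version:
            continue
        if net.subnet_of(bogon) or bogon.subnet_of(net):
            return "reject-bogon"
    if net.prefixlen > MAX_PREFIX_LENGTH:
        return "reject-too-specific"
    # Accept only prefixes covered by the blocks delegated to this customer;
    # this is what stops a customer from originating someone else's prefix
    # (or a sub-net of it) through us, by mistake or otherwise.
    for allowed in _networks(prefix_list.get(session, [])):
        if net.version == allowed.version and net.subnet_of(allowed):
            return "accept"
    return "reject-not-in-prefix-list"


def remove_allocated(bogons, newly_allocated):
    """Drop a block from the bogon list once a registry has allocated it."""
    return [b for b in bogons if b != newly_allocated]
```

The order of the checks matters: bogon filtering and the length limit apply to every session, while the prefix-list match is per customer, so a customer can only ever get its own delegated blocks (or sub-nets of them down to the length limit) into the ISP's table. The `remove_allocated` step is the operational counterpart of the mailing-list announcements the text mentions: 49.1.0.0/16 is rejected as bogon until 49.0.0.0/8 is removed from the list, after which it is judged on the prefix list like any other route.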
Group B Stuff
SECURITY:
To secure the global routing system, the systems developed can be divided into three engineering solutions:
1. Prevention
2. Mitigation
3. Detect and react

PREVENTION:
This category of securing the global routing system, which is heavily based on BGP, provides solutions based on cryptographic authentication. All solutions presented in this category share the same three deployment difficulties:
• No global PKI infrastructure in today's Internet.
• High computational overhead during verification of BGP update signatures.
• All router models need to be updated to deploy these solutions effectively.

One major problem of S-BGP (secure BGP) is that it requires two PKIs, one for address ownership attestation, and the other for route announcement attestation. The S-BGP design requires that each prefix owner has an asymmetric private key for each prefix, so each AS uses the corresponding public key to verify the prefix origin authenticity. To protect a route, each AS also signs the updates with its own private key. The second phase of generating/verifying the route attestation has been improved by some other cryptographic-based secure BGP work, for example SPV and KC-BGP, so the overhead of route verification has been reduced.

S-BGP could be the ideal solution to the routing system security problems, as it could block the attacks from getting into the system. But unfortunately the deployment hurdles are great obstacles to implementing these systems in today's Internet.

MITIGATION:
Solutions proposed in this area of global routing system security do not rely on cryptographic authentication to verify received routes. One solution, as proposed by Wang et al., is that each router observes the origin ASes
and AS paths of the routes to top level DNS servers from time to time, and routers do not adopt any route changes until these changes are verified by some other sources. The delay before adopting legitimate routes has little impact on system performance. Also, a great ease in deploying the solution is that it does not require any change in routing protocols.

The function of PGBGP is that it generalizes this approach to all prefixes used in today's routing systems. PGBGP works such that each router monitors the origin AS nodes in BGP announcements for each prefix over time. The origin of a route is verified for any newly occurring <origin AS, prefix> pair before adoption. Such routes within an AS are also assigned a local-preference that prevents them from being used as long as an alternate route is available.

Another scheme, lifesaver ASes, is introduced to mitigate the attack by withdrawing the routes and announcing an AS-SET for the entire path to promote the real path.

Mitigation can also use anycast routing, by announcing the same prefix from multiple locations. These schemes do not provide a solution for all prefixes, but this has been used to protect the DNS root servers.

DETECT AND REACT:
Detect and react based solutions to global routing security problems have been presented and are in use. The technique is based on:
1. Monitoring infrastructure: that collects BGP routing update information.
2. A user profile: that provides the confirmation of parameters of the networks being used.

The user profile of a network consists of the prefixes announced by the network, the origin ASNs, the neighbour ASes of the network and other BGP related information. Among many other advantages, the user profile may be used in comparing updated BGP announcements to detect potential faults and to filter fault alerts. PHAS, IAR, MyASN, and Cyclops are examples of detect and react systems. These systems send alerts whenever a suspicious BGP announcement is advertised due to prefix hijack or misconfiguration.

PHAS and Cyclops are the most successful due to ease of deployment, alarm generation, expandability of the monitoring infrastructure and fast response time. The factors that make Cyclops distinguishable from other solutions are: (i) Cyclops stores the network configuration of users and uses it to filter the alerts. (ii) Cyclops allows users to easily change configuration
and use feedback from users to reduce the false positives.

Detect and react systems are easily deployable, as these solutions are built in parallel to the systems instead of within the system. They do not need to change any routing system, as is required by the cryptographic solutions.

Monitoring systems in detect and react systems need to be protected from malicious attacks, which remains an open challenge. Also, detection does not prevent damage automatically; it requires the network operators to manage it manually.
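The detect-and-react design described in this section (a monitoring feed compared against a registered user profile of prefixes, origin ASNs and neighbour ASes, with operator feedback used to filter alerts, as in Cyclops and MyASN) is illustrated by the added example below. It is written for this page and is not code from Cyclops, PHAS, IAR or MyASN; the profile values, collector names, AS numbers and feed records are all constructed.

```python
import ipaddress
from collections import namedtuple

# A constructed record from a monitoring feed: which collector saw it, the
# announced prefix and the AS path (the last element is the origin AS).
Update = namedtuple("Update", "collector prefix as_path")
Alert = namedtuple("Alert", "kind prefix detail")


class NetworkProfile:
    """What a prefix owner registers: its prefixes, its valid origin ASNs and
    the neighbour ASes expected to appear next to the origin in any AS path."""

    def __init__(self, prefixes, origins, neighbors):
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
        self.origins = set(origins)
        self.neighbors = set(neighbors)

    def covers(self, net):
        """Does the announcement fall inside registered space at all?"""
        return any(net.version == p.version and net.subnet_of(p) for p in self.prefixes)

    def registered(self, net):
        """Is this exactly one of the registered prefixes (not a more specific)?"""
        return net in self.prefixes


class HijackDetector:
    """Compares feed updates against the profile and raises filtered alerts."""

    def __init__(self, profile):
        self.profile = profile
        self.alerts = []

    def check(self, upd):
        """Return a new Alert, or None if the update is expected or already reported."""
        net = ipaddress.ip_network(upd.prefix)
        if not self.profile.covers(net):
            return None                       # someone else's address space
        origin = upd.as_path[-1]
        upstream = upd.as_path[-2] if len(upd.as_path) > 1 else None
        if origin not in self.profile.origins:
            # Wrong origin: a full-prefix hijack if the prefix matches exactly,
            # a sub-prefix hijack if only a more specific part is announced.
            kind = "origin-mismatch" if self.profile.registered(net) else "sub-prefix-hijack"
            alert = Alert(kind, upd.prefix, origin)
        elif upstream is not None and upstream not in self.profile.neighbors:
            # Right origin but an unregistered neighbour next to it: possibly a
            # forged path, possibly just a new peering the owner never registered.
            alert = Alert("unexpected-neighbor", upd.prefix, upstream)
        else:
            return None                       # matches the profile: filtered out
        if alert in self.alerts:
            return None                       # same event seen by another collector
        self.alerts.append(alert)
        return alert

    def feedback_false_positive(self, alert):
        """Operator feedback: fold a benign alert into the profile so the same
        announcement is filtered from now on instead of being raised again."""
        if alert.kind == "unexpected-neighbor":
            self.profile.neighbors.add(alert.detail)
        elif alert.kind == "origin-mismatch":
            self.profile.origins.add(alert.detail)
        self.alerts = [a for a in self.alerts if a != alert]


def demo():
    """Runs a constructed feed against a constructed profile."""
    profile = NetworkProfile(prefixes=["192.68.0.0/16"], origins=[64500], neighbors=[64510])
    det = HijackDetector(profile)
    feed = [
        Update("collector-1", "192.68.0.0/16", (64511, 64510, 64500)),  # expected
        Update("collector-2", "192.68.0.0/16", (64512, 64666)),         # wrong origin
        Update("collector-1", "192.68.0.0/16", (64512, 64666)),         # same event again
        Update("collector-2", "192.68.5.0/24", (64513, 64666)),         # more specific, wrong origin
        Update("collector-2", "192.68.0.0/16", (64511, 64520, 64500)),  # new upstream
        Update("collector-2", "203.0.113.0/24", (64513, 64501)),        # not our space
    ]
    return det, [det.check(u) for u in feed]
```

The profile does the filtering the text credits Cyclops with: updates that match it produce nothing, the same event reported by two collectors is raised once, and when the operator marks the unexpected-neighbour alert as a false positive the neighbour is added to the profile so later announcements over that peering stay quiet. Note also what the detector cannot do: it only reports, so the reaction to a real sub-prefix or origin hijack is still a manual step for the network operator.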