Source Address Validation Implementation by Using BGP
Abstract
The persistent evolution of the Internet continues to transform the way individuals, as well as businesses, educational institutions, and government organizations, access, share, and communicate information. Convergence of digital voice, video, and data is further consolidating the Internet as a critical infrastructure. One of the main routing protocols in the Internet and the current de facto standard is the Border Gateway Protocol (BGP). Presently ubiquitous, BGP is a critical component of the exponentially growing network of routers that constitutes our contemporary Internet. Carrier networks, as well as most large enterprise organizations with multiple links to one or more service providers, use BGP. The Distributed Denial-of-Service (DDoS) attack is a serious threat to the legitimate use of the Internet. Prevention mechanisms are thwarted by the ability of attackers to forge or spoof the source addresses in IP packets. By employing IP spoofing, attackers can evade detection and put a substantial burden on the destination network for policing attack packets. In this paper, we propose a Source Address Validation Implementation (SAVI) that can mitigate the level of IP spoofing on the Internet. A key feature of our scheme is that it does not require global routing information. SAVIs are constructed from the information implicit in Border Gateway Protocol (BGP) route updates and are deployed in network border routers. We establish the conditions under which the SAVI works correctly, in that it does not discard packets with valid source addresses. Based on extensive simulation studies, we show that, even with partial deployment on the Internet, SAVIs can proactively limit the spoofing capability of attackers. In addition, they can help localize the origin of an attack packet to a small number of candidate networks.
Similar resources
Measures of Self-similarity of BGP Updates and Implications for Securing BGP
Techniques for authenticating BGP protocol objects entail the inspection of additional information in the form of authentication credentials that can be used to validate the contents of the BGP update message. The additional task of validation of these credentials when processing BGP messages will entail significant additional processing overheads. If the BGP validation process is prepared to a...
Updates from the Internet Backbone: An RPKI/RTR Router Implementation, Measurements, and Analysis
A fundamental change in the Internet backbone routing started in January 2011: The Resource Public Key Infrastructure (RPKI) has officially been deployed by the Regional Internet Registries. It leverages the validation of BGP prefix updates based on cryptographically verified data and may lead to secure inter-domain routing at last. In this talk, we present RTRlib, a highly efficient reference ...
Accelerated Processing of Historical BGP Events for Testing New BGP Heuristics
This paper describes a technique for artificially accelerating ‘real time’ when testing new BGP protocol enhancements using historical real-world data. We show how months of BGP advertisement data may be processed in hours, yet generate outputs that appear to reflect months of actual operation by a network of fully featured BGP speakers. Using Quagga (an operational open-source implementation o...
RFC 6811 BGP Prefix Origin Validation
To help reduce well-known threats against BGP including prefix misannouncing and monkey-in-the-middle attacks, one of the security requirements is the ability to validate the origination Autonomous System (AS) of BGP routes. More specifically, one needs to validate that the AS number claiming to originate an address prefix (as derived from the AS_PATH attribute of the BGP route) is in fact auth...
Implementation of BGP in a Network Simulator
Border Gateway Protocol (BGP) is the inter-domain routing protocol currently employed in Internet. Internet growth imposes increased requirements on BGP performance. Recent studies revealed that performance degradations in BGP are due to the highly dynamic nature of the Internet. In this paper, we describe the design of the nsBGP model and its implementation in the ns-2 network simulator. We de...
Publication date: 2014