EAGER: USBRCCR: Researching Internet Routing Security in the Wild

EAGER：USBRCCR：野外研究互联网路由安全

• 批准号: 1740883
• 负责人: Ethan Katz-Bassett
• 金额: $ 30万
• 依托单位: Columbia University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-09-01 至 2021-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1740883&HistoricalAwards=false
• 关键词: EAGER; USBRCCR; Researching; Internet; Routing

The Internet provides a control plane to establish routes to destinations and a data plane to send traffic, and the protocols for both lack authentication. The lack of authentication allows networks to claim ownership of routes to other networks' addresses in order to siphon traffic (prefix hijacking), and allows devices to claim that their traffic came from a different source (source spoofing). These vulnerabilities form the basis for denial-of-service attacks, traffic interception and snooping, Bitcoin theft, and compromises of Tor's anonymity. Because of these vulnerabilities, routing research is a critical aspect of cybersecurity research. However, researchers lack experimental approaches that let them perform Internet routing experiments that are both realistic and controlled. This project aims to extend the public PEERING research testbed to enable classes of security-focused routing research that are beyond the reach of academic researchers today, and to subsequently develop techniques to identify which networks allow or are vulnerable to prefix hijacks and source spoofing. Results from this project will empower novel routing security research, help identify vulnerable networks, map bot populations, and serve as a step towards improved routing security in the Internet.The project will extend the PEERING research testbed with security-related functionality, including the ability to execute containers on routers, integrating PEERING prefixes with the RPKI (an infrastructure for securing aspects of Internet routing), and making the testbed more reliable. It will also develop algorithms to (1) locate the sources of spoofed attack traffic and to (2) track the adoption of RPKI-based protection against prefix hijacking and identify possible problems in its application. The algorithms will use PEERING's ability to manipulate routing and its extensions developed in this project to force route changes and observe the impact on the volume of spoofed traffic received from each peer and which vantage points do/do not use routes that violate the RPKI. The algorithms will need to address challenges related to limited visibility of Internet routes, lack of ground truth about routing policies, and lack of control of routing decisions of other networks. The researchers will investigate how the algorithms can systematically change routes in order to narrow the set of feasible explanations to those consistent with all observations, yielding more precise inferences. The project's extensions to the testbed will allow others to conduct novel routing security research, and the algorithms from the project will identify vulnerable networks, a key step forwards in addressing the Internet's lack of authentication for traffic and routing.

Internet提供了一个控制平面，以建立通往目的地的路由和一个数据平面以发送流量，并且两者都缺乏身份验证的协议。 缺乏身份验证允许网络声称对其他网络地址的路线所有权，以卷入流量（前缀劫持），并允许设备声称其流量来自其他源（来源欺骗）。 这些漏洞构成了拒绝服务攻击，交通拦截和窥探，比特币盗窃以及对Tor匿名的妥协的基础。 由于这些漏洞，路由研究是网络安全研究的关键方面。 但是，研究人员缺乏实验方法，使他们可以执行既现实又受控的互联网路由实验。 该项目旨在扩展公众对等研究的测试台，以使以安全为中心的路由研究能够超出当今学术研究人员的范围，并随后开发技术以确定哪些网络允许或容易受到前缀劫持和源头欺骗的影响。该项目的结果将赋予新颖的路线安全性研究，有助于确定弱势网络，MAP机器人群体，并作为改善Internet中的路由安全性的一步。该项目将扩展与安全性相关功能的对等研究的测试，包括在路由器上执行集装箱的能力，将与RPKI的互联网相结合，并将互联网置于互联网方面，并将互联网的重新分配为互联网，并使得互联网的进度和互联网的范围内的互联网以及互联网的进度。它还将开发算法以（1）定位欺骗攻击流量的来源，并（2）跟踪基于RPKI的保护措施，以防止前缀劫持，并确定其应用程序中可能的问题。该算法将利用Peering操纵路由的能力及其在该项目中开发的扩展，以迫使路线发生变化，并观察对从每个同伴收到的欺骗流量的影响，并且哪些有利位置不使用/不使用违反RPKKI的路由。 该算法将需要解决与互联网路线可见度有限的挑战，缺乏有关路由政策的基础真相以及对其他网络的路由决策的控制。 研究人员将研究算法如何系统地更改途径，以将可行的解释范围缩小到与所有观察结果一致的人的范围，从而产生更精确的推论。 该项目对测试台的扩展将使其他人可以进行新颖的路由安全研究，并且该项目的算法将确定脆弱的网络，这是解决互联网缺乏流量和路由身份验证的关键一步。

项目成果

Tracking Down Sources of Spoofed IP Packets

追踪欺骗性 IP 数据包的来源

• DOI: 10.1145/3360468.3368175
• 发表时间: 2020
• 期刊: 2020 IFIP Networking Conference (Networking
• 作者: Fonseca, Osvaldo;Cunha, Ítalo;Fazzion, Elverton;Meira, Wagner;Junior, Brivaldo;Ferreira, Ronaldo A.;Katz-Bassett, Ethan
• 通讯作者: Katz-Bassett, Ethan

Cloud Provider Connectivity in the Flat Internet

扁平互联网中的云提供商连接

• DOI: 10.1145/3419394.3423613
• 发表时间: 2020
• 期刊: Proceedings of the ACM Internet Measurement Conference
• 作者: Arnold, Todd;He, Jia;Jiang, Weifan;Calder, Matt;Cunha, Italo;Giotsas, Vasileios;Katz-Bassett, Ethan
• 通讯作者: Katz-Bassett, Ethan

PEERING: virtualizing BGP at the edge for research

对等：在边缘虚拟化 BGP 以进行研究

• DOI: 10.1145/3359989.3365414
• 发表时间: 2019
• 期刊: CoNEXT '19: Proceedings of the 15th International Conference on Emerging Networking Experiments And Technologies
• 作者: Schlinker, Brandon;Arnold, Todd;Cunha, Italo;Katz-Bassett, Ethan
• 通讯作者: Katz-Bassett, Ethan

On the Deployment of Default Routes in Inter-domain Routing

浅谈域间路由中默认路由的部署

• DOI: 10.1145/3472951.3473505
• 发表时间: 2021
• 期刊: and Uses of a Responsible Internet
• 作者: Rodday, Nils;Kaltenbach, Lukas;Cunha, Italo;Bush, Randy;Katz-Bassett, Ethan;Rodosek, Gabi Dreo;Schmidt, Thomas C.;Wählisch, Matthias
• 通讯作者: Wählisch, Matthias

DISCO: Sidestepping RPKI's Deployment Barriers

• DOI: 10.14722/ndss.2020.24355
• 发表时间: 2020
• 期刊: Proceedings 2020 Network and Distributed System Security Symposium
• 作者: Tom Hlavacek;Ítalo F. S. Cunha;Y. Gilad;A. Herzberg;Ethan Katz-Bassett;Michael Schapira;Haya Schulmann