EAGER: USBRCCR: Researching Internet Routing Security in the Wild

EAGER：USBRCCR：野外研究互联网路由安全

• 批准号: 1740883
• 负责人: Ethan Katz-Bassett
• 金额: $ 30万
• 依托单位: Columbia University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-09-01 至 2021-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1740883&HistoricalAwards=false
• 关键词: EAGER; USBRCCR; Researching; Internet; Routing

The Internet provides a control plane to establish routes to destinations and a data plane to send traffic, and the protocols for both lack authentication. The lack of authentication allows networks to claim ownership of routes to other networks' addresses in order to siphon traffic (prefix hijacking), and allows devices to claim that their traffic came from a different source (source spoofing). These vulnerabilities form the basis for denial-of-service attacks, traffic interception and snooping, Bitcoin theft, and compromises of Tor's anonymity. Because of these vulnerabilities, routing research is a critical aspect of cybersecurity research. However, researchers lack experimental approaches that let them perform Internet routing experiments that are both realistic and controlled. This project aims to extend the public PEERING research testbed to enable classes of security-focused routing research that are beyond the reach of academic researchers today, and to subsequently develop techniques to identify which networks allow or are vulnerable to prefix hijacks and source spoofing. Results from this project will empower novel routing security research, help identify vulnerable networks, map bot populations, and serve as a step towards improved routing security in the Internet.The project will extend the PEERING research testbed with security-related functionality, including the ability to execute containers on routers, integrating PEERING prefixes with the RPKI (an infrastructure for securing aspects of Internet routing), and making the testbed more reliable. It will also develop algorithms to (1) locate the sources of spoofed attack traffic and to (2) track the adoption of RPKI-based protection against prefix hijacking and identify possible problems in its application. The algorithms will use PEERING's ability to manipulate routing and its extensions developed in this project to force route changes and observe the impact on the volume of spoofed traffic received from each peer and which vantage points do/do not use routes that violate the RPKI. The algorithms will need to address challenges related to limited visibility of Internet routes, lack of ground truth about routing policies, and lack of control of routing decisions of other networks. The researchers will investigate how the algorithms can systematically change routes in order to narrow the set of feasible explanations to those consistent with all observations, yielding more precise inferences. The project's extensions to the testbed will allow others to conduct novel routing security research, and the algorithms from the project will identify vulnerable networks, a key step forwards in addressing the Internet's lack of authentication for traffic and routing.

互联网提供了一个控制平面来建立到目的地的路由，并提供了一个数据平面来发送流量，而两者的协议都缺乏身份验证。 由于缺乏身份验证，网络可以声称拥有通往其他网络地址的路由所有权，以便窃取流量（前缀劫持），并允许设备声称其流量来自不同的来源（源欺骗）。 这些漏洞构成了拒绝服务攻击、流量拦截和窥探、比特币盗窃以及 Tor 匿名性受损的基础。 由于这些漏洞，路由研究是网络安全研究的一个重要方面。 然而，研究人员缺乏实验方法来让他们进行既现实又受控的互联网路由实验。 该项目旨在扩展公共 PEERING 研究测试平台，以实现当今学术研究人员无法进行的以安全为重点的路由研究，并随后开发技术来识别哪些网络允许或容易受到前缀劫持和源欺骗的攻击。该项目的结果将支持新颖的路由安全研究，帮助识别易受攻击的网络，映射机器人群体，并作为提高互联网路由安全性的一步。该项目将扩展 PEERING 研究测试台与安全相关的功能，包括在路由器上执行容器，将 PEERING 前缀与 RPKI（用于保护互联网路由方面的基础设施）集成，并使测试台更加可靠。它还将开发算法来 (1) 定位欺骗攻击流量的来源，并 (2) 跟踪基于 RPKI 的前缀劫持保护的采用情况，并识别其应用中可能存在的问题。这些算法将利用 PEERING 的能力来操纵路由及其在本项目中开发的扩展，以强制路由更改并观察对从每个对等点接收的欺骗流量的影响，以及哪些有利点使用/不使用违反 RPKI 的路由。 这些算法需要解决与互联网路由可见性有限、缺乏路由策略的基本事实以及缺乏对其他网络路由决策的控制等相关的挑战。 研究人员将研究算法如何系统地改变路线，以将可行的解释范围缩小到与所有观察结果一致的范围，从而产生更精确的推论。 该项目对测试平台的扩展将允许其他人进行新颖的路由安全研究，并且该项目的算法将识别易受攻击的网络，这是解决互联网缺乏流量和路由身份验证问题的关键一步。

项目成果

Tracking Down Sources of Spoofed IP Packets

追踪欺骗性 IP 数据包的来源

• DOI: 10.1145/3360468.3368175
• 发表时间: 2020-01
• 期刊: 2020 IFIP Networking Conference (Networking
• 作者: Fonseca, Osvaldo;Cunha, Ítalo;Fazzion, Elverton;Meira, Wagner;Junior, Brivaldo;Ferreira, Ronaldo A.;Katz
• 通讯作者: Katz

Automatic Inference of BGP Location Communities

BGP 位置社区的自动推断

• 发表时间: 2022-01
• 期刊: ACM SIGMETRICS/IFIP Performance
• 作者: Da Silva Jr., B. A;Mol, P.;Fonseca, O.;Cunha, I.;Ferreira, R. A;Katz
• 通讯作者: Katz

Cloud Provider Connectivity in the Flat Internet

扁平互联网中的云提供商连接

• DOI: 10.1145/3419394.3423613
• 发表时间: 2020-01
• 期刊: Proceedings of the ACM Internet Measurement Conference
• 作者: Arnold, Todd;He, Jia;Jiang, Weifan;Calder, Matt;Cunha, Italo;Giotsas, Vasileios;Katz
• 通讯作者: Katz

PEERING: virtualizing BGP at the edge for research

对等：在边缘虚拟化 BGP 以进行研究

• DOI: 10.1145/3359989.3365414
• 发表时间: 2019-12
• 期刊: CoNEXT '19: Proceedings of the 15th International Conference on Emerging Networking Experiments And Technologies
• 作者: Schlinker, Brandon;Arnold, Todd;Cunha, Italo;Katz
• 通讯作者: Katz

On the Deployment of Default Routes in Inter-domain Routing

浅谈域间路由中默认路由的部署

• DOI: 10.1145/3472951.3473505
• 发表时间: 2021-08
• 期刊: and Uses of a Responsible Internet
• 作者: Rodday, Nils;Kaltenbach, Lukas;Cunha, Italo;Bush, Randy;Katz;Rodosek, Gabi Dreo;Schmidt, Thomas C.;Wählisch, Matthias
• 通讯作者: Wählisch, Matthias