ROV++: Improved Deployable Defense against BGP Hijacking

Reynaldo Morillo, Justin Furuness, Amir Herzberg, Cameron Morris, James Breslin, Bing Wang

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-reviewed

9 Scopus citations

Abstract

We study and extend Route Origin Validation (ROV), the basis for the IETF defenses of interdomain routing. We focus on two important hijack attacks: subprefix hijacks and non-routed prefix hijacks. For both attacks, we show that, with partial deployment, ROV provides disappointing security benefits. We also present a new attack, superprefix hijacks, which completely circumvent ROV's defense for non-routed prefix hijacks. We then present ROV++, a novel extension of ROV, with significantly improved security benefits even with partial adoption. For example, with uniform 5% adoption for edge ASes (ASes with no customers or peers), ROV prevents less than 5% of subprefix hijacks, while ROV++ prevents more than 90% of subprefix hijacks. ROV++ also defends well against non-routed prefix attacks and the novel superprefix attacks. We evaluated several ROV++ variants, all sharing the improvements in defense; this includes “Lite”, software-only variants, deployable with existing routers. Our evaluation is based on extensive simulations over the Internet topology. We also expose an obscure yet important aspect of BGP, much amplified by ROV: inconsistencies between the observable BGP path (control-plane) and the actual traffic flows (data-plane). These inconsistencies are highly relevant for security, and often lead to a challenge we refer to as hidden hijacks.
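To make the three attack classes and the "hidden hijack" concrete, the following is an added example (not code from the ROV++ paper or its authors): a minimal model of Route Origin Validation with RFC 6811 semantics (valid / invalid / not-found), a toy RIB per AS, and a hop-by-hop data-plane trace. All AS numbers, prefixes and ROAs are constructed for illustration; the topology is one provider AS that does not run ROV with one customer AS that does. It shows that ROV marks the subprefix hijack and the direct non-routed prefix hijack invalid, that a superprefix hijack is only "not-found" (no ROA covers the superprefix) and is therefore accepted, and that the ROV-running AS still forwards traffic for the hijacked subprefix to its provider, which has the hijacked more-specific route. This last case is the control-plane/data-plane inconsistency the abstract calls a hidden hijack; the example does not model ROV++ itself.

```python
"""
Added example: Route Origin Validation (RFC 6811 semantics) plus a toy
forwarding trace showing subprefix, non-routed and superprefix hijacks and
the hidden-hijack effect. Everything below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str
    origin_as: int   # 0 = AS0 ROA: no AS may originate this prefix
    max_length: int


def rov_validate(prefix: str, origin_as: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not-found' for (prefix, origin), RFC 6811 style."""
    pfx = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        rp = ipaddress.ip_network(roa.prefix)
        if rp.version != pfx.version or not pfx.subnet_of(rp):
            continue                       # a ROA only applies to prefixes it covers
        covered = True
        if roa.origin_as == origin_as and pfx.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def build_rib(received, roas, runs_rov: bool):
    """received: list of (prefix, origin_as, next_hop_as). Returns prefix -> next hop.
    An AS running ROV discards 'invalid' routes; 'not-found' routes are accepted."""
    rib = {}
    for prefix, origin, next_hop in received:
        if runs_rov and rov_validate(prefix, origin, roas) == "invalid":
            continue
        rib[prefix] = next_hop             # next_hop None = this AS originates the prefix
    return rib


def lookup(rib, dst_ip: str):
    """Longest-prefix match on a toy RIB; returns (prefix, next_hop) or None."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in rib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen):
            best = (prefix, next_hop)
    return best


def trace(start_as: int, dst_ip: str, ribs) -> list:
    """Follow data-plane forwarding AS by AS until the matched prefix's originator."""
    path, cur = [], start_as
    while cur is not None and cur not in path:
        path.append(cur)
        match = lookup(ribs[cur], dst_ip)
        if match is None:
            path.append("no-route")
            break
        cur = match[1]
    return path


# Constructed scenario: victim 64500 announces 10.0.0.0/16 and holds the
# non-routed 192.0.2.0/24 (protected by an AS0 ROA); 64666 is the hijacker.
VICTIM, HIJACKER, PROVIDER, ROV_AS = 64500, 64666, 64700, 64800
ROAS = [ROA("10.0.0.0/16", VICTIM, 16), ROA("192.0.2.0/24", 0, 24)]


def scenario_ribs():
    """Provider 64700 does not run ROV; its customer 64800 does."""
    victim = {"10.0.0.0/16": None}
    hijacker = {"10.0.1.0/24": None, "192.0.0.0/16": None}   # subprefix + superprefix hijack
    provider = build_rib([("10.0.0.0/16", VICTIM, VICTIM),
                          ("10.0.1.0/24", HIJACKER, HIJACKER),
                          ("192.0.0.0/16", HIJACKER, HIJACKER)], ROAS, runs_rov=False)
    rov_as = build_rib([("10.0.0.0/16", VICTIM, PROVIDER),
                        ("10.0.1.0/24", HIJACKER, PROVIDER),
                        ("192.0.0.0/16", HIJACKER, PROVIDER)], ROAS, runs_rov=True)
    return {VICTIM: victim, HIJACKER: hijacker, PROVIDER: provider, ROV_AS: rov_as}


def demo():
    ribs = scenario_ribs()
    return {
        "subprefix_hijack_status": rov_validate("10.0.1.0/24", HIJACKER, ROAS),   # invalid
        "nonrouted_hijack_status": rov_validate("192.0.2.0/24", HIJACKER, ROAS),  # invalid (AS0 ROA)
        "superprefix_hijack_status": rov_validate("192.0.0.0/16", HIJACKER, ROAS),  # not-found
        "rov_as_rib": ribs[ROV_AS],                       # /24 dropped, /16 and superprefix kept
        "hidden_hijack_path": trace(ROV_AS, "10.0.1.5", ribs),   # ends at the hijacker
        "clean_path": trace(ROV_AS, "10.0.5.5", ribs),           # ends at the victim
        "superprefix_path": trace(ROV_AS, "192.0.2.1", ribs),    # ends at the hijacker
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ROV-running AS 64800 shows a clean control plane for 10.0.1.0/24 (its only covering route is the victim's /16 via the provider), yet its packets for 10.0.1.5 leave for the provider, which holds the hijacked /24 and hands them to 64666. Whether a given AS is protected therefore depends on its neighbors' filtering, not only on its own, which is the partial-deployment weakness the abstract quantifies.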

Original language: English
Title of host publication: 28th Annual Network and Distributed System Security Symposium, NDSS 2021
Publisher: The Internet Society
ISBN (Electronic): 1891562665, 9781891562662
DOIs:
State: Published - 2021
Externally published: Yes
Event: 28th Annual Network and Distributed System Security Symposium, NDSS 2021 - Virtual, Online
Duration: 21 Feb 2021 to 25 Feb 2021

Publication series

Name: 28th Annual Network and Distributed System Security Symposium, NDSS 2021

Conference

Conference: 28th Annual Network and Distributed System Security Symposium, NDSS 2021
City: Virtual, Online
Period: 21/02/21 to 25/02/21

Bibliographical note

Publisher Copyright:
© 2021 28th Annual Network and Distributed System Security Symposium, NDSS 2021. All Rights Reserved.

Funding

We would like to thank the anonymous reviewers for their insightful and constructive feedback, and our shepherd Dr. Samuel Jero for his helpful guidance. We also thank Joel Halpern, Shuai Hao, John Kristoff, Louis Poinsignon, Lars Prehn, Kotikalapudi Sriram, Celia Testart, and Russ White for their comments and suggestions on earlier drafts of the paper. Our collaborating partners, Connecticut Education Network (Rick Cheung, Ryan Kocsondy, and Michael Pennington) and UConn IT Services (Robert Kent, Michael Mundrane, and Michael Williams) provided us valuable feedback on deployment and operation aspects of this project. We are grateful for the great work by the project team at UConn, including Jack Aaron, Abhinna Adhikari, Matthew Jaccino, Sam Kasbawala, Shariq Khan, Pablo Rodriguez, Sam Secondo, Nicholas Shpetner, and Tony Zheng. This work was partially supported by NSF under award OAC-1840041 and by the Comcast Corporation. The opinions expressed in the paper are those of the researchers and not of their university or funding sources.

Funders (funder number):
Connecticut Education Network
UConn IT Services
National Science Foundation (OAC-1840041)
Comcast
Neurosciences Foundation
