“Securing Internet Applications from Routing Attacks”
Communications of the ACM, June 2021, Vol. 64 No. 6, Pages 86-96
By Yixin Sun, Maria Apostolaki, Henry Birge-Lee, Laurent Vanbever, Jennifer Rexford, Mung Chiang, Prateek Mittal
“The ability to divert targeted traffic via routing attacks is an emerging threat to Internet applications.”
The Internet is a “network of networks” that interconnects tens of thousands of separately administered networks. The Border Gateway Protocol (BGP) is the glue that holds the Internet together by propagating information about how to reach destinations in remote networks. However, BGP is notoriously vulnerable to misconfiguration and attack. The consequences range from making destinations unreachable (for example, Google’s routing incident caused widespread Internet outage in Japana), to misdirecting traffic through unexpected intermediaries (for example, European mobile traffic routed through China Telecom due to improper routing announcements from a Swiss datacenter), to impersonating legitimate services (for example, traffic to an Amazon DNS server rerouted to attackers who answered DNS queries with fraudulent IP addresses). Efforts to secure the Internet routing system have been underway for many years, but the pace of progress is slow since many parties must agree on solutions and co-operate in their deployment.
In the meantime, more users rely on the Internet to access a wide range of services, including applications with security and privacy concerns of their own. Applications such as Tor (The Onion Routing) allow users to browse anonymously, certificate authorities provide certificates for secure access to Web services, and blockchain supports secure crypto-currencies. However, the privacy and security properties of these applications depend on the network to deliver traffic; Figure 1 illustrates the cross-layer interaction between Tor and the underlying network. Application developers abstract away the details of Internet routing, but BGP does not provide a sufficiently secure scaffolding for these applications. This gap leaves the vulnerabilities due to routing insecurity significantly underestimated. While routing attacks are well known, they have been viewed primarily as affecting availability (when misdirected traffic is dropped) and confidentiality (when data is not encrypted). This article provides a new perspective by showing that routing attacks on Internet applications can have even more devastating consequences for users—including uncovering users (such as political dissidents) trying to communicate anonymously, impersonating websites even if the traffic uses HTTPS, and stealing cryptocurrency.
This article argues that the security of Internet applications and the network infrastructure should be considered together, as vulnerabilities in one layer led to broken assumptions (and new vectors for attacks) in the other. We first give an overview of routing security. Then, we discuss how cross-layer interactions enable routing attacks to compromise popular applications like Tor, certificate authorities, and the bitcoin network. Given the slow adoption of secure routing solutions, we discuss how applications can take into account the underlying routing properties and employ application-layer defenses to mitigate routing attacks. We believe that application-layer and network-layer solutions are interconnected, and both are essential to secure Internet applications. While application-layer defenses are more easily deployable, we hope to motivate the community to redouble efforts on secure routing solutions and tackle BGP’s many security problems once and for all.
Routing attacks occur in the wild and are getting increasingly prevalent and more sophisticated. We dissect routing attacks from the perspective of an attacker and review existing defenses. In particular, the ability to divert targeted traffic via routing attacks is an emerging threat to Internet applications. We further demonstrate how routing attacks compromise three applications.
How BGP works. The Internet consists of around 67,000 Autonomous Systems (ASes), each with an AS number (ASN) and a set of IP prefixes. Neighboring ASes exchange traffic in a variety of bilateral relationships that specify which traffic should be sent and how it is paid for. Such agreements can generally be classified into two types: a customer-provider relationship, where the customer pays the provider to send and receive traffic to and from the rest of the Internet, and a peer-to-peer relationship, where no money is exchanged but traffic must be destined for the peer or its customers.
Routing among the ASes is governed by the Border Gateway Protocol (BGP), which computes paths to destination prefixes. ASes choose one “best” route to a prefix based on a list of factors, with the top two generally being: Local Preference: a path via a customer is preferred over path via a peer, which is preferred over a provider; Shortest Path: a path with the fewest AS hops is preferred. The AS will then add the route into its local Routing Information Base, and further propagate the route to its neighbors based on routing policies after prepending itself in the path.
ASes forward packets using the path to the longest matching prefix of the destination IP. In Figure 2, AS1 announces 220.127.116.11/22 via neighbor AS2, and 18.104.22.168/24 via neighbor AS3. AS4 forwards packets to 22.214.171.124/24 via AS3 based on the longest prefix match. Note that, in general, the longest prefix that can be successfully propagated is /24; many ASes filter prefixes that are longer than /24 by default.
Goals of routing attacks. By default, ASes trust routing announcements from other ASes. Routing attacks happen when an AS announces an incorrect path to a prefix, causing packets to traverse through and/or arrive at the attacker AS. We discuss the goals of the attacker from two perspectives: whom to affect and what to achieve.
About the Authors:
Yixin Sun is an assistant professor at University of Virginia, Charlottesville, VA, USA.
Maria Apostolaki is a Ph.D. student at ETH Zurich.
Henry Birge-Lee is a student at Princeton University, Princeton, NJ, USA.
Laurent Vanbever is an associate professor at ETH Zurich.
Jennifer Rexford is a professor at Princeton University, Princeton, NJ, USA.
Mung Chiang is a Dean at Purdue University, West Lafayette, IN, USA.
Prateek Mittal is an associate professor at Princeton University, Princeton, NJ, USA.