Stealth Probing: Efficient Data-Plane Security for IP Routing
Ioannis Avramopoulos
Princeton University

Joint work with Jennifer Rexford
Hosts vis-à-vis Routers
(Attacks against Availability)
Routing Fabric
(Routing Protocols)
Routing Fabric
(Data Forwarding)
Attacks against the Routing Fabric
(Breaking Perimeter Defense)
(Figure: autonomous systems AS0 to AS4; AS: Autonomous System)
Perimeters can be broken because of:
• Disgruntled network operators
• Password guessing
• Exploits of the OS
Attacks against the Routing Fabric
(Routing Protocol Attacks and Defenses)
• These attacks game the routing state by
falsifying routing protocol messages
• Falsifications come in two flavors:
– Modification of en-route protocol messages
– Collusion (or wormhole) attacks
• Secure routing protocols protect from the
modification of protocol messages
– They do not protect from wormholes
– They do not verify forwarding behavior
Limitation of Secure Routing Protocols
(Data-Plane Adversary)
Attacks against the Routing Fabric
(Data-Plane Attacks)
• Link layer disruption
– Physical layer attacks
– Medium access control layer attacks
• Network layer disruption
– Packet loss
– Packet modification
– Packet delay
– Packet deflection
• Transport layer disruption
– Attacks against the congestion control mechanism
Securing the Routing Fabric
(Defending against Data-Plane Attacks)
• Availability monitoring
– Easy for the traffic source
– Difficult from within the network
• Fault localization
– Beaconing and traceroute egregiously fail in
adversarial networks
– In adversarial networks, fault localization is
difficult but necessary
Overview
• Introduction
• Stealth Probing
• Intradomain Deployment -- Byzantine Tomography
• Interdomain Deployment -- Secure Route Control
• Related Work
• Conclusion
Availability Monitoring
(Problem Formulation)
Naïve Solutions
• Probing (e.g., ping)
• Cumulative network-layer ACKs
• Transport-layer ACKs
(Figure: monitored path from ingress to egress)
Stealth Probing
(Approach)
• Prevent the adversary from preferentially treating probing traffic by making data and probing traffic indistinguishable
• Three steps
1. Create an encrypted tunnel and divert both data and probing traffic in the tunnel
2. Match the size of probing traffic with that of the data traffic
3. Obscure the timing of probes
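The following simulation is an added example, not code from the talk: it runs a constructed stream of data packets and probes past a single on-path adversary and compares the loss the ingress monitor infers from unanswered probes with the loss the data actually suffered, first without the tunnel, then with steps 1 and 2 (encrypted, MTU-padded frames) but periodic probes, and finally with step 3 (randomized probe slots). Packet sizes, the 10-slot period and the adversary strategies are all assumptions of the example.

```python
import random

MTU = 1500            # every tunnel frame is padded to this size (step 2)
PROBE_SIZE = 64       # a bare probe is small and easy to single out

def build_stream(n_pkts, n_probes, hide_timing, rng):
    """Constructed traffic as (kind, size) tuples. With hide_timing (step 3)
    the probe slots are drawn at random; otherwise a probe sits in every k-th slot."""
    if hide_timing:
        slots = set(rng.sample(range(n_pkts), n_probes))
    else:
        slots = set(range(0, n_pkts, n_pkts // n_probes))
    return [("probe", PROBE_SIZE) if i in slots
            else ("data", rng.choice([200, 576, 1500])) for i in range(n_pkts)]

def wire_view(pkt, stealth):
    """What an on-path adversary can observe. Inside the encrypted, padded
    tunnel (steps 1 and 2) every packet looks the same."""
    return ("tunnel", MTU) if stealth else pkt

def measure(stream, stealth, adversary):
    """Return (loss the ingress monitor infers from unanswered probes,
    true loss suffered by data packets)."""
    sent = {"probe": 0, "data": 0}
    lost = {"probe": 0, "data": 0}
    for i, pkt in enumerate(stream):
        sent[pkt[0]] += 1
        if adversary(i, wire_view(pkt, stealth)):   # True means the packet is dropped
            lost[pkt[0]] += 1
    return lost["probe"] / sent["probe"], lost["data"] / sent["data"]

def drop_unless_probe(i, view):
    """Adversary 1: forwards whatever looks like a probe, drops the rest."""
    return not (view[0] == "probe" or view[1] == PROBE_SIZE)

def drop_unless_periodic(i, view):
    """Adversary 2: cannot read the tunnel, so it bets that probes are periodic
    and forwards only every 10th slot (assumed period)."""
    return i % 10 != 0

def scenarios(seed=7):
    rng = random.Random(seed)
    periodic = build_stream(1000, 100, hide_timing=False, rng=rng)
    randomized = build_stream(1000, 100, hide_timing=True, rng=rng)
    return {
        "plain, selective drop": measure(periodic, False, drop_unless_probe),
        "tunnel, selective drop": measure(periodic, True, drop_unless_probe),
        "tunnel, periodic probes, timing guess": measure(periodic, True, drop_unless_periodic),
        "tunnel, random probes, timing guess": measure(randomized, True, drop_unless_periodic),
    }

if __name__ == "__main__":
    for name, (probe_loss, data_loss) in scenarios().items():
        print(f"{name:40s} monitor sees {probe_loss:.2f}, data actually lost {data_loss:.2f}")
```

Only the last scenario makes the monitor's number track the real loss; the two middle ones show that encryption alone is not enough when probe timing stays predictable.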
Stealth Probing
(Approach---continued)
(Figure: tunnel between ingress router and egress router)
Stealth Probing
(Primary Benefits)
• Non-intrusive (low overhead)
• Detects “delay attacks” (by measuring the
round-trip times of probing traffic)
• Prevents selective low-rate attacks that
target individual IP addresses (by hiding
the source and destination IP addresses of
data traffic)
• Mitigates attacks that exploit TCP (by
making the TCP mechanism “opaque”)
Stealth Probing
(Secondary Benefits)
• Encryption protects unencrypted host-to-host communications
• Fate-sharing between data traffic and
probes is broadly useful in network
troubleshooting
• Tunnels are useful in traffic engineering
Basic idea
• Fault localization without overburdening
the data plane:
– Terminal nodes monitor path availability
– Terminal nodes disclose faulty paths to a
designated network entity
– This entity “triangulates” adversarial nodes
and links from the collection of faulty paths
Byzantine Tomography
(Model)
Byzantine Tomography
(Approach)
• Byzantine tomography solves Minimum Hitting Set
Byzantine Tomography
(Basic Property)
• Output from Byzantine tomography is not
always accurate
• However, accuracy increases as fault
knowledge expands
• Therefore, the higher the adversary’s
impact, the more likely it is that the
adversary will be correctly detected
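As an added example (not the talk's code) of the localization step and of the "accuracy grows with fault knowledge" property, the block below computes the minimum hitting sets of the faulty paths disclosed so far and splits the suspects into links every minimum hitting set contains and links only some contain. The topology, the link names and the placement of the adversary on link C-D are constructed for the example.

```python
from itertools import combinations

def minimum_hitting_sets(faulty_paths):
    """All smallest link sets that intersect every reported faulty path.
    Exact search by increasing size: fine for the handful of links a
    domain reports, exponential in general (minimum hitting set is NP-hard)."""
    links = sorted(set().union(*faulty_paths))
    for k in range(1, len(links) + 1):
        hits = [set(c) for c in combinations(links, k)
                if all(set(c) & path for path in faulty_paths)]
        if hits:
            return hits
    return []

def localize(faulty_paths):
    """Split the suspects into links present in every minimum hitting set
    ('certain') and links present in only some of them ('ambiguous')."""
    hits = minimum_hitting_sets(faulty_paths)
    if not hits:
        return set(), set()
    certain = set.intersection(*hits)
    return certain, set.union(*hits) - certain

def progressive_localization(reports):
    """Re-run localization as terminal nodes disclose faulty paths one by one."""
    return [localize(reports[:n]) for n in range(1, len(reports) + 1)]

# Constructed topology: links named "X-Y"; the adversary sits on C-D and
# breaks stealth probing on every path crossing it. Terminal nodes report
# the failed paths to the designated entity in this order.
REPORTS = [
    {"A-C", "C-D", "D-F"},   # one failed path: any of its links could be at fault
    {"A-C", "C-D", "D-G"},   # shares A-C and C-D with the first: two suspects left
    {"B-C", "C-D", "D-H"},   # only C-D lies on all three paths
]

if __name__ == "__main__":
    for n, (certain, ambiguous) in enumerate(progressive_localization(REPORTS), 1):
        print(f"after {n} report(s): certain={sorted(certain)} ambiguous={sorted(ambiguous)}")
```

With one report the output is three equally plausible suspects; with three reports it is exactly the adversarial link, which is the property stated on the slide: the more paths the adversary disrupts, the fewer places it can hide.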
Secure Route Control
(Figure: stub AS A and stub AS B connected through several providers)
Secure Route Control (cont.)
(Figure: same topology, continued)
Related Work
• Perlman proposed encryption to make data and control
traffic indistinguishable
– Perlman proposed encryption at network links
– We extend this idea to network paths
• Mizrak et al. proposed Fatih as a secure data-plane
availability monitor
– Fatih requires clock synchronization
– Stealth probing does not rely on clock synchronization
• Several researchers have proposed data-plane
mechanisms for secure fault localization
– Byzantine tomography is a management-plane technique
Conclusion (1)
• Resilience was a top priority in the design of the
operational Internet but the threat model was
naïve (vis-à-vis today’s attacks)
• In future networks, we should expect to see
– better perimeter defense and
– in-depth defense
• secure routing protocols
• secure data forwarding
• Stealth probing is a secure availability monitor
that works by concealing probing traffic
Conclusion (2)
• We presented deployment scenarios of this
monitor in
– Intradomain routing and
– Interdomain routing
• Our ongoing work focuses on … :
– Intradomain case: … improving the accuracy of
Byzantine tomography
– Interdomain case: … investigating the benefits of
more flexible interdomain path selection schemes
Thank you
Questions