Max Schuchard

Losing control of the internet: using the data plane to attack the control plane

In this work, we introduce the Coordinated Cross Plane Session Termination, or CXPST, attack, a distributed denial of service attack that attacks the control plane of the Internet. CXPST extends previous work that demonstrates a vulnerability in routers that allows an adversary to disconnect a pair of routers using only data plane traffic. By carefully choosing BGP sessions to terminate, CXPST generates a surge of BGP updates that are seen by nearly all core routers on the Internet. This surge of updates surpasses the computational capacity of affected routers, crippling their ability to make routing decisions

Balancing the shadows

In this paper, we examine the ShadowWalker peer-to-peer anonymity scheme. ShadowWalker attempts to provide anonymity via circuits built using random walks over a secured topology. ShadowWalkers topology is secured through the use of shadows, peers that certify another nodes routing information. We demonstrate two flaws in ShadowWalker. First, an attacker can compromise the underlying topology of ShadowWalker as a result of an insufficient numbers of shadows. We show that the failure of the underlying topology directly results in the failure of ShadowWalker to provide anonymity guarantees. Second, the dependence on untrusted nodes to certify other nodes allows an attacker to launch a selective denial of service attack. We show that there is an inherent tension between protecting against these two attacks: weakening the first attack strengthens the second attack and vice versa. We introduce a mechanism that generalizes ShadowWalkers lookup defense, and show that this mechanism can be tuned to simultaneously provide strong protection against both these attacks. Last, we implement ShadowWalker and provide performance measurements from a prototype deployment on PlanetLab.

Peer Pressure: Exerting Malicious Influence on Routers at a Distance

Both academic research and historical incidents have shown that unstable BGP speakers can have extreme, undesirable impacts on network performance and reliability. Large amounts of time and energy have been invested in improving router stability. In this paper, we show how an adversary in control of a BGP speaker in a transit AS can cause a victim router in an arbitrary location on the Internet to become unstable. Through experimentation with both hardware and software routers, we examine the behavior of routers under abnormal conditions and come to three conclusions. First, that unexpected but perfectly legal BGP messages can place routers into those states with troubling ease. Second, that an adversary can implement attacks using these messages to disrupt the function of victim routers in arbitrary locations in the network. And third, modern best practices do not blunt the force of these attacks sufficiently. These conclusions lead us to recommend more rigorous testing of BGP implementations, focusing as much on protocol correctness as on software correctness.

POSTER: Why Are You Going That Way? Measuring Unnecessary Exposure of Network Traffic to Nation States

In this work, we examine to what extent the Internets routing infrastructure needlessly exposes network traffic to nations geographically irrelevant to packet transmission. We quantify what countries are geographically logical to see on a network path traveling between two nations through the use of convex hulls circumscribing major population centers, and then compare that to the nation states observed in utilized paths. Our preliminary results show that the majority of paths, 52%, unnecessarily expose traffic to at least one nation. We also explore which nation states are disproportionately allowed to observe and manipulate a larger fraction of Internet traffic than they otherwise should.

The Cost of the Path Not Taken

We consider the problem of estimating the latency of a feasible but unused Autonomous System-level path on the Internet. This problem arises in evaluating the overhead incurred by censorship and surveillance circumvention schemes that alter the Internet routing infrastructure, and the cost of attacks against such schemes. Since these paths are not advertised by the current routing infrastructure, they cannot be directly measured by end hosts, leading researchers to estimate the costs indirectly. Using traceroute measurements of observed Internet paths, we measure the accuracy of the two methods used in the literature to date, finding that these methods have poor accuracy and correlation, explaining as low as 3% of the variation in observed AS path latencies, and at most 42%. We also describe an improved method that can balance accuracy and path coverage. At the high end our estimator can explain up to 83% of variation in observed AS path latencies, while still being able to achieve 56% when maximizing the number of paths able to be estimated.