Similar literature
19 similar documents found.
1.
When exchanging routing information between domains on the Internet, inter-domain routers rely on BGP to complete the route exchange, but design flaws in BGP give rise to security problems such as prefix hijacking, route leaks and TCP denial-of-service attacks on the session. To address these weaknesses in BGP's design, this paper uses blockchain technology to design a lightweight BGP hijacking defence mechanism that is cheap to operate, comparatively secure, requires no change to the BGP protocol, and is easy to deploy and maintain. First, the original blockchain data structure is improved and a transaction index table is designed around the characteristics of BGP; second, the blockchain index table is used to query and update IP prefix ownership, which blocks follow-on attacks; finally, a credit-score mechanism assigns priority to the queue of transactions awaiting processing.

2.
Introduces the basics of Internet inter-domain routing, the basic concepts of AS (autonomous system) relationships and the security problems of BGP (Border Gateway Protocol); classifies BGP attacks, analyses each class of attack and the strategies for countering it under different AS relationships, and shows how an operator who knows its AS relationships well can respond to attacks effectively and contain their impact.

3.
The Internet is a very large network formed by interconnecting many autonomous systems, and BGP version 4 (BGP4) is its de facto routing protocol. BGP holds this central position mainly because of the following properties: reliability, stability, scalability and flexibility. BGP path attributes are a set of parameters that describe the characteristics of a BGP prefix. Because BGP is first of all a routing-policy tool, it makes extensive use of these attributes when influencing path selection. Using the attributes effectively is critical when designing an efficient BGP routing architecture.

4.
贾书娟, 耿登田. 《无线电工程》 (Radio Engineering), 2005, 35(4): 11-13, 31
BGP is a dynamic routing protocol used between autonomous systems on the Internet; its main function is to exchange network reachability information between autonomous systems. BGP is a path-vector protocol and uses TCP as its transport, which gives it reliable data delivery. BGP supports classless inter-domain routing (CIDR); supports rich policy configuration, including route aggregation and route filtering; supports multicast routing and VPN routing; and also supports extensions for parameters such as QoS. This paper mainly introduces the principles of BGP, the working process of the protocol software, and its application in engineering.

5.
RPKI Overview
As the Internet infrastructure that supports interconnection, the inter-domain routing system has a crucial influence on Internet security. Because BGP gives no guarantee that the content of a route announcement is authentic, both deliberate attacks and incorrect network configuration can lead to route hijacking. As the next Internet security infrastructure ICANN is focusing on deploying after DNSSEC, RPKI approaches the problem from the side of IP address resource management: it builds an authorisation and certification system for IP address resources that is used to verify whether an AS's route announcement for a specific IP prefix is legitimate, and it provides a trusted information source for inter-domain routing security schemes (for example S-BGP and BGPSEC). With RPKI deployment and operation in view, this paper first reviews the history of RPKI and then introduces its basic principles at three levels: technical elements, operating mechanism and standardisation work.
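
The prefix-origin check that RPKI makes possible is route origin validation (RFC 6811): each announced (prefix, origin AS) pair is compared with the ROAs that cover the prefix and classified as valid, invalid or not found. The Python below is an added worked example for this listing, not code from the paper or from any RPKI validator; its ROAs and announcements are constructed sample data, and the type and function names are the example's own.

```python
"""Route Origin Validation (RFC 6811) of BGP announcements against a ROA set."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # address block the holder authorised
    max_length: int   # longest prefix the origin may announce from that block
    asn: int          # authorised origin AS; AS0 means "no AS may originate this"


# Constructed sample ROAs (documentation prefixes and private ASNs, not real RPKI data).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 26, 64497),
    ROA("203.0.113.0/24", 24, 0),     # AS0 ROA: block is meant to stay unrouted
]


def covering_roas(prefix: str, roas):
    """ROAs whose prefix contains (or equals) the announced prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(roa)
    return out


def validate(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 outcome for one (prefix, origin AS) announcement:
    'notfound' if no ROA covers the prefix,
    'valid'    if some covering ROA names this origin and maxLength admits the prefix,
    'invalid'  otherwise (wrong origin, too-specific announcement, or AS0 ROA)."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def apply_rov(announcements, roas=ROAS, drop_invalid=True):
    """Filter (prefix, origin AS) announcements the way a router applying ROV would:
    invalid ones are dropped, notfound ones are kept (RPKI coverage is partial)."""
    kept = []
    for prefix, origin in announcements:
        state = validate(prefix, origin, roas)
        if state == "invalid" and drop_invalid:
            continue
        kept.append((prefix, origin, state))
    return kept


# Constructed announcements: the legitimate routes, a sub-prefix hijack, an
# origin hijack, an announcement of the AS0 block, and an uncovered prefix.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.128/25", 64496),       # more specific than maxLength 24 -> invalid
    ("198.51.100.0/24", 64511),      # origin not in any covering ROA -> invalid
    ("198.51.100.64/26", 64497),     # within maxLength 26 -> valid
    ("203.0.113.0/24", 64496),       # AS0 ROA -> invalid for every origin
    ("10.0.0.0/8", 64496),           # no ROA -> notfound, still accepted
]

if __name__ == "__main__":
    for prefix, origin, state in apply_rov(ANNOUNCEMENTS):
        print(f"accept {prefix} from AS{origin}: {state}")
```

The 'notfound' outcome is the operational caveat: while ROA coverage is partial, a router applying ROV can only drop invalids, so a hijack of a prefix that has no ROA still propagates. A valid result also says nothing about the rest of the AS path; that is the gap S-BGP and BGPSEC are meant to close.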

7.
BGP is the inter-network routing protocol used on today's Internet and is also the routing protocol adopted between the broadcasting backbone data platform and ISP operators; between different autonomous domains it performs important functions such as inter-network route selection and policy control. This paper analyses in detail BGP's transitions between its various states, and further examines the situations that can drive the protocol into an abnormal state.

8.
Vulnerabilities of the inter-domain routing system and countermeasures   Cited by: 1 (self-citations: 0, by others: 1)
The inter-domain routing system is critical Internet infrastructure, yet it faces serious security challenges. This paper analyses the vulnerabilities of the inter-domain routing protocol BGP (Border Gateway Protocol), builds an attack model for the inter-domain routing system, describes link-based and router-node-based attack patterns against it and points out the damage these attacks can cause; it then discusses security countermeasures currently in use or under research and compares the performance of two of them, route filtering mechanisms and protocol extensions.

9.
BGP is a dynamic inter-AS routing protocol widely used in the core IP networks of the major telecom operators; its basic function is to exchange loop-free routing information automatically between autonomous systems. Today BGP is used not only in national and provincial networks: many large metropolitan area networks also use BGP to connect to the provincial network. As is well known, inside an autonomous system, whether with static routes or an IGP such as OSPF, as long as a router holds several equal-metric routes to the same network segment it load-shares the traffic to that segment across those links. In a network of peering autonomous systems running BGP, when a border router receives several BGP routes to the same destination network, the BGP best-path algorithm selects a single best route and uses only that route to…

10.
张圣林, 刘莹. 《通信学报》 (Journal on Communications), 2013, 34(Z2): 5-22
An AS (autonomous system) path loop means that the same AS number appears in an AS path at two or more non-adjacent positions. By processing and analysing the global routing data collected by RouteViews, this paper counts the number of AS path loops occurring each day in IPv4 and IPv6 from 1 June 2011 to 31 May 2013 and their share of all routing entries. It also gives the distribution of AS path loop durations and of the affected prefix lengths. From these statistics it analyses the causes of AS path loops (inconsistent routing information, multinational enterprises, and intentional or unintentional misconfiguration) and offers recommendations for BGP configuration.
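
The definition above (the same ASN at two or more non-adjacent positions, as distinct from the adjacent repeats produced by prepending) can be checked directly against AS_PATH strings. The Python below is an added example, not the authors' analysis code; the RIB records are constructed in a simplified 'prefix|as_path' form rather than the MRT format RouteViews actually publishes, and the function names are the example's own.

```python
"""Detect AS-path loops (non-adjacent repeats of an ASN) in textual BGP AS_PATHs."""
import re
from collections import Counter


def parse_as_path(path: str):
    """Split an AS_PATH string into hops. Each hop is a frozenset of ASNs: one
    member for an AS_SEQUENCE element, several for an AS_SET written '{a,b}'."""
    hops = []
    for tok in re.findall(r"\{[^}]*\}|\d+", path):
        members = re.findall(r"\d+", tok) if tok.startswith("{") else [tok]
        hops.append(frozenset(int(a) for a in members))
    return hops


def collapse_prepending(hops):
    """Merge runs of identical consecutive hops: 'A A A B' -> 'A B'.
    Prepending repeats an ASN in adjacent positions and is not a loop."""
    out = []
    for hop in hops:
        if not out or out[-1] != hop:
            out.append(hop)
    return out


def find_loops(path: str) -> set:
    """ASNs that occur in two non-adjacent hops after prepending is collapsed;
    this is the paper's definition of an AS path loop."""
    positions = {}
    for i, hop in enumerate(collapse_prepending(parse_as_path(path))):
        for asn in hop:
            positions.setdefault(asn, []).append(i)
    return {asn for asn, idx in positions.items()
            if any(b - a > 1 for a, b in zip(idx, idx[1:]))}


def has_loop(path: str) -> bool:
    return bool(find_loops(path))


# Constructed "prefix|as_path" records standing in for a RouteViews RIB dump
# (this is not the real MRT format and the paths are not real data).
SAMPLE_RIB = """\
192.0.2.0/24|64496 64497 64498
198.51.100.0/24|64496 64497 64497 64497 64498
203.0.113.0/24|64496 64499 64496 64500
203.0.113.128/25|64496 {64501,64502} 64503 64501
2001:db8::/32|64496 64504 64505
"""


def loop_stats(rib_text: str) -> dict:
    """Count looped entries, their share of all entries, and the prefix-length
    distribution of looped prefixes, as the paper does per day."""
    total = 0
    looped = []
    by_prefix_length = Counter()
    for line in rib_text.strip().splitlines():
        prefix, path = line.split("|", 1)
        total += 1
        loops = find_loops(path)
        if loops:
            looped.append((prefix, sorted(loops)))
            by_prefix_length[int(prefix.rsplit("/", 1)[1])] += 1
    return {
        "total": total,
        "looped": len(looped),
        "fraction": len(looped) / total if total else 0.0,
        "entries": looped,
        "by_prefix_length": dict(by_prefix_length),
    }


if __name__ == "__main__":
    for prefix, asns in loop_stats(SAMPLE_RIB)["entries"]:
        print(f"{prefix}: loop through AS {asns}")
```

Collapsing prepending first is what keeps the count honest: a path such as '64497 64497 64497' is a deliberate traffic-engineering signal, not a loop, while '64496 64499 64496' means the same AS received its own announcement back, which normal AS_PATH loop prevention should have rejected.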

11.
IP prefix hijacking is a major threat to the security of the Internet routing system owing to the lack of authoritative prefix ownership information. Despite many efforts to design IP prefix hijack detection schemes, no existing design satisfies all the critical requirements of a truly effective system, i.e. being real-time, deployable and robust. In this paper, we present a novel approach that detects IP prefix hijacking in the current Internet environment. The focus of this work is on leaving the Border Gateway Protocol routing infrastructure as it is and not relying on mutual cooperation, so as to ensure ease of deployment. In addition, we fingerprint two autonomous systems that announce the same IP prefix in order to distinguish hijacking events from legitimate routing updates. This paper proposes a practical and deployable IP prefix hijacking detection algorithm that uses live hosts on the Internet. Copyright © 2012 John Wiley & Sons, Ltd.

12.
The routing scalability problems of the existing network architecture are becoming increasingly serious. A multipath inter-domain routing scheme based on path identifiers has been proposed that can improve the scalability and reliability of inter-domain routing, but that work remained at the theoretical stage. This paper develops and implements the path-identifier-based multipath routing protocol: it analyses the module structure of, and develops, the control plane of the inter-domain routing protocol BGP and the Linux-kernel-based forwarding plane, and carries out functional tests. The results show that the developed system implements path-identifier routing and multipath routing.

13.
It is well known that today's inter-domain routing protocol, the Border Gateway Protocol (BGP), converges slowly during network failures. During the convergence period, widespread temporary bursts of packet loss occur, caused by route loops or blackholes. In this paper, we present a Protection Tunnel based Rerouting (PTR) mechanism, a novel scheme for delivering packets continuously during the convergence period. PTR pre-establishes protection tunnels among routers. Once an inter-domain link fails, routers redirect the affected packets along a protection tunnel to a router that has a valid path to the destination. Packets can therefore be forwarded continuously even when they would otherwise traverse a failed link. The performance of PTR is evaluated by simulation. The results demonstrate that PTR is more resilient to link failures than BGP, and that the cost it introduces is small and acceptable.

14.
On inferring autonomous system relationships in the Internet   Cited by: 4 (self-citations: 0, by others: 4)
The Internet consists of a rapidly increasing number of hosts interconnected by constantly evolving networks of links and routers. Interdomain routing in the Internet is coordinated by the Border Gateway Protocol (BGP). BGP allows each autonomous system (AS) to choose its own administrative policy in selecting routes and propagating reachability information to others. These routing policies are constrained by the contractual commercial agreements between administrative domains. For example, an AS sets its policy so that it does not provide transit services between its providers. Such policies imply that AS relationships are an important aspect of the Internet structure. We propose an augmented AS graph representation that classifies AS relationships into customer-provider, peering, and sibling relationships. We classify the types of routes that can appear in BGP routing tables based on the relationships between the ASs in the path and present heuristic algorithms that infer AS relationships from BGP routing tables. The algorithms are tested on publicly available BGP routing tables. We verify our inference results with AT&T internal information on its relationships with neighboring ASs. As much as 99.1% of our inference results are confirmed by the AT&T internal information. We also verify our inferred sibling relationships with the information acquired from the WHOIS lookup service. More than half of our inferred sibling-to-sibling relationships are confirmed by the WHOIS lookup service. To the best of our knowledge, there has been no publicly available information about AS relationships and this is the first attempt at understanding and inferring AS relationships in the Internet. We show evidence that some routing table entries stem from router misconfigurations.
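
The paper's first inference step can be reproduced on a small path set: the highest-degree AS on each path is taken as the top provider, every link before it is read as customer-to-provider and every link after it as provider-to-customer, and a pair observed providing transit in both directions becomes a sibling pair. Checking a path against the resulting uphill/peer/downhill pattern is also how a route that violates the commercial relationships (a leak) is spotted, which is the route classification the abstract refers to. The Python below is an added example written for this listing, not the authors' code; the paths are constructed, the peering-inference refinement is omitted, and the names are the example's own.

```python
"""Infer AS relationships from AS paths with the degree-based transit heuristic,
then check paths against the resulting valley-free pattern."""
from collections import Counter, defaultdict

# Constructed AS paths (ASNs from the documentation range, not real RouteViews data).
# 64520 is the hub every path climbs to; 64510 and 64511 each appear upstream of the other.
PATHS = [
    [64500, 64510, 64520, 64530],
    [64501, 64510, 64520, 64531],
    [64502, 64511, 64520, 64530],
    [64503, 64511, 64520, 64531],
    [64501, 64510, 64520, 64532, 64540],
    [64510, 64511, 64520, 64532],
    [64511, 64510, 64520, 64530],
]


def strip_prepending(path):
    return [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]


def as_degrees(paths) -> dict:
    neighbours = defaultdict(set)
    for p in map(strip_prepending, paths):
        for u, v in zip(p, p[1:]):
            neighbours[u].add(v)
            neighbours[v].add(u)
    return {asn: len(n) for asn, n in neighbours.items()}


def infer_relationships(paths) -> dict:
    """Return {(u, v): 'c2p' | 'p2c' | 's2s'} for every observed adjacency.
    Heuristic: in each path the highest-degree AS is the top provider; links
    before it go customer->provider, links after it go provider->customer.
    A pair seen providing transit in both directions is labelled sibling.
    Peering (p2p) inference, the paper's later refinement, is omitted here."""
    degree = as_degrees(paths)
    transit = Counter()  # transit[(u, v)]: v observed providing transit to u
    for p in map(strip_prepending, paths):
        top = max(range(len(p)), key=lambda i: degree[p[i]])
        for i in range(top):
            transit[(p[i], p[i + 1])] += 1
        for i in range(top, len(p) - 1):
            transit[(p[i + 1], p[i])] += 1
    rel = {}
    for (u, v) in list(transit):
        if (u, v) in rel:
            continue
        if transit[(v, u)] > 0:
            rel[(u, v)] = rel[(v, u)] = "s2s"
        else:
            rel[(u, v)], rel[(v, u)] = "c2p", "p2c"
    return rel


def is_valley_free(path, rel: dict) -> bool:
    """Valid export pattern: uphill (c2p or s2s)*, at most one p2p, then downhill
    (p2c or s2s)*. Any climb after a peer or provider-to-customer step is a
    valley, i.e. a route the intermediate AS should not have exported."""
    state = "up"
    for u, v in zip(path, path[1:]):
        r = rel.get((u, v))
        if r is None:
            return False          # unknown link: cannot vouch for the path
        if r == "s2s":
            continue
        if r == "c2p":
            if state != "up":
                return False
        elif r == "p2p":
            if state != "up":
                return False
            state = "peer"
        elif r == "p2c":
            state = "down"
    return True


if __name__ == "__main__":
    rel = infer_relationships(PATHS)
    for (u, v), kind in sorted(rel.items()):
        print(f"AS{u} -> AS{v}: {kind}")
```

The degree heuristic is only as good as the vantage points: an AS that looks like the highest-degree node from one collector may be a stub from another, which is why the paper validates against AT&T's internal records rather than trusting the inference outright.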

15.
Despite the architectural separation between intradomain and interdomain routing in the Internet, intradomain protocols do influence the path-selection process in the Border Gateway Protocol (BGP). When choosing between multiple equally good BGP routes, a router selects the one with the closest egress point, based on the intradomain path cost. Under such hot-potato routing, an intradomain event can trigger BGP routing changes. To characterize the influence of hot-potato routing, we propose a technique for associating BGP routing changes with events visible in the intradomain protocol, and apply our algorithm to a tier-1 ISP backbone network. We show that (i) BGP updates can lag 60 seconds or more behind the intradomain event; (ii) the number of BGP path changes triggered by hot-potato routing has a nearly uniform distribution across destination prefixes; and (iii) the fraction of BGP messages triggered by intradomain changes varies significantly across time and router locations. We show that hot-potato routing changes lead to longer delays in forwarding-plane convergence, shifts in the flow of traffic to neighboring domains, extra externally visible BGP update messages, and inaccuracies in Internet performance measurements.
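
Items 9 and 15 both hinge on the BGP decision process: it picks exactly one route per prefix, and when routes tie on every BGP attribute the IGP cost to the NEXT_HOP decides, so an intradomain metric change can flip the choice and emit a BGP update. The Python below is an added example, not code from either paper or from any router implementation; the routes and IGP metrics are constructed, MED handling is simplified as noted in the comments, and the names are the example's own.

```python
"""BGP best-path selection with the IGP-cost (hot-potato) step made explicit."""
from dataclasses import dataclass
from typing import Optional

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str             # BGP NEXT_HOP, resolved through the IGP
    as_path: tuple            # AS_PATH as a tuple of ASNs, neighbour AS first
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0
    ebgp: bool = False        # learned from an eBGP peer (preferred over iBGP)
    peer_id: str = "0.0.0.0"  # advertising router's BGP identifier, final tie-break


def _ip_key(addr: str) -> tuple:
    return tuple(int(o) for o in addr.split("."))


def _decision_key(route: Route, igp: dict, compare_med: bool) -> tuple:
    """Ordering used by the decision process; smaller is better.
    Steps: LOCAL_PREF, AS_PATH length, ORIGIN, MED, eBGP over iBGP,
    IGP cost to NEXT_HOP (hot potato), lowest peer BGP identifier."""
    return (
        -route.local_pref,
        len(route.as_path),
        ORIGIN_RANK[route.origin],
        route.med if compare_med else 0,
        0 if route.ebgp else 1,
        igp[route.next_hop],
        _ip_key(route.peer_id),
    )


def select_best(routes, igp: dict) -> Optional[Route]:
    """Return the single best route for one prefix, or None if no NEXT_HOP is reachable.
    `igp` maps NEXT_HOP address -> IGP metric; an absent key means unreachable.
    Simplification: MED is compared only when every usable route comes from the
    same neighbour AS (RFC 4271 compares MED only between such routes)."""
    usable = [r for r in routes if r.next_hop in igp]
    if not usable:
        return None
    compare_med = len({r.as_path[0] for r in usable}) == 1
    return min(usable, key=lambda r: _decision_key(r, igp, compare_med))


def multipath_candidates(routes, igp: dict):
    """Routes that tie with the best on every step before the final identifier
    tie-break; these are what a BGP multipath configuration would install together."""
    best = select_best(routes, igp)
    if best is None:
        return []
    usable = [r for r in routes if r.next_hop in igp]
    compare_med = len({r.as_path[0] for r in usable}) == 1
    best_key = _decision_key(best, igp, compare_med)[:-1]
    return [r for r in usable if _decision_key(r, igp, compare_med)[:-1] == best_key]


def hot_potato_shift(routes, igp_before: dict, igp_after: dict):
    """Show an intradomain (IGP) metric change flipping the BGP best path.
    Returns (best before, best after, whether a BGP update would result)."""
    before = select_best(routes, igp_before)
    after = select_best(routes, igp_after)
    return before, after, before != after


# Constructed example: two iBGP routes for the same prefix that tie on all
# BGP attributes, learned from two egress routers A (10.0.0.1) and B (10.0.0.2).
ROUTES = [
    Route("203.0.113.0/24", next_hop="10.0.0.1", as_path=(64500, 64510), peer_id="10.0.0.1"),
    Route("203.0.113.0/24", next_hop="10.0.0.2", as_path=(64500, 64510), peer_id="10.0.0.2"),
]
IGP_BEFORE = {"10.0.0.1": 10, "10.0.0.2": 20}   # egress A is closer
IGP_AFTER = {"10.0.0.1": 30, "10.0.0.2": 20}    # a link-cost change makes B closer

if __name__ == "__main__":
    b, a, changed = hot_potato_shift(ROUTES, IGP_BEFORE, IGP_AFTER)
    print(f"egress before: {b.next_hop}, after: {a.next_hop}, BGP update: {changed}")
```

Run stand-alone it prints the egress before and after the IGP change; nothing about the prefix or its BGP attributes moved, yet the router would re-advertise. `multipath_candidates` shows the item 9 point from the other side: only when routes still tie after the IGP-cost step would a multipath configuration install more than one, otherwise the single winner carries all the traffic.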

16.
Inter-domain path computation is a major issue in multi-domain networks. The Hierarchical Path Computation Element (H-PCE) is a semi-centralized architecture for computing inter-domain paths. To support H-PCE in inter-domain path computation, this paper proposes a topology aggregation scheme that abstracts the edge nodes and the inter-domain link connecting them into a single vertex, in order to obtain better paths while preserving the confidentiality of each domain's topology. The effectiveness of the scheme is demonstrated by simulation on wavelength routing in multi-domain Wavelength Division Multiplexing (WDM) networks. The simulation results show that this scheme reduces the inter-domain blocking probability by at least 10% compared with the traditional Domain-to-the-Node (DtN) scheme.

17.
This paper studies the security of SE-BGP and finds through analysis that the mechanism has a security flaw: it cannot resist active attacks launched by legitimate participants. To overcome this flaw, a new BGP security mechanism, SA-BGP, is designed around the idea of AS alliances using an RSA-based aggregate signature algorithm. The mechanism is more secure: it can effectively verify the correctness of the Network Layer Reachability Information (NLRI) announced by an AS and the authenticity of the path attributes an AS announces, and it greatly reduces both the total number of certificates in the network and the number a single node must store. Simulation shows that, compared with security mechanisms of the same level, SA-BGP has less impact on the network and converges faster.

18.
The explosive growth of Internet traffic, combined with its inherent burstiness, is making traffic imbalance in the network increasingly serious. Lacking a view of the whole network's topology and of global traffic, conventional BGP can only follow the standard BGP path-selection rules and falls short in traffic scheduling and load balancing. To address these limitations, an RR+-based traffic scheduling system for the Internet backbone was developed and applied to the ChinaNet backbone in several traffic optimisation scenarios: intra-network trunks, inter-network interconnection exits and IDC exits. Going further, an SDN-based inter-domain routing architecture is proposed in which BGP routes are exchanged between inter-domain controllers, so that the BGP protocol need not run within or between domains; this greatly simplifies the network's protocols and enables flexible traffic scheduling and load balancing.

19.
Li Teng, Ma JianFeng, Sun Cong. Wireless Networks, 2019, 25(4): 1731-1747

In the route discovery phase of Mobile Ad hoc Networks (MANETs), the source node tries to find a fast and secure path over which to transmit data. Adversaries, however, attempt to gain control of routing during this phase, after which the network can easily be paralysed during the data transmission phase. Finding a good path during route discovery is already a challenge, and verifying the security of the established path without revealing any private information about the nodes adds a new dimension to the problem. In this paper, we present SRDPV, an approach that helps the source find the benign destination dynamically and performs privacy-preserving verification of the path. Our approach first finds the benign destination. It then spreads the verification tasks across multiple nodes and verifies the log entries without revealing the nodes' private data. Unlike traditional debugging systems that detect faulty or misbehaving nodes after an attack, SRDPV guarantees from the outset that the source avoids transmitting data through malicious nodes, and performs the verification without introducing a third party. We demonstrate the effectiveness of the approach by applying SRDPV in two scenarios: resisting the collaborative black-hole attack on the AODV protocol, and detecting injected malicious intermediate routers that mount active and passive attacks in MANETs. We compared our approach with existing secure routing algorithms; the results show that it detects the malicious nodes and that the overhead of SRDPV is moderate.


Copyright © 北京勤云科技发展有限公司 (Beijing Qinyun Technology Development Co., Ltd.)    京ICP备09084417号-23
