research-article

Automatic creation of VPN backup paths for improved resilience against BGP-attackers

Authors:

Michael Rossberg,

Guenter SchaeferAuthors Info & Claims

SAC '12: Proceedings of the 27th Annual ACM Symposium on Applied Computing

Pages 613 - 620

https://doi.org/10.1145/2245276.2245394

Published: 26 March 2012 Publication History

Abstract

Virtual private networks (VPNs) play an integral role in corporate and governmental communication systems nowadays. As such they are by definition an exposed target for attacks on the availability of whole communication infrastructures. A comparably effective way to disturb VPNs is the announcement of the involved IP address ranges by compromised BGP routers. Since in the foreseeable future criminals may focus on such attacks, this article discusses the intelligent creation of backup paths in the context of VPNs as a countermeasure. The proposed system is evaluated in simulations as well as in a prototypic environment.

References

[1]

The Cooperative Association for Internet Data Analysis (CAIDA), 2011.

[2]

D. Andersen, H. Balakrishnan, F. Kaashoek, and R. Morris. Resilient Overlay Networks. In SOSP '01: Proceedings of the eighteenth ACM symposium on Operating systems principles, pages 131--145, 2001.

Digital Library

[3]

D. Andersen, A. Snoeren, and H. Balakrishnan. Best-path vs. multi-path overlay routing. In Proceedings of the 3rd ACM SIGCOMM Conference on Internet Measurement, pages 91--100. ACM, 2003.

Digital Library

[4]

D. G. Andersen, H. Balakrishnan, M. F. Kaashoek, and R. Morris. The Case for Resilient Overlay Networks. In Proc. of the 8th Annual Workshop on Hot Topics in Operating Systems, pages 152--157, 2001.

Digital Library

[5]

A. Collins. The Detour Framework for Packet Rerouting. PhD thesis, University of Washington, 1998.

[6]

T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein. Introduction to algorithms, chapter 15.4 Longest Common Subsequence, pages 390--397. The MIT press, 3rd edition, 2009.

[7]

J. Cowie, A. Ogielski, B. Premore, and Y. Yuan. Internet worms and global routing instabilities. In Proceedings of SPIE, volume 4868, page 195, 2002.

[8]

D. Danchev. Coordinated Russia vs Georgia cyber attack in progress, Aug. 2008.

[9]

Forrester Consulting. The Trends And Changing Landscape Of DDoS Threats And Protection, July 2009.

[10]

P. B. Gentry. What is a VPN? Information Security Technical Report, 6(1): 15--22, 2001.

[11]

C. Labovitz, A. Ahuja, A. Bose, and F. Jahanian. Delayed Internet routing convergence. ACM SIGCOMM Computer Communication Review, 30(4): 175--187, 2000.

Digital Library

[12]

V. Levenshtein. Binary codes capable of correcting deletions, insertions, and reversals. Soviet Physics Doklady, 10: 707--710, 1966.

[13]

S. Mansfield-Devine. Anonymous: serious threat or mere annoyance? Network Security, 2011(1): 4--10, 2011.

Digital Library

[14]

R. Musunuri and J. A. Cobb. An overview of solutions to avoid persistent BGP divergence. IEEE Network, 19(6): 28--34, 2005.

Digital Library

[15]

A. Nakao, L. Peterson, and A. Bavier. A routing underlay for overlay networks. In Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, pages 11--18. ACM, 2003.

Digital Library

[16]

V. Paxson. End-to-end routing behavior in the internet. SIGCOMM Comput. Commun. Rev., 26(4): 25--38, August 1996.

Digital Library

[17]

V. Paxson. End-to-end internet packet dynamics. SIGCOMM Comput. Commun. Rev., 27(4): 139--152, October 1997.

Digital Library

[18]

M. Rossberg, G. Schaefer, and T. Strufe. Distributed Automatic Configuration of Complex IPsec-Infrastructures. Journal of Network and Systems Management, 18(3): 300--326, 2010.

Digital Library

[19]

S. Savage, T. Anderson, A. Aggarwal, D. Becker, N. Cardwell, A. Collins, E. Hoffman, J. Snell, A. Vahdat, G. Voelker, et al. Detour: Informed Internet Routing and Transport. IEEE Micro, 19(1): 50--59, 1999.

Digital Library

[20]

S. Savage, A. Collins, E. Hoffman, J. Snell, and T. Anderson. The End-to-End Effects of Internet Path Selection. Computer Communication Review, 29(4): 289--299, 1999.

Digital Library

[21]

D. Sontag, Y. Zhang, A. Phanishayee, D. G. Andersen, and D. Karger. Scaling All-Pairs Overlay Routing. In Proceedings of the 5th international conference on Emerging networking experiments and technologies (CoNEXT), pages 145--156, 2009.

Digital Library

Cited By

Wubbeling MMeier M(2016)Improved Calculation of aS Resilience against IP Prefix Hijacking2016 IEEE 41st Conference on Local Computer Networks Workshops (LCN Workshops)10.1109/LCN.2016.037(121-128)Online publication date: Nov-2016
https://doi.org/10.1109/LCN.2016.037
Backhaus MSchafer G(2016)Backup paths for multiple demands in overlay networks2016 Global Information Infrastructure and Networking Symposium (GIIS)10.1109/GIIS.2016.7814941(1-8)Online publication date: Oct-2016
https://doi.org/10.1109/GIIS.2016.7814941

Index Terms

Automatic creation of VPN backup paths for improved resilience against BGP-attackers

Recommendations

Towards a denial-of-service resilient design of complex IPsec overlays
ICC'09: Proceedings of the 2009 IEEE international conference on Communications

By monitoring the exchanged IPsec traffic an adversary can usually easily discover the layout of virtual private networks (VPNs). Of even worse extend is the disclosure if compromised IPsec gateways are considered, for example in remote environments. ...
A First Joint Look at DoS Attacks and BGP Blackholing in the Wild
IMC '18: Proceedings of the Internet Measurement Conference 2018

BGP blackholing is an operational countermeasure that builds upon the capabilities of BGP to achieve DoS mitigation. Although empirical evidence of blackholing activities are documented in literature, a clear understanding of how blackholing is used in ...
Region-based BGP announcement filtering for improved BGP security
ASIACCS '10: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security

BGP prefix hijacking is a serious security threat on the Internet. In this paper we propose a region-based BGP announcement filtering scheme (RBF) to improve the BGP security. In contrast to existing solutions that indifferently prevent or detect prefix ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

SAC '12: Proceedings of the 27th Annual ACM Symposium on Applied Computing

March 2012

2179 pages

ISBN:9781450308571

DOI:10.1145/2245276

Conference Chairs:
Sascha Ossowski
University Rey Juan Carlos, Spain
,
Paola Lecca
The Microsoft Research - University of Trento COSBI, Italy

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGAPP: ACM Special Interest Group on Applied Computing

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 26 March 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

SAC 2012

Sponsor:

SIGAPP

SAC 2012: ACM Symposium on Applied Computing

March 26 - 30, 2012

Trento, Italy

Acceptance Rates

SAC '12 Paper Acceptance Rate 270 of 1,056 submissions, 26%;

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
225
Total Downloads

Downloads (Last 12 months)1
Downloads (Last 6 weeks)1

Reflects downloads up to 03 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Wubbeling MMeier M(2016)Improved Calculation of aS Resilience against IP Prefix Hijacking2016 IEEE 41st Conference on Local Computer Networks Workshops (LCN Workshops)10.1109/LCN.2016.037(121-128)Online publication date: Nov-2016
https://doi.org/10.1109/LCN.2016.037
Backhaus MSchafer G(2016)Backup paths for multiple demands in overlay networks2016 Global Information Infrastructure and Networking Symposium (GIIS)10.1109/GIIS.2016.7814941(1-8)Online publication date: Oct-2016
https://doi.org/10.1109/GIIS.2016.7814941

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents