Border Gateway Protocol(BGP)is a standard inter-domain routing protocol for the Internet that conveys network layer reachability information and establishes routes to different destinations.The BGP protocol exhibits s...Border Gateway Protocol(BGP)is a standard inter-domain routing protocol for the Internet that conveys network layer reachability information and establishes routes to different destinations.The BGP protocol exhibits security design defects,such as an unconditional trust mechanism and the default acceptance of BGP route announcements from peers by BGP neighboring nodes,easily triggering prefix hijacking,path forgery,route leakage,and other BGP security threats.Meanwhile,the traditional BGP security mechanism,relying on a public key infrastructure,faces issues like a single point of failure and a single point of trust.The decentralization,anti-tampering,and traceability advantages of blockchain offer new solution ideas for constructing secure and trusted inter-domain routing mechanisms.In this paper,we summarize the characteristics of BGP protocol in detail,sort out the BGP security threats and their causes.Additionally,we analyze the shortcomings of the traditional BGP security mechanism and comprehensively evaluate existing blockchain-based solutions to address the above problems and validate the reliability and effectiveness of blockchain-based BGP security methods in mitigating BGP security threats.Finally,we discuss the challenges posed by BGP security problems and outline prospects for future research.展开更多
中间人攻击是网络攻击的一种常用手段,其中超文本传输安全(Hypertext Transfer Protocol Secure,HTTPS)协议的中间人攻击危害较大,已有检测方法主要面向单客户端,以证书匹配验证为主要手段,部署成本和性能开销较高。通过分析SSL(Secure ...中间人攻击是网络攻击的一种常用手段,其中超文本传输安全(Hypertext Transfer Protocol Secure,HTTPS)协议的中间人攻击危害较大,已有检测方法主要面向单客户端,以证书匹配验证为主要手段,部署成本和性能开销较高。通过分析SSL(Secure Sockets Layer)握手阶段的密钥协商、证书验证等关键报文,提出基于时间特征的HTTPS中间人攻击检测方法,从流量角度提供了一种检测思路,具有更广泛的适用场景。实验结果表明,该方法在互联网环境测试数据集下具有较高的准确率。展开更多
The border gateway protocol (BGP) is the default inter domain routing protocol used on the internet for exchanging information between autonomous systems. Available literature suggests that BGP is vulnerable to sessio...The border gateway protocol (BGP) is the default inter domain routing protocol used on the internet for exchanging information between autonomous systems. Available literature suggests that BGP is vulnerable to session hijacking attacks. There are a number of proposals aimed at improving BGP security which have not been fully implemented. This paper examines a number of approaches for securing BGP through a comparative study and identifies the reasons why these proposals have not been implemented commercially. This paper analyses the architecture of internet routing and the design of BGP while focusing on the problem of BGP session hijacking attacks. Using Graphical Network Simulator 3 (GNS-3), a session hijack is demonstrated and a solution which involves the implementation of route filtering, policy-maps and route-maps on CISCO routers representing ASes is carried out. In the end, a workable industry standard framework for securing and protecting BGP sessions and border routers from exploitation with little or no modification to the existing routing infrastructure is demonstrated.展开更多
Traffic hijacking is a common attack perpetrated on networked systems, where attackers eavesdrop on user transactions, manipulate packet data, and divert traffic to illegitimate locations. Similar attacks can also be ...Traffic hijacking is a common attack perpetrated on networked systems, where attackers eavesdrop on user transactions, manipulate packet data, and divert traffic to illegitimate locations. Similar attacks can also be unleashed in a NoC (Network on Chip) based system where the NoC comes from a third-party vendor and can be engrafted with hardware Trojans. Unlike the attackers on a traditional network, those Trojans are usually small and have limited capacity. This paper targets such a hardware Trojan;Specifically, the Trojan aims to divert traffic packets to unauthorized locations on the NoC. To detect this kind of traffic hijacking, we propose an authentication scheme in which the source and destination addresses are tagged. We develop a custom design for the packet tagging and authentication such that the implementation costs can be greatly reduced. Our experiments on a set of applications show that on average the detection circuitry incurs about 3.37% overhead in area, 2.61% in power, and 0.097% in performance when compared to the baseline design.展开更多
The gradual deployment of Low-Earth Orbit(LEO)mega constellations with inter-satellite links(ISLs)promises ubiquitous,low-latency,and high-throughput satellite network services.However,networked LEO satellites with IS...The gradual deployment of Low-Earth Orbit(LEO)mega constellations with inter-satellite links(ISLs)promises ubiquitous,low-latency,and high-throughput satellite network services.However,networked LEO satellites with ISLs are also at risk of routing attacks such as hijacking.Existing defenses against route hijacking in terrestrial networks can hardly work for the LEO satellite network due to its high spatiotemporal dynamics.To deal with it,we propose RPD,a high-risk routing path detection method for LEO mega-constellation networks.RPD detects abnormal high-risk LEO network paths by checking the consistency between the path delay and the geographical distance.This is efficiently achieved by combining in-band measurements and out-of-band statistical processing to detect the anomaly of the clustering feature in the reference delay matrix.RPD avoids the recalculation of the header cryptographic marks when the handover occurs,thus greatly reducing the cost and improving the performance of highrisk path detection.Experiments showed that the proposed RPD mechanism achieves an average detection accuracy of 91.64%under normal network conditions,and maintain about 89%even when congestion occurs in multiple areas of the network and measurement noise is considered.In addition,RPD does not require any cryptographic operation on the intermediate node,only minimal communication cost with excellent scalability and deployability.展开更多
基金the National Natural Science Foundation of China,GrantNumbers(62272007,62001007)the Natural Science Foundation of Beijing,GrantNumbers(4234083,4212018)The authors also acknowledge the support from King Khalid University for funding this research through the Large Group Project under Grant Number RGP.2/373/45.
文摘Border Gateway Protocol(BGP)is a standard inter-domain routing protocol for the Internet that conveys network layer reachability information and establishes routes to different destinations.The BGP protocol exhibits security design defects,such as an unconditional trust mechanism and the default acceptance of BGP route announcements from peers by BGP neighboring nodes,easily triggering prefix hijacking,path forgery,route leakage,and other BGP security threats.Meanwhile,the traditional BGP security mechanism,relying on a public key infrastructure,faces issues like a single point of failure and a single point of trust.The decentralization,anti-tampering,and traceability advantages of blockchain offer new solution ideas for constructing secure and trusted inter-domain routing mechanisms.In this paper,we summarize the characteristics of BGP protocol in detail,sort out the BGP security threats and their causes.Additionally,we analyze the shortcomings of the traditional BGP security mechanism and comprehensively evaluate existing blockchain-based solutions to address the above problems and validate the reliability and effectiveness of blockchain-based BGP security methods in mitigating BGP security threats.Finally,we discuss the challenges posed by BGP security problems and outline prospects for future research.
文摘The border gateway protocol (BGP) is the default inter domain routing protocol used on the internet for exchanging information between autonomous systems. Available literature suggests that BGP is vulnerable to session hijacking attacks. There are a number of proposals aimed at improving BGP security which have not been fully implemented. This paper examines a number of approaches for securing BGP through a comparative study and identifies the reasons why these proposals have not been implemented commercially. This paper analyses the architecture of internet routing and the design of BGP while focusing on the problem of BGP session hijacking attacks. Using Graphical Network Simulator 3 (GNS-3), a session hijack is demonstrated and a solution which involves the implementation of route filtering, policy-maps and route-maps on CISCO routers representing ASes is carried out. In the end, a workable industry standard framework for securing and protecting BGP sessions and border routers from exploitation with little or no modification to the existing routing infrastructure is demonstrated.
文摘Traffic hijacking is a common attack perpetrated on networked systems, where attackers eavesdrop on user transactions, manipulate packet data, and divert traffic to illegitimate locations. Similar attacks can also be unleashed in a NoC (Network on Chip) based system where the NoC comes from a third-party vendor and can be engrafted with hardware Trojans. Unlike the attackers on a traditional network, those Trojans are usually small and have limited capacity. This paper targets such a hardware Trojan;Specifically, the Trojan aims to divert traffic packets to unauthorized locations on the NoC. To detect this kind of traffic hijacking, we propose an authentication scheme in which the source and destination addresses are tagged. We develop a custom design for the packet tagging and authentication such that the implementation costs can be greatly reduced. Our experiments on a set of applications show that on average the detection circuitry incurs about 3.37% overhead in area, 2.61% in power, and 0.097% in performance when compared to the baseline design.
基金supported by National Key Research and Development Plan of China under Grant 2022YFB3105203National Natural Science Foundation of China(62132009)+2 种基金key fund of National Natural Science Foundation of China(62272266)Tsinghua University-China Mobile Communications Group Co.,Ltd.Joint InstituteZhongguancun Laboratory。
文摘The gradual deployment of Low-Earth Orbit(LEO)mega constellations with inter-satellite links(ISLs)promises ubiquitous,low-latency,and high-throughput satellite network services.However,networked LEO satellites with ISLs are also at risk of routing attacks such as hijacking.Existing defenses against route hijacking in terrestrial networks can hardly work for the LEO satellite network due to its high spatiotemporal dynamics.To deal with it,we propose RPD,a high-risk routing path detection method for LEO mega-constellation networks.RPD detects abnormal high-risk LEO network paths by checking the consistency between the path delay and the geographical distance.This is efficiently achieved by combining in-band measurements and out-of-band statistical processing to detect the anomaly of the clustering feature in the reference delay matrix.RPD avoids the recalculation of the header cryptographic marks when the handover occurs,thus greatly reducing the cost and improving the performance of highrisk path detection.Experiments showed that the proposed RPD mechanism achieves an average detection accuracy of 91.64%under normal network conditions,and maintain about 89%even when congestion occurs in multiple areas of the network and measurement noise is considered.In addition,RPD does not require any cryptographic operation on the intermediate node,only minimal communication cost with excellent scalability and deployability.