Securing Domain Control with BGP Attacks and Digital Certificates

Slide Note
Embed
Share

Exploring the vulnerabilities of domain control verification in the context of BGP attacks and the role of digital certificates in ensuring security. The process of domain control verification, issuance of digital certificates by Certificate Authorities (CAs), and the significance of Public Key Infrastructure (PKI) are discussed. Learn how organizations can maintain secure connections through proper domain ownership verification.

kingst
kingst Follow

Uploaded on Oct 01, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Bamboozling Certificate Authorities with BGP 20174489 SEUNGHAN HONG

  2. Introduction USENIX Security 18 Author : Henry Birge-Lee, Yixin Sun, Anne Edmundson, Jennifer Rexford, Prateek Mittal

  3. Introduction

  4. Overview Domain Control Verification BGP Attacks Quantifying Vulnerability Countermeasures Conclusion

  5. Digital Certificate How we can sure that the domain is KAIST?

  6. Digital Certificate How we can sure that the domain is KAIST? This is the mark which the domain has digital certificate.

  7. Digital Certificate How we can sure that the domain is KAIST? This is the mark which the domain has digital certificate.

  8. Domain Control Verification A process to verify the domain owner before signing certificate Certificate Authority (CA) is an organization which signs the certificate CA helps us to create secure connection to a server using Public Key Infrastructure (PKIs)

  9. Domain Control Verification Owner of the domain request a certificate to CA

  10. Domain Control Verification CA gives Domain Control Verification Challenge

  11. Domain Control Verification Owner modifies the server

  12. Domain Control Verification CA check whether the domain has correct answer

  13. Domain Control Verification If it is correct, CA gives digital certificate to owner

  14. Domain Control Verification If it is correct, CA gives digital certificate to owner

  15. Overview Domain Control Verification BGP Attacks Quantifying Vulnerability Countermeasures Conclusion

  16. Border Gateway Protocol (BGP) BGP is a standardized exterior gateway protocol designed to exchange routing and reachability information among Autonomous System (AS) on the Internet

  17. Border Gateway Protocol (BGP) For example the AS containing 2.2.2.0/23 announce that he owns 2.2.2.0/23. Then AS1 announce that it can reach to 2.2.2.0/23 by 1 hop

  18. High Level Idea: BGP Attack Man in the middle attack Attacks when CA calls HTTP GET example.com/verify.html

  19. BGP Attack Normal procedure CA reach to correct server

  20. BGP Attack Simplest Attack (sub-prefix attack) Use the same IP address to capture the victim s traffic

  21. BGP Attack Routers prefer more specific announcement Broken connectivity Highly viable Not stealthy

  22. BGP Attack A local (equally-specific prefix) attack Aim to increase stealthiness

  23. BGP Attack Equally specific announcement compete for traffic Announcement localized Local broken connectivity Potentially stealthy

  24. BGP Attack Can not hijack in this case (unaffected portion)

  25. BGP Attack AS Path poisoning To maintain a valid route to the victim s domain

  26. BGP Attack Almost any AS can perform Connectivity preserved Very stealthy

  27. The stealthy and viability of BGP attacks Effective against /24 prefixes Evades origin change detection Internet topology location required Sub-prefix hijack No No Any location Equally-specific prefix hijack Yes No Many location As-path poisoning attack No Yes Many location

  28. BGP Attack in real worlds Need some Ethical framework for launching real-world attacks Hijack only our own prefixes Domains run on our own prefixes No real users attacked Approached trusted CAs for certificates

  29. BGP Attack in real worlds: Summary Let s Encrypt GoDaddy Comodo Symantec GlobalSign Time to issue certificate 35s <10min 51s 6min 4min Human Interaction No No No No No Multiple Vantage Points No No No No No Validation Method Attacked HTTP HTTP Email Email Email

  30. Additional Attacks More targets Authoritative DNS servers Mail servers Reverse (victim domain -> CA) traffic is also vulnerable

  31. Overview Domain Control Verification BGP Attacks Quantifying Vulnerability Countermeasures Conclusion

  32. Quantifying Vulnerability How many domains are vulnerable? How many adversaries can launch attacks?

  33. Vulnerability of domains: sub-prefix attacks

  34. Vulnerability of domains: sub-prefix attacks Any AS can launch Only prefix lengths less than /24 vulnerable

  35. Vulnerability of domains: sub-prefix attacks Any AS can launch Only prefix lengths less than /24 vulnerable

  36. Resilience to equally-specific prefix attacks

  37. Resilience to equally-specific prefix attacks

  38. Resilience of domains assuming random CA

  39. Choosing affected CA

  40. Vulnerability of Domains: Equally-specific attacks

  41. Vulnerability of Domains: Equally-specific attacks

  42. Overview Domain Control Verification BGP Attacks Quantifying Vulnerability Countermeasures Conclusion

  43. Countermeasures CA Vantage Point BGP Monitoring CA prefix length Domains CAA DNS Records DNSSEC

  44. Multiple Vantage Points

  45. Multiple Vantage Points

  46. Multiple Vantage Points CA sign certificate only if all vantage points and CA agree average resilience of domains attack chance of success One vantage point 61% 39% two vantage points 85% 15% Three vantage points >90% <10%

  47. BGP Monitoring Monitoring suspicious route CA computes each route s age CA signs a certificate for routes which have sufficient age. Then network operator have time to react (tradeoff) false positive <-> minimum time

  48. Related Work Using BGP attack is effective at deanonymizing TOR users Sun el al. Raptor: Routing attacks on privacy in Tor, USENIX Security Symposium (2015) Using BGP attack on hijacking bitcoin Apostolaki et al. Hijacking bitcoin: Routing attacks on cryptocurrencies, In IEEE Symposium on Security and Privacy (SP) (May 2017) Using BGP attack to bypass US surveillance laws Arnbak et al. Loopholes for circumventing the constitution: Unrestricted bulk surveillance on americans by collecting network traffic abroad, Mich. Telecomm. & Tech. L. Rev. 21 (2014)

  49. Related Work Using BGP attacks with strategically poisoned AS paths Pilosov and Kapela, Stealing the Internet: An Internet-scale man in the middle attack, NANOG-44, Los Angeles, October (2008) Using BGP attacks on peering links Madory, Use protection if peering promiscuously. https://dyn.com/blog/use-protection-if- peering-promiscuously/, Nov 2014.

  50. Related Work outline a well-known system to detect traditional BGP attacks Lad et al, PHAS: A prefix hijack alert system, In USENIX Security Symposium (2006) generate route filters to prevent BGP attacks Bush et al, The resource public key infrastructure (RPKI) to router protocol, RFC 6810, RFC Editor, January 2013 BGPsec cryptographically assures the validity of BGP paths Lepinski et al, BGPsec protocol specification, RFC 8205, RFC Editor, September 2017 SCION presents a clean slate architecture that would prevent BGP hijacks Zhang et al, An analysis of BGP multiple origin AS (MOAS) conflicts. In ACM SIGCOMM Workshop on Internet Measurement (New York, NY, USA, 2001)

Related


Understanding BGP and DNS Worms in Network Security

Understanding BGP and DNS Worms in Network Security

euey175
Gradual Fine-Tuning for Low-Resource Domain Adaptation: Methods and Experiments

Gradual Fine-Tuning for Low-Resource Domain Adaptation: Methods and Experiments

shania
Understanding BGP Basics and Routing Security

Understanding BGP Basics and Routing Security

cobe_53
Evolution of BGP: Expectations vs. Reality in Protocol Development

Evolution of BGP: Expectations vs. Reality in Protocol Development

fhess
Understanding Network Security Vulnerabilities and Attacks

Understanding Network Security Vulnerabilities and Attacks

leyo_5
Types Cyber Attacks: Cyber Security Training Workshop

Types Cyber Attacks: Cyber Security Training Workshop

anara
Safety Verification Using Barrier Certificates in Autonomous Cyber-Physical Systems

Safety Verification Using Barrier Certificates in Autonomous Cyber-Physical Systems

dpar
Targeted Deanonymization via the Cache Side Channel: Attacks and Defenses

Targeted Deanonymization via the Cache Side Channel: Attacks and Defenses

jmora
Understanding Network Denial of Service (DoS) Attacks

Understanding Network Denial of Service (DoS) Attacks

zahra
Understanding Injective and Surjective Functions

Understanding Injective and Surjective Functions

dinah
Understanding Low-Intensity DoS Attacks on BGP Infrastructure

Understanding Low-Intensity DoS Attacks on BGP Infrastructure

serg_6
Managing Covid-19 Cyber and Data Protection Risks

Managing Covid-19 Cyber and Data Protection Risks

kaisen
Understanding Control Hijacking Attacks in Software Systems

Understanding Control Hijacking Attacks in Software Systems

kit_631
Understanding Network Security Fundamentals

Understanding Network Security Fundamentals

chae_220
Understanding Denial-of-Service Attacks and Defense Strategies

Understanding Denial-of-Service Attacks and Defense Strategies

delphi
Automated Signature Extraction for High Volume Attacks in Cybersecurity

Automated Signature Extraction for High Volume Attacks in Cybersecurity

klos_k
Preventing Active Timing Attacks in Low-Latency Anonymous Communication

Preventing Active Timing Attacks in Low-Latency Anonymous Communication

kmike
Strategies to Protect School Systems from Cyber Attacks

Strategies to Protect School Systems from Cyber Attacks

alins
Evolution of Networking: Embracing Software-Defined Networks

Evolution of Networking: Embracing Software-Defined Networks

stalling_r
Mitigation of DMA-based Rowhammer Attacks on ARM

Mitigation of DMA-based Rowhammer Attacks on ARM

baylee
Understanding Cross-Domain Policies in Web Application Security

Understanding Cross-Domain Policies in Web Application Security

jayelyn
Understanding Domain Adaptation in Machine Learning

Understanding Domain Adaptation in Machine Learning

demetria
Country Names in the Domain Name System (DNS)

Country Names in the Domain Name System (DNS)

tup_o
Understanding BGP Protocol and Configuration for Routing Policy Filtering

Understanding BGP Protocol and Configuration for Routing Policy Filtering

kenzelkr

More Related Content

Network Security Breakout: Science DMZ, BGP, Data Movement, Measurement & Monitoring Tools
Network Security Breakout: Science DMZ, BGP, Data Movement, Measurement & Monitoring Tools
Understanding Non-Optimal Routing and 32-Bit ASN Compatibility
Understanding Non-Optimal Routing and 32-Bit ASN Compatibility
Understanding Operating System Protection Principles
Understanding Operating System Protection Principles
Understanding Control Hijacking Attacks and Defenses
Understanding Control Hijacking Attacks and Defenses
Understanding Malicious Attacks, Threats, and Vulnerabilities in IT Security
Understanding Malicious Attacks, Threats, and Vulnerabilities in IT Security
Adversarial Machine Learning
Adversarial Machine Learning
Cybersecurity Challenges: Attacks on Web Applications and Cost of Security Breaches
Cybersecurity Challenges: Attacks on Web Applications and Cost of Security Breaches
Principles of Cyber Security
Principles of Cyber Security
Overview of Identification Protocols in CS255 by Dan Boneh
Overview of Identification Protocols in CS255 by Dan Boneh
Developing MPI Programs with Domain Decomposition
Developing MPI Programs with Domain Decomposition
Wyoming Eminent Domain Laws - Legal Updates and Negotiations
Wyoming Eminent Domain Laws - Legal Updates and Negotiations
Hierarchical Attention Transfer Network for Cross-domain Sentiment Classification
Hierarchical Attention Transfer Network for Cross-domain Sentiment Classification
Understanding Domain Names for Authoritative DNS Servers
Understanding Domain Names for Authoritative DNS Servers
Understanding Functions: Definitions and Arrow Diagrams
Understanding Functions: Definitions and Arrow Diagrams
Exploring the Classic Blocks World Domain
Exploring the Classic Blocks World Domain
Understanding the Domain Name System (DNS) Structure
Understanding the Domain Name System (DNS) Structure
Understanding Marketing Control and Its Importance in Business
Understanding Marketing Control and Its Importance in Business
Understanding Unlabeled Certificates in Decision Tree Model
Understanding Unlabeled Certificates in Decision Tree Model
Customizable Recognition Certificates for End of Season Player Awards
Customizable Recognition Certificates for End of Season Player Awards
Reduced Fee Birth Certificates Initiative in Oakland County
Reduced Fee Birth Certificates Initiative in Oakland County
Digital Competency Maturity Model 2.0 for Accounting Firms - Overview and Implementation
Digital Competency Maturity Model 2.0 for Accounting Firms - Overview and Implementation
Impact of Digital Communication on Social Inequality
Impact of Digital Communication on Social Inequality
Understanding Control Plans in Process Management
Understanding Control Plans in Process Management
Understanding Authentication Mechanisms and Security Vulnerabilities
Understanding Authentication Mechanisms and Security Vulnerabilities