Sharon Goldberg

Attacking NTP’s Authenticated Broadcast Mode

By: 
Aanchal Malhotra, Sharon Goldberg
Appears in: 
CCR April 2016

We identify two attacks on the Network Time Protocol (NTP)’s cryptographically-authenticated broadcast mode. First, we present a replay attack that allows an on-path attacker to indefinitely stick a broadcast client to a specific time. Second, we present a denial-of-service (DoS) attack that allows an off-path attacker to prevent a broadcast client from ever updating its system clock; to do this, the attacker sends the client a single malformed broadcast packet per query interval.

Public Review By: 
Alberto Dainotti

Besides the recently famous gravitational waves, there is another phenomenon affecting the spacetime continuum, at least in the Internet universe: the Network Time Protocol (NTP, RFC5905), used for decades by Internet attached hosts to establish and maintain synchronization of their clocks. In this paper, Aanchal and Sharon show how an attacker can alter a system’s perception of time when it relies on NTP. System time has an immense effect on host activities: cached data expiration, scheduled jobs, public-key certificate expiration, backups, cryptographic protocols, time-outs in general, etc. Therefore, manipulation of the system clock can open the path to several attacks. The authors identify two vulnerabilities affecting NTP protocol’s cryptographically-authenticated broadcast mode. The first allows an on-path attacker to stick an NTP broadcast client to a specific time indefinitely. The second vulnerability exposes a client to a denial-of-service attack, in which an off-path attacker prevents the client from updating its system clock. The authors also perform a survey of the IPv4 address space, identifying several hosts using NTP broadcast mode. Reviewers found the contribution of this work relevant, not only because it pertains to more secure protocol design, but also because the authors explain solutions and collaborated with industry, developers and standardization groups to improve the security of the protocol and its implementations. The reviewers also discussed the potentially limited nature of these vulnerabilities given that NTP’s cryptographically-authenticated broadcast mode does not seem to be widely adopted. However, as the authors explain, it is difficult to establish figures on the popularity of this mode, since (i) it is most common in clients behind NAT, and (ii) several firewalls filter queries that may reveal such information. Finally, we believe this paper is a good match for CCR also because the two vulnerabilities discussed have just been disclosed and assigned a CVE-ID, which makes the paper even more... timely!

ACM SIGCOMM Computer Communication Review

RPKI vs ROVER: comparing the risks of BGP security solutions

By: 
Aanchal Malhotra, Sharon Goldberg
Appears in: 
CCR August 2014

BGP, the Internet’s interdomain routing protocol, is highly vulnerable to routing failures that result from unintentional misconfigurations or deliberate attacks. To defend against these failures, recent years have seen the adoption of the Resource Public Key Infrastructure (RPKI), which currently authorizes 4% of the Internet’s routes. The RPKI is a completely new security infrastructure (requiring new servers, caches, and the design of new protocols), a fact that has given rise to some controversy [1].

From the consent of the routed: improving the transparency of the RPKI

By: 
Ethan Heilman, Danny Cooper, Leonid Reyzin, Sharon Goldberg
Appears in: 
CCR August 2014

The Resource Public Key Infrastructure (RPKI) is a new infrastructure that prevents some of the most devastating attacks on interdomain routing. However, the security benefits provided by the RPKI are accomplished via an architecture that empowers centralized authorities to unilaterally revoke any IP prefixes under their control. We propose mechanisms to improve the transparency of the RPKI, in order to mitigate the risk that it will be used for IP address takedowns. First, we present tools that detect and visualize changes to the RPKI that can potentially take down an IP prefix.

A survey of interdomain routing policies

By: 
Phillipa Gill, Michael Schapira, Sharon Goldberg
Appears in: 
CCR January 2014

Researchers studying the inter-domain routing system typically rely on models to fill in the gaps created by the lack of information about the business relationships and routing policies used by individual autonomous systems. To shed light on this unknown information, we asked 100 network operators about their routing policies, billing models, and thoughts on routing security. This short paper reports the survey's results and discusses their implications.

Public Review By: 
Jia Wang

Interdomain routing has been extensively studied over the past decade by both research and industrial communities. While tremendous knowledge and understanding have been gained on various aspects of interdomain routing (including routing policies), there are some gaps that remain to be filled. What makes this paper interesting and distinguishes it from many other papers on interdomain routing policies is that this paper intended to bridge one of these knowledge gaps by conducting a survey on business relationships and routing policies used by individual autonomous systems in practice. About 100 network operators responded to the survey and answered questions about their routing policies, billing models, and thoughts on routing security. The paper presented survey results and discussed their implications. While most of the results provided a systematic view of interdomain routing policies used in practice and of the extent to which common modeling assumptions about routing policies actually hold on the Internet, some of the findings are quite interesting and require deeper understanding of their implications. For example, the survey results showed that 90% of operators disabled the MRAI timer, which is used to rate limit update messages between neighboring BGP-speaking routers. This paper provided a good starting point on some of these findings. Follow-up studies that look deeper into these findings would be of great interest to the research community and can potentially impact network operators in setting their policies in the future. One limitation of this paper is that the survey results only represented a somewhat biased view from the 100 operators who were questioned and responded. Having said that, I believe these results provided very useful information on the operational reality of interdomain routing policies. Researchers and students who work in the interdomain routing area would find this survey beneficial.

Modeling on quicksand: dealing with the scarcity of ground truth in interdomain routing data

By: 
Phillipa Gill, Michael Schapira, Sharon Goldberg
Appears in: 
CCR January 2012

Researchers studying the interdomain routing system, its properties and new protocols, face many challenges in performing realistic evaluations and simulations. Modeling decisions with respect to AS-level topology, routing policies and traffic matrices are complicated by a scarcity of ground truth for each of these components. Moreover, scalability issues arise when attempting to simulate over large (although still incomplete) empirically-derived AS-level topologies. In this paper, we discuss our approach for analyzing the robustness of our results to incomplete empirical data.

Public Review By: 
Yin Zhang

This paper focuses on improving the scalability and robustness of simulations for analyzing interdomain routing techniques. There are two challenges with inter-domain routing simulations (as outlined by the paper): (i) The running time of simulations on large AS graphs can be very high – O(|V|^3) for an AS graph with |V| vertices. For an empirical AS graph with 36K nodes, it will take several months to finish. (ii) The lack of ground truth information makes assessing the accuracy and robustness of routing techniques difficult. To address the first challenge, the author develops a novel routing tree algorithm that takes only O(|V|^2) time to compute paths between all source-destination pairs in an AS graph with |V| vertices, which is significantly faster than the state of the art. The algorithm exploits the fact that real-world AS graphs are typically very sparse, with only around 4*|V| edges as opposed to O(|V|^2) edges. It computes all the paths by performing a specialized three-stage breadth-first search (BFS) on the AS graph. To further improve the scalability in the context of repeated simulations, the paper develops lightweight, faster amortized algorithms that achieve a 5-times speedup compared to running repeated simulations. The idea is to run a single computation for all-pairs paths once and save and reuse the intermediate results for subsequent iterations. Since the algorithms can be run independently across destinations, Map-reduce style parallelization is used to achieve another 200-times speedup. This is very good! Regarding robustness, the paper proposes to perform repeated simulations with varied parameters – this becomes computationally feasible because of the significantly reduced run-time. While it is arguable whether repeated simulations alone suffice to cope with the lack of ground truth, the approach helps better understand the impact of the imperfect data and modeling assumptions and is therefore clearly valuable. Overall, a very nice paper. The core ideas are both interesting and useful. The techniques proposed in the paper should really become the common practice in future large-scale simulation studies of interdomain routing.

How secure are secure interdomain routing protocols

By: 
Sharon Goldberg, Michael Schapira, Peter Hummon, and Jennifer Rexford
Appears in: 
CCR October 2010

In response to high-profile Internet outages, BGP security variants have been proposed to prevent the propagation of bogus routing information. To inform discussions of which variant should be deployed in the Internet, we quantify the ability of the main protocols (origin authentication, soBGP, S-BGP, and data-plane verification) to blunt traffic-attraction attacks; i.e., an attacker that deliberately attracts traffic to drop, tamper, or eavesdrop on packets.

Rationality and Traffic Attraction: Incentives for Honest Path Announcements in BGP

By: 
Sharon Goldberg, Shai Halevi, Aaron D. Jaggard, Vijay Ramachandran, and Rebecca N. Wright
Appears in: 
CCR October 2008

We study situations in which autonomous systems (ASes) may have incentives to send BGP announcements differing from the AS-level paths that packets traverse in the data plane. Prior work on this issue assumed that ASes seek only to obtain the best possible outgoing path for their traffic. In reality, other factors can influence a rational AS’s behavior. Here we consider a more natural model, in which an AS is also interested in attracting incoming traffic (e.g., because other ASes pay it to carry their traffic).