

Colluding Adversaries

Figure: The effects of colluding adversaries in the current Internet.
Figure: Effects of colluding adversaries with whisper + policy routing.
Figure: Effect of colluding adversaries with whisper + shortest path routing.

In addition to acting as a group of isolated adversaries, colluding adversaries can tunnel advertisements and secrets between them and create invalid routes with fake AS links without being detected by the Whisper protocols. These invalid routes are not detectable even with a PKI unless the complete topology is known and enforced. Despite this limitation, we can provide protective measures for avoiding these invalid routes.

Given the hierarchical nature and the skewed structure of the Internet topology, the invalid paths from colluding adversaries that Whisper cannot detect tend to be longer in AS path length. This is because a normal route traverses the Internet core (tier-1 + tier-2 ISPs) once, while a consistent invalid route through $2$ colluding adversaries traverses the Internet core twice (since the adversary cannot remove any AS from the path). Hence, by choosing the shortest path we have a better chance of avoiding the invalid route. Figures 8, 9 and 10 illustrate this effect of colluding adversaries for $3$ scenarios: (a) the current Internet with no protection; (b) whisper protocols with policy routing; (c) whisper protocols with shortest path routing. All these graphs show the cumulative distribution of the vulnerability metric (defined in Section 6.1) for a set of colluding malicious adversaries. We specifically consider three cases: (a) $2$ colluding tier-1 AS's; (b) $2$ colluding tier-2 AS's; (c) $12$ colluding customer AS's.

We make two observations. First, $12$ randomly compromised customer routers can inflict the same magnitude of damage as two tier-1 nodes, illustrating the effect of colluding adversaries in the current Internet. Typically, customer AS's are easier to compromise since many of them are unmanaged. Second, whisper protocols with shortest path routing drastically reduce (in comparison to policy routing) the possibility of colluding adversaries propagating invalid routes without triggering alarms. In particular, even when $12$ customer AS's are compromised, the effect on Internet routing is negligible.

Whisper protocols with policy routing offer much less protection, since BGP tends to choose routes based on local preference. The typical policy convention, based on stable routing and economic constraints, is to prefer customer routes over peer and provider routes [18]. This preference rule increases the vulnerability of BGP to picking consistent invalid routes from customers over potentially shorter routes through peers/providers. In principle, this problem also exists in S-BGP. To strike a middle ground between the flexibility of policy routing and this vulnerability, we propose a simple modification to the policy engine: do not associate any local preference with customer routes that have an AS path length greater than $2$ (any route from a pair of colluding routers should have a minimum path length of $3$). We believe that this modification to BGP policies should have little impact on current operation, since most customer routes today have a path length less than $3$.
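The proposed policy change can be seen in a small route-selection model, added here as an illustration and not taken from the paper or any BGP implementation. The preference values, the `Route` type and the AS numbers (private-use range) are assumptions; only the length threshold of 2 comes from the text.

```python
from dataclasses import dataclass

CUSTOMER_PREF = 200             # assumed value: customer routes are preferred
DEFAULT_PREF = 100              # assumed value: peer and provider routes
MAX_PREFERRED_CUSTOMER_LEN = 2  # threshold proposed in the text


@dataclass(frozen=True)
class Route:
    neighbor_type: str  # "customer", "peer" or "provider"
    as_path: tuple      # AS numbers, nearest AS first


def local_pref(route, modified):
    """Local preference under the conventional or the modified policy."""
    if route.neighbor_type != "customer":
        return DEFAULT_PREF
    # Modified policy: a long customer route gets no preference boost,
    # so it competes with peer/provider routes on AS path length alone.
    if modified and len(route.as_path) > MAX_PREFERRED_CUSTOMER_LEN:
        return DEFAULT_PREF
    return CUSTOMER_PREF


def best_route(routes, modified):
    """Highest local preference first, then shortest AS path."""
    return min(routes, key=lambda r: (-local_pref(r, modified), len(r.as_path)))


# Constructed candidate routes to one prefix originated by AS 64515.
# LONG_CUSTOMER models a consistent invalid route that crosses the core twice.
LONG_CUSTOMER = Route("customer", (64512, 64513, 64514, 64515))
VIA_PEER = Route("peer", (64520, 64515))
SHORT_CUSTOMER = Route("customer", (64530, 64515))
DIRECT_PEER = Route("peer", (64515,))

if __name__ == "__main__":
    for modified in (False, True):
        chosen = best_route([LONG_CUSTOMER, VIA_PEER], modified)
        label = "modified" if modified else "conventional"
        print(f"{label:12s} -> {chosen.neighbor_type} route, "
              f"AS path length {len(chosen.as_path)}")
```

Under the conventional policy the long customer route wins on local preference; under the modified policy the shorter peer route wins, while a customer route of length 2 keeps its preference.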

To summarize, whisper protocols in combination with the modified policies (emulating shortest path routing) can largely restrict the damage of colluding adversaries.


116 2004-02-12