Friday, May 31, 2019






A new attack that orchestrates malicious flows with BGP
Researchers at the University of Tennessee have recently identified the Master attack, a new link flooding attack (LFA) that leverages control plane traffic engineering techniques to concentrate botnet-sourced distributed denial of service (DDoS) flows on transit links. In their paper, recently published on arXiv, the researchers outlined this type of attack, tried to understand its scope and presented effective mitigations for network operators who wish to insulate themselves from it.
Distributed denial of service (DDoS) attacks work by directing traffic from different sources on the internet to overwhelm the capacity of a targeted system. Although researchers have introduced numerous mitigation and defense techniques to protect users against these attacks, they are still proliferating. Link flooding attacks (LFAs) are a specific type of DDoS attack, typically launched from botnets, that targets infrastructure links.
"While investigating how well an ISP could singlehandedly defend against massive denial of service attacks, we realized the same technique we were using to defend against attacks could be used by an adversary to take down our own defense," said Jared Smith, one of the researchers who carried out the study. "This led to us exploring how well this technique, BGP poisoning, could be used to carry out such an attack."
Tyler McDaniel and Max Schuchard explored how an adversary's ability to influence routing decisions (i.e. his or her access to a compromised Border Gateway Protocol, or BGP, speaker) can shape remote networks' path selection processes to the adversary's advantage. During their investigation, they identified a new type of LFA, which they called the Master attack.
"We are researching DDoS attacks against Internet infrastructure links," McDaniel told TechXplore. "These attacks are bounded by Internet routing characteristics, because DDoS sources do not always have a destination for their traffic that crosses a target link."
The Master attack works by distributing fraudulent (i.e. poisoned) BGP messages from an internet router to channel inbound traffic (i.e. traffic flowing into the router) onto a target link. Simultaneously, it directs a DDoS attack against the same router using a botnet, which ultimately funnels DDoS traffic onto the target link.
In other words, the attack poisons BGP messages in order to steer malicious flows onto links that would otherwise be inaccessible to botnets. To carry out this attack, a user would need to have two key tools: an edge router in some compromised autonomous system (AS) and a botnet.
"For one of our major botnet models, Mirai, a well-positioned Master attacker can expect to bring a million additional infected hosts onto the target link vs. a traditional DDoS link," McDaniel said. "This number fully represents the third of the entire botnet."
According to the researchers, in order to insulate themselves from this attack, or at least mitigate the risk of becoming a target, network operators should filter out poisoned BGP messages. Interestingly, however, studies carried out in their lab revealed that most routers do not currently filter these messages out.
"An adversary who can compromise or buy an Internet router can disseminate fraudulent messages to intensify attacks on the Internet's infrastructure," McDaniel said. "This is troubling, because prior work has raised the specter of large-scale DDoS linking to isolate installations or entire geographic regions from the internet."
In addition to introducing the Master attack, the study carried out by Smith, McDaniel and Schuchard provides further evidence that BGP, as it stands, is no longer an ideal, scalable and secure routing protocol. This was already suggested by previous studies, as well as by recent incidents, such as the 3ve fraud operation and the China Telecom hijack. According to the researchers, although upgrades such as peer locking could help to prevent this specific attack, replacing BGP with an entirely new, next-generation system (e.g. SCION) would be the most effective solution.
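As an added illustration of the filtering and peer locking mentioned above (this is example code written for this page, not taken from the paper or from any router implementation), the check below rejects received routes whose AS path shows the usual poisoning pattern or carries a protected AS from an unapproved neighbor. The AS numbers come from the documentation range, and the function names and the peer-lock table are assumptions made for the example.

```python
# Added example: flag AS paths that look poisoned. ASNs are constructed
# (RFC 5398 documentation range); all names here are hypothetical.

PEER_LOCK = {
    # protected ASN -> neighbors allowed to send us paths containing it
    64500: {64500, 64501},
}

def collapse_prepends(as_path):
    """Drop contiguous repeats, which are ordinary AS-path prepending."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def poison_reasons(neighbor_asn, as_path, peer_lock=PEER_LOCK):
    """Return the reasons to reject a route learned from neighbor_asn.

    as_path is ordered as received: neighbor first, origin last.
    """
    if not as_path:
        return ["empty AS path"]
    reasons = []
    if as_path[0] != neighbor_asn:
        reasons.append("first AS is not the sending neighbor")
    path = collapse_prepends(as_path)
    # After collapsing prepends, a repeated ASN means other ASes sit
    # between two copies of it: the "sandwich" used to poison them.
    for asn in sorted({a for a in path if path.count(a) > 1}):
        reasons.append(f"non-contiguous repeat of AS{asn}")
    for protected, allowed in peer_lock.items():
        if protected in path and neighbor_asn not in allowed:
            reasons.append(f"AS{protected} in path from unapproved AS{neighbor_asn}")
    return reasons

# Constructed updates: (neighbor ASN, AS_PATH as received)
UPDATES = [
    (64501, [64501, 64502, 64510]),                # clean
    (64501, [64501, 64510, 64510, 64510]),         # prepending only
    (64503, [64503, 64510, 64500, 64504, 64510]),  # poisoned sandwich
    (64503, [64503, 64500, 64511]),                # peer-lock violation
]

def filter_updates(updates):
    return [(n, p, poison_reasons(n, p)) for n, p in updates]

if __name__ == "__main__":
    for n, p, why in filter_updates(UPDATES):
        print("REJECT" if why else "accept", n, p, why)
```

Ordinary prepending passes because its repeats are contiguous; the peer-lock rule catches a protected AS on an unapproved session even when no AS is repeated.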
"Going forward, we're primarily exploring two directions," Smith said. "First, while talking to ISP operators about Master, we found differing opinions of how vulnerable the Internet actually is. Our lab has a history of actively measuring the Internet's behavior and is working on measuring human operator intuition against the current behavior of the Internet. Second, we are already seeing strong results for extending Master to work even when you do not have a massive botnet available."
© 2019 Science X Network
