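Graduate student: 鄭光廷
Graduate student (English): Kuang-Ting Cheng
Thesis title: 基於邊界閘道協議設計與實作階層式區塊鏈之安全機制
Thesis title (English): Design and Implementation of a Hierarchical Blockchain Security Mechanism for Border Gateway Protocol
Advisor: 楊竹星
Advisor (English): Chu-Sing Yang
Degree: Master's
Institution: National Cheng Kung University (國立成功大學)
Department: Institute of Computer and Communication Engineering
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2020
Academic year of graduation: 108
Language: Chinese
Number of pages: 59
Keywords (Chinese): Border Gateway Protocol; route hijacking; blockchain; Byzantine fault tolerance consensus algorithm
Keywords (English): Border Gateway Protocol; Prefix hijacking; Blockchain; Practical Byzantine Fault Tolerance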
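The Border Gateway Protocol, the dominant exterior gateway protocol today, connects autonomous systems and exchanges routes between them, and is one of the most important protocols making up the backbone of today's Internet. However, as the Internet continues to grow in scale, the security of the trust-based Border Gateway Protocol is being put to the test. An autonomous system can, whether through deliberate attack or through misconfiguration, announce false routing information that affects the routing of other autonomous systems, resulting in traffic being redirected or even interrupted. Because the Border Gateway Protocol propagates announcements onward, such malicious routes spread to more autonomous systems and cause more serious impact, which makes route hijacking a major threat to the Internet.
Therefore, this thesis draws on the concept of blockchain and uses a Byzantine fault tolerance algorithm to record stable routes between autonomous systems by consensus, as a reference for routing decisions. In addition, to match the upstream-downstream relationships between autonomous systems and to reduce system load, this thesis designs a hierarchical grouping mechanism that assigns different roles to autonomous systems, so that the larger autonomous systems in the network can perform route validation and lookup on behalf of their customers. The experimental results show that this route protection mechanism can detect and filter out route-hijacking messages within a short time and stably maintain traffic to the hijacked network. By simulating hijacking incidents that actually occurred, the system can raise an early warning to more than 50% of the autonomous systems within 10 seconds and raise this proportion to 95% within one minute.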
As the scale of the Internet continues to grow, Internet Service Providers developed the concept of the Autonomous System (AS) in order to control and manage their network resources. The Border Gateway Protocol (BGP) has therefore become the dominant protocol for exchanging routing information between ASes. However, BGP itself is a trust-based protocol and does not employ security mechanisms to secure routes. As a result, an AS can announce and propagate malicious routes that affect the BGP network and result in inter-AS traffic redirection, causing network services to shut down.
This thesis leverages the concept of blockchain to preserve normal routes and prevent BGP hijacking threats. Using the Practical Byzantine Fault Tolerance method, ASes can record their local routes based on several metrics such as route stability. In order to reduce the communication overhead of our system, we develop a grouping mechanism that lets the critical nodes in the topology maintain the blockchain. The experimental results show that our BGP security mechanism can detect and filter out malicious routes and also stabilize the traffic towards the victim AS. By simulating real-world hijacking events, our system is able to alert half of the ASes in 10 seconds and 95% of the ASes in under a minute.
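Abstract
Acknowledgements
Table of Contents
List of Figures
List of Tables
1. Introduction
1.1. Research Background
1.2. Research Motivation and Objectives
1.3. Thesis Organization
2. Background and Related Work
2.1. Border Gateway Protocol (BGP)
2.1.1. BGP Session Process
2.1.2. AS_PATH Attribute
2.1.3. BGP Path Selection Criteria
2.2. BGP Attacks
2.2.1. Common Types of BGP Attacks
2.2.2. Characteristics of BGP Attacks
2.3. Common Defenses against BGP Attacks
2.3.1. BGP Operational Security
2.3.2. Security Enhancements to the BGP Protocol
2.4. Blockchain
2.4.1. Consensus Algorithms
2.4.2. Practical Byzantine Fault Tolerance
2.5. Related Research on BGP Security Systems
3. System Design and Implementation
3.1. System Architecture
3.2. Two Stage Approach and Grouping Mechanism
3.3. Distributed Routing Consensus for Autonomous Systems
3.4. TCP Authentication Mechanism
3.5. Discussion of Issues
4. Experimental Setup and Result Analysis
4.1. Experimental Setup
4.1.1. Experimental Environment Setup
4.1.2. Routing Data Sources and Usage
4.2. Security Analysis
4.3. System Performance Analysis
4.3.1. Runtime Performance Analysis
4.3.2. Hierarchical Grouping Validation
4.4. Case Studies
4.4.1. YouTube BGP Hijacking Incident
4.4.2. Quad101 BGP Hijacking Incident
5. Conclusion and Future Work
6. References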