Thesis title (foreign language): Design and Implementation of a Hierarchical Blockchain Security Mechanism for Border Gateway Protocol
Advisor (foreign language): Chu-Sing Yang
Keywords (foreign language): Border Gateway Protocol; Prefix hijacking; Blockchain; Practical Byzantine Fault Tolerance
As the scale of the Internet continues to grow, Internet Service Providers developed the concept of the Autonomous System (AS) in order to control and manage their network resources. Border Gateway Protocol (BGP) has therefore become the dominant protocol for exchanging routing information between ASes. However, BGP itself is a trust-based protocol and does not employ security mechanisms to secure routes. As a result, an AS can announce and propagate malicious routes that affect the BGP network and result in inter-AS traffic redirection, causing network services to shut down.
This thesis leverages the concept of blockchain to preserve normal routes and prevent BGP hijacking threats. Using the Practical Byzantine Fault Tolerance method, ASes can record their local routes based on several metrics such as route stability. In order to reduce the communication overhead of our system, we develop a grouping mechanism that lets the critical nodes in the topology maintain the blockchain. The experimental results show that our BGP security mechanism can detect and filter out malicious routes and also stabilize the traffic towards the victim AS. In simulations of real-world hijacking events, our system is able to alert half of the ASes in 10 seconds and 95% of the ASes in under a minute.
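Abstract
Acknowledgements
List of Figures
List of Tables
1. Introduction
1.1. Research Background
1.2. Research Motivation and Objectives
1.3. Thesis Organization
2. Background and Related Work
2.1. Border Gateway Protocol (BGP)
2.1.1. BGP Session Process
2.1.2. AS_PATH Attribute
2.1.3. BGP Path Selection Criteria
2.2. BGP Attacks
2.2.1. Common Types of BGP Attacks
2.2.2. Characteristics of BGP Attacks
2.3. Common Defenses Against BGP Attacks
2.3.1. BGP Operational Security
2.3.2. Security Enhancements to the BGP Protocol
2.4. Blockchain
2.4.1. Consensus Algorithms
2.4.2. Practical Byzantine Fault Tolerance
2.5. Related Research on BGP Security Systems
3. System Design and Implementation
3.1. System Architecture
3.2. Two Stage Approach and Grouping Mechanism
3.3. Distributed Routing Consensus for Autonomous Systems
3.4. TCP Authentication Mechanism
3.5. Discussion of Issues
4. Experimental Setup and Result Analysis
4.1. Experimental Setup
4.1.1 Experimental Environment Setup
4.1.2 Routing Data Sources and Usage
4.2. Security Analysis
4.3. System Performance Analysis
4.3.1 Runtime Performance Analysis
4.3.2 Hierarchical Grouping Verification
4.4. Case Studies
4.4.1 YouTube BGP Hijacking Incident
4.4.2 Quad101 BGP Hijacking Incident
5. Conclusion and Future Work
6. References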