Dear Jared,

This was a very interesting read. Thank you for sharing it with us. The paper contained new information for me; I hope I summarize it correctly: by combining AS_PATH poisoning and botnets, the botnet's firing power can be more precisely aimed at a specific target.
Can you clarify what the definition of a "link" is? Is it the logical interconnection between two ASNs (many pairs of ASNs interconnect in many places), or is it a reference to a specific physical interconnection between two routers, each in a different ASN?

The paper mentions that if the top 20 transit-free ("tier-1") networks protect each other against poisoning, the Maestro attack is drastically reduced in effectiveness. I have good news: amongst this set of networks, there already is a widely deployed anti-poisoning mechanism, sometimes referred to as "Peerlock". https://www.youtube.com/watch?v=CSLpWBrHy10 / https://www.nanog.org/sites/default/files/Snijders_Everyday_Practical_Bgp.pdf . I think this paper suggests the Peerlock practice should be promoted more, and perhaps automated.

Kind regards,

Job

On Fri, 10 May 2019 at 15:27, Jared Smith <j...@vols.utk.edu> wrote:
> Hello,
>
> Our research lab at the University of Tennessee (volsec.org) has recently
> completed a study on channeling link-flooding attack (transit link DDoS)
> flows via BGP poisoning: the Maestro attack. We are seeking feedback on
> mitigation (see below). A brief summary from the abstract:
>
> "Executed from a compromised or malicious Autonomous System (AS),
> Maestro advertises specific-prefix routes poisoned for selected ASes
> to collapse inbound traffic paths onto a single target link. A greedy
> heuristic fed by publicly available AS relationship data iteratively
> builds the set of ASes to poison. Given a compromised BGP speaker with
> advantageous positioning relative to the target link in the Internet
> topology, an adversary can expect to enhance flow density by more than 30%.
> For a large botnet (e.g., Mirai), the bottom line result is augmenting a
> DDoS by more than a million additional infected hosts. Interestingly, the
> size of the adversary-controlled AS plays little role in this
> amplification effect. Devastating attacks on core links can be executed by
> small, resource-limited ASes."
>
> We are seeking feedback from operators on the attack and the proposed
> mitigations we have identified. While we have worked with our campus BGP
> operators, we are reaching out to the broader community for
> additional insights.
>
> Other than general notes/comments, we have two specific questions that we
> would like to include feedback for in the final paper soon to be submitted:
>
> 1) Do you already filter poisoned/path prepend advertisements? This would
> mitigate the attack.
>
> 2) After seeing this attack, would you consider adding poison filtering or
> some other Day mitigation?
>
> The preprint is available at: tiny.utk.edu/maestro. See Section 7 on
> defenses.
>
> Please reply with any thoughts. Thank you in advance for comments,
> insight, and general feedback.
>
> Best,
> Tyler McDaniel, Jared Smith, and Max Schuchard
> UT Computer Security Lab
> volsec.org
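Added illustration for this thread (editor's own code, not from the Maestro preprint, from Job's reply, or from any production Peerlock configuration): a small Python model of the two mechanisms under discussion. It builds the kind of poisoned AS_PATH the attack relies on (the attacker's ASN wrapped around the ASNs it wants to steer away, so each of those ASes drops the route through ordinary loop detection), and then applies a simplified Peerlock-style rule, assumed here as "a protected tier-1 ASN may only appear in an AS_PATH learned on a session with that ASN itself". The protected-ASN set, the private-use attacker ASN 64500 and the `evaluate` decision strings are constructed for the example; real Peerlock deployments are expressed as router as-path filters, and this only models the accept/reject decision.

```python
# Model of AS_PATH poisoning versus a Peerlock-style filter.
# Constructed example for this discussion; not code from the Maestro paper
# or from a deployed Peerlock configuration. ASNs and rule are assumptions.
from __future__ import annotations

from typing import Iterable, Sequence

# Sample set of transit-free ("tier-1") networks that agree to protect each
# other. Constructed for the example; membership is an assumption.
PROTECTED_ASNS: frozenset[int] = frozenset({174, 1299, 2914, 3356, 6453})

ATTACKER_ASN = 64500  # private-use ASN standing in for the compromised AS


def poisoned_path(origin_asn: int, poison_targets: Iterable[int]) -> list[int]:
    """Build an AS_PATH that 'poisons' the given ASNs.

    The attacker inserts each victim ASN between two copies of its own ASN.
    Every victim then sees its own ASN in the path and drops the route via
    standard loop detection, so traffic from that AS is steered elsewhere.
    """
    return [origin_asn, *poison_targets, origin_asn]


def loop_detect_reject(local_asn: int, as_path: Sequence[int]) -> bool:
    """Ordinary BGP loop detection: reject if our own ASN is in the path."""
    return local_asn in as_path


def peerlock_offenders(neighbor_asn: int, as_path: Sequence[int],
                       protected: frozenset[int] = PROTECTED_ASNS) -> set[int]:
    """Simplified Peerlock rule (assumption): a protected ASN may appear in
    an AS_PATH only when the route is learned directly from that ASN.
    Returns the protected ASNs that appear illegitimately (empty = accept).
    """
    return {asn for asn in as_path if asn in protected and asn != neighbor_asn}


def evaluate(local_asn: int, neighbor_asn: int, as_path: Sequence[int],
             protected: frozenset[int] = PROTECTED_ASNS) -> str:
    """Decide what `local_asn` does with `as_path` learned from `neighbor_asn`.

    Loop detection runs first (every BGP speaker does it); the Peerlock
    check only matters for networks that are not themselves the poison target.
    Pass protected=frozenset() to see the decision without Peerlock.
    """
    if loop_detect_reject(local_asn, as_path):
        return "reject: loop detection"
    offending = peerlock_offenders(neighbor_asn, as_path, protected)
    if offending:
        return "reject: peerlock " + str(sorted(offending))
    return "accept"


if __name__ == "__main__":
    # Attacker (customer of several tier-1s in this constructed scenario)
    # wants AS 3356 to drop its route so inbound traffic avoids that provider.
    path = poisoned_path(ATTACKER_ASN, [3356])
    print("poisoned AS_PATH:", path)
    print("AS 3356, from 64500 :", evaluate(3356, ATTACKER_ASN, path))
    print("AS 174,  from 64500 :", evaluate(174, ATTACKER_ASN, path))
    print("AS 174,  no Peerlock:", evaluate(174, ATTACKER_ASN, path, frozenset()))
    # Legitimate cases: a route learned from 3356 itself, and plain prepending.
    print("AS 174,  from 3356  :", evaluate(174, 3356, [3356, 64501]))
    print("AS 174,  prepend    :", evaluate(174, ATTACKER_ASN, [64500, 64500]))
```

The contrast worth noting is the third and fourth lines of output: without the Peerlock rule, AS 174 accepts the poisoned announcement and propagates it, which is what lets the attacker shape inbound paths; with it, the announcement dies at the first protected network that is not the poison target. Plain prepending of one's own ASN is unaffected, which is why this filter does not break the ordinary traffic-engineering use of AS_PATH.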