Visible to the public EAGER: USBRCCR: Researching Internet Routing Security in the WildConflict Detection Enabled

Project Details

Performance Period

Sep 01, 2017 - Aug 31, 2019

Institution(s)

Columbia University

Project URL


Award Number

1740883

The Internet provides a control plane to establish routes to destinations and a data plane to send traffic, and the protocols for both lack authentication. The lack of authentication allows networks to claim ownership of routes to other networks' addresses in order to siphon traffic (prefix hijacking), and allows devices to claim that their traffic came from a different source (source spoofing). These vulnerabilities form the basis for denial-of-service attacks, traffic interception and snooping, Bitcoin theft, and compromises of Tor's anonymity. Because of these vulnerabilities, routing research is a critical aspect of cybersecurity research. However, researchers lack experimental approaches that let them perform Internet routing experiments that are both realistic and controlled. This project aims to extend the public PEERING research testbed to enable classes of security-focused routing research that are beyond the reach of academic researchers today, and to subsequently develop techniques to identify which networks allow or are vulnerable to prefix hijacks and source spoofing. Results from this project will empower novel routing security research, help identify vulnerable networks, map bot populations, and serve as a step towards improved routing security in the Internet.

The project will extend the PEERING research testbed with security-related functionality, including the ability to execute containers on routers, integrating PEERING prefixes with the RPKI (an infrastructure for securing aspects of Internet routing), and making the testbed more reliable. It will also develop algorithms to (1) locate the sources of spoofed attack traffic and to (2) track the adoption of RPKI-based protection against prefix hijacking and identify possible problems in its application. The algorithms will use PEERING's ability to manipulate routing and its extensions developed in this project to force route changes and observe the impact on the volume of spoofed traffic received from each peer and which vantage points do/do not use routes that violate the RPKI. The algorithms will need to address challenges related to limited visibility of Internet routes, lack of ground truth about routing policies, and lack of control of routing decisions of other networks. The researchers will investigate how the algorithms can systematically change routes in order to narrow the set of feasible explanations to those consistent with all observations, yielding more precise inferences. The project's extensions to the testbed will allow others to conduct novel routing security research, and the algorithms from the project will identify vulnerable networks, a key step forwards in addressing the Internet's lack of authentication for traffic and routing.