<div><div dir="auto">Dear Jared,</div></div><div dir="auto"><br></div><div dir="auto">This was a very interesting read. Thank you for sharing it with us. The paper contained new information for me, if I hope I summarize it correctly: by combining AS_PATH poisoning and botnets, the botnet’s firing power can be more precisely aimed at a specific target. </div><div dir="auto"><br></div><div dir="auto">Can you clarify what the definition of a “link” is? Is it the logical interconnection between two ASNs (many pairs of ASNs interconnect in many places), or is it a reference to a specific physical interconnection between two routers, each in a different ASN?</div><div dir="auto"><br></div><div dir="auto">The paper mentions that if the top 20 transit-free (“tier-1”) networks protect each other against poisoning, the Maestro attack is drastically reduced in effectiveness. I have good news, amongst this set of networks, there already is a widely deployed anti poisoning mechanism, sometimes referred to as “Peerlock”. <a href="https://www.youtube.com/watch?v=CSLpWBrHy10">https://www.youtube.com/watch?v=CSLpWBrHy10</a> / <div><div><a href="https://www.nanog.org/sites/default/files/Snijders_Everyday_Practical_Bgp.pdf">https://www.nanog.org/sites/default/files/Snijders_Everyday_Practical_Bgp.pdf</a> . I think this paper suggests the Peerlock practice should be promoted more, and perhaps automated.</div></div></div><div dir="auto"><br></div><div dir="auto">Kind regards,</div><div dir="auto"><br></div><div dir="auto">Job</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 10 May 2019 at 15:27, Jared Smith <<a href="mailto:jms@vols.utk.edu">jms@vols.utk.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div name="messageBodySection">
<div dir="auto">Hello,<br>
<br>
Our research lab at the University of Tennessee (<a href="http://volsec.org" target="_blank">volsec.org</a>) has recently completed<br>
a study on channeling link-flooding attack (transit link DDoS) flows<br>
via BGP poisoning: the Maestro attack. We are seeking feedback on mitigation (see below). A brief summary from the abstract:<br>
<br>
"Executed from a compromised or malicious Autonomous System (AS),<br>
Maestro advertises specific-prefix routes poisoned for selected ASes<br>
to collapse inbound traffic paths onto a single target link. A greedy<br>
heuristic fed by publicly available AS relationship data iteratively<br>
builds the set of ASes to poison. Given a compromised BGP speaker with<br>
advantageous positioning relative to the target link in the Internet<br>
topology, an adversary can expect to enhance flow density by more than 30%.<br>
For a large botnet (e.g., Mirai), the bottom line result is augmenting a<br>
DDoS by more than a million additional infected hosts. Interestingly, the<br>
size of the adversary-controlled AS plays little role in this<br>
amplification effect. Devastating attacks on core links can be executed by<br>
small, resource-limited ASes."<br>
<br>
We are seeking feedback from operators on the attack and the proposed<br>
mitigations we have identified. While we have worked with our campus BGP<br>
operators, we are reaching out to the broader community for additional insights.<br>
<br>
Other than general notes/comments, we have two specific questions that we would<br>
like to include feedback for in the final paper soon to be submitted:<br>
<br>
1) Do you already filter poisoned/path prepend advertisements? This would<br>
mitigate the attack.<br>
<br>
2) After seeing this attack, would you consider adding poison filtering or some other Day mitigation?<br>
<br>
The preprint is available at: <a href="https://tiny.utk.edu/maestro" target="_blank">tiny.utk.edu/maestro</a>. See Section 7 on defenses.<br>
<br>
Please reply with any thoughts. Thank you in advance for comments, insight, and general feedback.<br>
<br>
Best,<br>
Tyler McDaniel, Jared Smith, and Max Schuchard<br>
UT Computer Security Lab<br>
<a href="http://volsec.org" target="_blank">volsec.org</a></div>
</div>
</div>
</blockquote></div></div>