Abstract
In this work, we introduce the Coordinated Cross Plane Session Termination, or CXPST, attack, a distributed denial of service attack that targets the control plane of the Internet. CXPST extends previous work that demonstrates a vulnerability in routers that allows an adversary to disconnect a pair of routers using only data plane traffic. By carefully choosing BGP sessions to terminate, CXPST generates a surge of BGP updates that is seen by nearly all core routers on the Internet. This surge of updates surpasses the computational capacity of affected routers, crippling their ability to make routing decisions. In this paper we show how an adversary can attack multiple BGP sessions simultaneously and measure the impact these session failures have on the control plane of the Internet. We directly simulate the BGP activity resulting from this attack and compute the impact those messages have on router processing loads. Through simulations we show that botnets on the order of 250,000 nodes can increase processing delays from orders of microseconds to orders of hours. We also propose and validate a defense against CXPST. Through simulation we demonstrate that current defenses are insufficient to stop CXPST. We propose an alternative, low-cost defense that is successful against CXPST, even if only the top 10% of Autonomous Systems by degree deploy it. Additionally, we consider more long-term defenses that stop not only CXPST, but similar attacks as well.
| Original language | English (US) |
|---|---|
| State | Published - 2011 |
| Event | 18th Symposium on Network and Distributed System Security, NDSS 2011 - San Diego, United States. Duration: Feb 6 2011 → Feb 9 2011 |
Conference
| Conference | 18th Symposium on Network and Distributed System Security, NDSS 2011 |
|---|---|
| Country/Territory | United States |
| City | San Diego |
| Period | 2/6/11 → 2/9/11 |
Bibliographical note
Publisher Copyright: © 2011 Proceedings of the Symposium on Network and Distributed System Security, NDSS 2011. All Rights Reserved.