...

Fig. 2: The conceptual demo topology.

Fig. 3: The fully emulated demo topology.

...

  • AS65001

    Intermediate AS that consists of a BGP speaker (R1), an L2 switch, a host (H1) and an ExaBGP Route Collector (RC).

    • R1: Announces the prefix 10.0.0.0/8 via BGP to its neighbors, AS65003 and AS65002. It also has an iBGP session with the ExaBGP RC, so that it propagates the BGP update messages it receives to the RC and ExaBGP can act as a BGP monitoring service.

    • ExaBGP RC: Connected to R1 via iBGP, but also to the ONOS controller in the protected AS (in the real world this connection can be established through the existing network, e.g. via a tunnel; the only limitation is that the ONOS network interface that interconnects with the RC must have a non-hijacked IP address, so that ONOS remains reachable by the monitoring service during the hijack).

    • H1 / 10.0.0.100: Host that communicates with the host inside the protected AS. It is used to visualize the data-plane behavior when the BGP hijack occurs.

  • AS65002

    Intermediate AS that consists of a BGP speaker (R2) that announces the prefix 20.0.0.0/8 via BGP to its neighbors (R1, R4). Its purpose is to add an extra hop to the AS-PATH so that the protected AS can be hijacked: although in the demo the attacker announces the exact prefix of the protected AS and not a more specific one, the BGP best path selection algorithm prefers the shorter AS-PATH, so R1 picks the hijacker's one-hop route (65003) over the legitimate two-hop route (65002 65004) and the hijacker steals the traffic.

  • AS65003

    Hijacker AS that consists of a BGP speaker (R3).

    • R3: By announcing the prefix of the protected AS (40.0.0.0/8) from this BGP speaker, we trigger a BGP hijack: all traffic generated in AS65001 and destined to AS65004 is redirected to the network of AS65003.

  • AS65004

    Protected AS that employs ONOS. It consists of a BGP speaker (R4), an OVS switch, a host (H4) and the ONOS instance.

    • R4: BGP speaker announcing 40.0.0.0/8. It is connected to its neighbor (R2) through the OVS switch, which is configured via the SDN-IP application to talk with the BGP speaker of AS65002.

    • OVS: Communicates with ONOS on a management interface in 192.168.0.0/24.

    • ONOS: Connected with the BGP speaker R4 to retrieve the BGP routing table. It also receives the BGP update messages from the ExaBGP RC when routing changes occur. Finally, it is connected with the OVS switch in order to interact with the data plane.

    • H4 / 40.0.0.100: Host that receives traffic from the host in AS65001 (H1) with the help of the reactive-routing application.

JSON Configuration File

The JSON configuration file (network-cfg.json) contains the configuration entries required to monitor prefixes and to check the validity of neighbors and paths. The following code block shows an example of the ARTEMIS JSON configuration format used in the demo topology.

...

Now the hijacker (AS65003) attracts all the traffic from AS65001 destined to 40.0.0.0/8; at the same time, the ExaBGP RC sends the BGP update of the hijack (among the other updates seen by the RC in AS65001) to the ONOS instance running ARTEMIS [1], and the hijack is detected. Checking the logs, you will see that the attack is detected and that the deaggregation mechanism has mitigated it, by announcing the more specific prefixes 40.0.0.0/9 and 40.128.0.0/9 from the BGP speaker of the protected AS. After BGP converges and the control and data planes are consistent again, the traffic of AS65001 destined to 40.0.0.0/8 returns to the protected AS.
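To make the detection and mitigation steps concrete, the following is an added Python example, not code from the ONOS ARTEMIS application (whose network-cfg.json schema is not shown on this page). It checks incoming BGP updates, as the RC in AS65001 would see them, against a constructed prefix/origin/neighbor configuration for the demo topology, and deaggregates the protected prefix into the two /9 prefixes named above. It goes slightly beyond the demo by also handling sub-prefix announcements and forged-origin (bogus neighbor) hijacks. The configuration dictionary, the function names, the sample updates and the 40.0.0.1 next-hop are all assumptions made for the example.

```python
import ipaddress

# Constructed stand-in for the monitored-prefix configuration of the demo:
# the protected prefix, its legitimate origin AS and the neighbor ASes that
# may legitimately appear right before the origin in an AS-PATH.  This is an
# assumed, simplified schema, not the network-cfg.json format ARTEMIS reads.
PROTECTED_PREFIXES = {
    "40.0.0.0/8": {"origin": 65004, "neighbors": {65002}},
}


def classify_update(prefix, as_path, config=PROTECTED_PREFIXES):
    """Classify one BGP update as seen by the route collector.

    prefix  -- announced prefix, e.g. "40.0.0.0/8"
    as_path -- AS-PATH as received by the monitor (first hop ... origin)
    Returns "legit", "origin-hijack", "neighbor-hijack" or "unmonitored".
    """
    if not as_path:
        raise ValueError("empty AS-PATH cannot be validated")
    net = ipaddress.ip_network(prefix)
    for cfg_prefix, rule in config.items():
        cfg_net = ipaddress.ip_network(cfg_prefix)
        # Exact-prefix and more-specific (sub-prefix) announcements both
        # fall under the monitored prefix and are checked the same way.
        if net.version == cfg_net.version and net.subnet_of(cfg_net):
            origin = as_path[-1]
            if origin != rule["origin"]:
                return "origin-hijack"      # e.g. 65003 announcing 40.0.0.0/8
            # Path-manipulation hijack: the attacker keeps the true origin
            # but inserts itself as the origin's (bogus) neighbor.
            if len(as_path) >= 2 and as_path[-2] not in rule["neighbors"]:
                return "neighbor-hijack"
            return "legit"
    return "unmonitored"


def deaggregate(prefix):
    """Split a prefix into its two more-specific halves (the demo's mitigation)."""
    net = ipaddress.ip_network(prefix)
    return [str(s) for s in net.subnets(prefixlen_diff=1)]


def mitigation_announcements(prefix, next_hop):
    """ExaBGP API 'announce route' commands for the more-specific prefixes.

    In the demo the mitigation is announced by R4, the protected AS's BGP
    speaker; the ExaBGP command form is used here only as an illustration.
    """
    return [f"announce route {p} next-hop {next_hop}" for p in deaggregate(prefix)]


if __name__ == "__main__":
    # Constructed updates as the RC in AS65001 would see them via iBGP from R1.
    updates = [
        ("40.0.0.0/8", [65002, 65004]),   # legitimate route via AS65002
        ("40.0.0.0/8", [65003]),          # the demo's hijack from R3
        ("40.0.0.0/9", [65003, 65004]),   # sub-prefix with a forged origin
        ("10.0.0.0/8", [65001]),          # R1's own prefix, not monitored
    ]
    for prefix, path in updates:
        verdict = classify_update(prefix, path)
        print(f"{prefix:<12} {path!s:<16} -> {verdict}")
        if verdict.endswith("hijack") and prefix == "40.0.0.0/8":
            for cmd in mitigation_announcements(prefix, "40.0.0.1"):
                print("   ", cmd)
```

The two /9 prefixes beat the hijacker's /8 by longest-prefix match on every router that accepts them, which is why the traffic returns to the protected AS once BGP converges. Two caveats a practitioner should keep in mind: deaggregation only helps where the more specifics actually propagate (many networks filter anything longer than a /24), and the neighbor check is only as good as the configured neighbor list, so an incomplete list produces false alarms.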

Demo video



https://www.youtube.com/watch?v=UouzKz8sUFw

ONOS Technical Steering Team Presentation

https://www.youtube.com/watch?v=VeFeqbcviUE

Presentation Slides: https://goo.gl/UZREBe

References

[1] G. Chaviaras, P. Gigis, P. Sermpezis, and X. Dimitropoulos, “ARTEMIS: Real-Time Detection and Automatic Mitigation for BGP Prefix Hijacking (demo)”, in ACM SIGCOMM, 2016 (url: http://www.inspire.edu.gr/wp-content/pdfs/PavlosSIGCOMM2016.pdf)

...