防范路由劫持的协同监测方法
CSTR:
作者:
作者单位:

作者简介:

通讯作者:

中图分类号:

基金项目:

国家自然科学基金(61170285,61100223);国家重点基础研究发展计划(973)(2011CB302600)


Securing Prefixes Against BGP Hijacking in a Cooperative Way
Author:
Affiliation:

Fund Project:

  • 摘要
  • |
  • 图/表
  • |
  • 访问统计
  • |
  • 参考文献
  • |
  • 相似文献
  • |
  • 引证文献
  • |
  • 资源附件
  • |
  • 文章评论
    摘要:

    路由劫持是当前Internet域间路由系统(BGP)所面临的最严重的安全威胁之一,但目前仍缺乏有效的防护手段.将自治系统(autonomous system,简称AS)基于BGP路由信息自我发现路由劫持的概率定义为对路由劫持的免疫能力,对该免疫能力进行了建模,并给出了AS自我免疫的充分条件和必要条件以及该免疫能力的上界.实验结果发现,80%以上的AS对路由劫持完全没有免疫能力,仅不超过0.26%的AS具有大于85%的免疫能力.对AS免疫过程的进一步分析,揭示了造成AS免疫能力低下的提供商栅栏现象——提供商优先选择客户路由,从而阻止了劫持路由向被劫持者的传播.为了克服提供商栅栏,提高AS的免疫能力,设计了协同监测机制,并提出了一种计算复杂度较低的启发式协同邻居选取策略.该机制无需修改BGP协议,可增量部署.实验结果表明,仅与25个自治系统进行协同,就可以将对路由劫持的免疫能力提高到高于95%的水平.

    Abstract:

    BGP hijacking is one of the most severe threats facing current inter-domain routing system, but yet there still lack effective countermeasures. This paper models AS (autonomous system) level immunity to BGP hijacking as the possibility of the victim AS learning bogus routes via local BGP routing information, and presents the sufficient condition and necessary condition for an AS to be immune in the presence of BGP hijacking, as well as the upper bound of such immunity. Evaluation results show that more than 80% of ASes have no immunity to BGP hijacking at all and only less than 0.26% of ASes have immunity higher than 85%. Further analysis pinpoints the root cause of such low immunity—provider barrier that victim AS' providers prefer customer routes and prevent the propagation of bogus route to the victim. To tackle this barrier and improve AS level immunity against BGP hijacking, this study designs a cooperation based monitoring mechanism, and proposes a lightweight heuristic approach for each participant to select AS cooperators. This proposed mechanism is completely compatible to BGP, and is incrementally deployable. Experimental results show that by peering with only 25 cautiously selected ASes, one AS can significantly improve its immunity to 95%.

    参考文献
    相似文献
    引证文献
引用本文

王小强,朱培栋,卢锡城.防范路由劫持的协同监测方法.软件学报,2014,25(3):642-661

复制
分享
文章指标
  • 点击次数:
  • 下载次数:
  • HTML阅读次数:
  • 引用次数:
历史
  • 收稿日期:2011-11-04
  • 最后修改日期:2013-11-28
  • 录用日期:
  • 在线发布日期: 2013-11-28
  • 出版日期:
文章二维码
您是第位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号