Firewalling Scenic Routes: Preventing Data Exfiltration via Political and Geographic Routing Policies

Published: 24 October 2016

Abstract

In this paper we describe a system that allows the real time creation of firewall rules in response to geographic and political changes in the control-plane. This allows an organization to mitigate data exfiltration threats by analyzing Border Gateway Protocol (BGP) updates and blocking packets from being routed through problematic jurisdictions. By inspecting the autonomous system paths and referencing external data sources about the autonomous systems, a BGP participant can infer the countries that traffic to a particular destination address will traverse. Based on this information, an organization can then define constraints on its egress traffic to prevent sensitive data from being sent via an untrusted region. In light of the many route leaks and BGP hijacks that occur today, this offers a new option to organizations willing to accept reduced availability over the risk to confidentiality. Similar to firewalls that allow organizations to block traffic originating from specific countries, our approach allows blocking outbound traffic from transiting specific jurisdictions. To illustrate the efficacy of this approach, we provide an analysis of paths to various financial services IP addresses over the course of a month from a single BGP vantage point that quantifies the frequency of path alterations resulting in the traversal of new countries. We conclude with an argument for the utility of country-based egress policies that do not require the cooperation of upstream providers.
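The inference step the abstract describes, written out as an added example rather than code from the paper: each ASN on an AS_PATH is mapped to a country, any hop in an untrusted jurisdiction yields a deny decision for egress to that prefix, and a change of best path that brings in a previously unseen country is counted, which is the event the paper's month-long analysis quantifies. The ASN-to-country table, the BGP UPDATE records and the blocked-country policy are all constructed sample data.

```python
"""Added illustration (not the paper's code): infer the jurisdictions an egress
packet may traverse from a BGP AS_PATH and derive a fail-closed firewall decision."""
import re

# Constructed ASN -> country table; a deployment would fill it from external AS data.
ASN_COUNTRY = {64496: "US", 64497: "US", 64498: "CA", 64499: "DE", 64500: "IR"}

def path_countries(as_path, asn_country=ASN_COUNTRY):
    """Countries a packet may cross. AS_SET members in braces are all included,
    since traffic may be carried by any of them; unknown ASNs become '??'."""
    return {asn_country.get(int(a), "??") for a in re.findall(r"\d+", as_path)}

def egress_decision(as_path, blocked, allow_unknown=False):
    """Deny if any traversed country is blocked, or if a hop's country is
    unknown and the policy does not tolerate that (fail closed)."""
    countries = path_countries(as_path)
    if countries & set(blocked) or ("??" in countries and not allow_unknown):
        return "deny"
    return "permit"

def process_updates(updates, blocked):
    """Replay BGP UPDATE records in order. Returns the firewall action emitted
    for each update and how many path changes brought in a previously unseen country."""
    current = {}  # prefix -> country set of the currently installed path
    actions, new_country_events = [], 0
    for upd in updates:
        prefix = upd["prefix"]
        if upd["type"] == "withdraw":
            current.pop(prefix, None)
            actions.append((prefix, "withdrawn"))
            continue
        countries = path_countries(upd["as_path"])
        prev = current.get(prefix)
        if prev is not None and countries - prev:
            new_country_events += 1
        current[prefix] = countries
        actions.append((prefix, egress_decision(upd["as_path"], blocked)))
    return actions, new_country_events

# Constructed sample feed: the path to 203.0.113.0/24 later shifts through two new
# countries, one of them blocked; 198.51.100.0/24 arrives with an AS_SET.
UPDATES = [
    {"type": "announce", "prefix": "203.0.113.0/24", "as_path": "64496 64497 64498"},
    {"type": "announce", "prefix": "203.0.113.0/24", "as_path": "64496 64499 64500 64498"},
    {"type": "announce", "prefix": "198.51.100.0/24", "as_path": "64496 {64497,64499}"},
    {"type": "withdraw", "prefix": "203.0.113.0/24"},
]
if __name__ == "__main__":
    for prefix, action in process_updates(UPDATES, blocked={"IR"})[0]:
        print(prefix, action)
```

Treating unknown ASNs as deny by default mirrors the abstract's trade-off of reduced availability for confidentiality; set `allow_unknown=True` to relax it where the external AS data is incomplete.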



Published In

SafeConfig '16: Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense
October 2016, 130 pages
ISBN: 9781450345668
DOI: 10.1145/2994475
Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. BGP
  2. prefix hijacking
  3. routing security

Conference

CCS'16

Acceptance Rates

SafeConfig '16 Paper Acceptance Rate 6 of 13 submissions, 46%;
Overall Acceptance Rate 22 of 61 submissions, 36%


Cited By

  • (2024) Modeling the BGP Prefix Hijack via Pollution and Recovery Processes. Big Data and Social Computing, pp. 253-265. DOI: 10.1007/978-981-97-5803-6_15. Online publication date: 1-Aug-2024.
  • (2022) Digital routes and borders in the Middle East: the geopolitical underpinnings of Internet connectivity. Territory, Politics, Governance 11(6):1059-1080. DOI: 10.1080/21622671.2022.2153726. Online publication date: 16-Dec-2022.
  • (2022) Towards Mitigation of Data Exfiltration Techniques Using the MITRE ATT&CK Framework. Digital Forensics and Cyber Crime, pp. 139-158. DOI: 10.1007/978-3-031-06365-7_9. Online publication date: 4-Jun-2022.
  • (2021) The geopolitics behind the routes data travel: a case study of Iran. Journal of Cybersecurity 7(1). DOI: 10.1093/cybsec/tyab018. Online publication date: 17-Aug-2021.
  • (2020) Measuring the Fragmentation of the Internet: The Case of the Border Gateway Protocol (BGP) During the Ukrainian Crisis. 2020 12th International Conference on Cyber Conflict (CyCon), pp. 157-182. DOI: 10.23919/CyCon49761.2020.9131726. Online publication date: May-2020.
