Skip to main content

The Maestro Attack: Orchestrating Malicious Flows with BGP

  • Conference paper
  • First Online:
Security and Privacy in Communication Networks (SecureComm 2020)

Abstract

We present Maestro, a novel Distributed Denial of Service (DDoS) attack that leverages control plane traffic engineering techniques to concentrate botnet flows on transit links. Executed from a compromised or malicious Autonomous System (AS), Maestro advertises routes poisoned for selected ASes to collapse inbound traffic paths onto a single target link. A greedy heuristic fed by bot traceroute data iteratively builds the set of ASes to poison. Given a compromised router with advantageous positioning in the AS-level Internet topology, an adversary can expect to bring an additional 30% of the entire botnet against vulnerable links. Interestingly, the size of the adversary-controlled AS plays little role in this amplification effect; core links can be degraded by small, resource-limited ASes. To understand the scope of the attack, we evaluate widespread Internet link vulnerability via simulation across several metrics, including BGP betweenness and botnet flow density, and assess the topological requirements for successful attacks. We supplement simulation results with ethically conducted “attacks” on real Internet links. Finally, we present effective defenses for network operators seeking to mitigate this attack.

Study supported by the National Science Foundation under Grant No. 1850379.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Anwar, R., Niaz, H., Choffnes, D.R., Cunha, Í.S., Gill, P., Katz-Bassett, E.: Investigating interdomain routing policies in the wild. In: ACM IMC (2015)

    Google Scholar 

  2. Augustin, B., et al.: Avoiding traceroute anomalies with Paris traceroute. In: ACM SIGCOMM (2006)

    Google Scholar 

  3. Bellovin, S.M., Gansner, E.R.: Using Link Cuts to Attack Internet Routing (2003)

    Google Scholar 

  4. Birge-Lee, H., Wang, L., Rexford, J., Mittal, P.: SICO: surgical interception attacks by manipulating BGP communities. In: ACM CCS (2019)

    Google Scholar 

  5. Chang, W., Mohaisen, A., Wang, A., Chen, S.: Measuring botnets in the wild: some new trends (2015)

    Google Scholar 

  6. Chung, T., et al.: RPKI is coming of age: a longitudinal study of RPKI deployment and invalid route origins. In: ACM IMC (2019)

    Google Scholar 

  7. Cisco: Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability. https://bit.ly/3aFfFhN

  8. Cisco: Cisco IOS XE Software AAA Login Authentication Remote Code Execution Vulnerability. https://bit.ly/2RmkB3o

  9. Cisco: Cisco IOS XE Software Static Credential Vulnerability. https://bit.ly/2RnyjmA

  10. Cisco: Cisco REST API Container for IOS XE Software Authentication Bypass Vulnerability. https://bit.ly/2NVkIB5

  11. Colitti, L., et al.: Internet Topology Discovery Using Active Probing (2006)

    Google Scholar 

  12. Cristina, B., et al.: SIBRA: scalable internet bandwidth reservation architecture (2016)

    Google Scholar 

  13. Cymru, Team: The Team Cymru IP to ASN lookup page. https://www.team-cymru.com/IP-ASN-mapping.html

  14. Dainotti, A., et al.: Analysis of country-wide internet outages caused by censorship. In: ACM SIGCOMM (2011)

    Google Scholar 

  15. Demchak, C.C., Shavitt, Y.: China’s maxim - leave no access point unexploited: the hidden story of China telecom’s BGP Hijacking. Mil. Cyber Aff. (2018)

    Google Scholar 

  16. Donnet, B., Bonaventure, O.: On BGP communities. In: ACM SIGCOMM (2008)

    Google Scholar 

  17. Madory, D.: BGP Hijack of Amazon DNS to Steal Crypto Currency (2018). https://bit.ly/37vW2Ha

  18. Gao, L.: On inferring autonomous system relationships in the Internet. In: IEEE/ACM ToN (2001)

    Google Scholar 

  19. Huston, G.: AS65000 BGP Routing Table Analysis Report (2020). http://bgp.potaroo.net/as2.0/bgp-active.html

  20. Gilad, Y., Cohen, A., Herzberg, A., Schapira, M., Shulman, H.: Are we there yet? On RPKI’s deployment and security. In: NDSS (2017)

    Google Scholar 

  21. Goldberg, S.: Why is it taking so long to secure internet routing? CACM (2014)

    Google Scholar 

  22. Google Security and White Ops: The Hunt for 3ve (2016)

    Google Scholar 

  23. Pepelnjak, I.: Limit the maximum BGP path length (2009). http://wiki.nil.com/Limit_the_maximum_BGP_AS-path_length

  24. Snijders, J.: NTT Peer Locking (2016). http://instituut.net/job/peerlock_manual.pdf

  25. Kang, M.S., Gligor, V.D., Sekar, V.: SPIFFY: inducing cost-detectability tradeoffs for persistent link-flooding attacks. In: NDSS (2016)

    Google Scholar 

  26. Kang, M.S., Lee, S.B., Gligor, V.D.: The crossfire attack. In: IEEE S&P (2013)

    Google Scholar 

  27. Katz-Bassett, E., et al.: Reverse traceroute. In: Usenix NSDI (2010)

    Google Scholar 

  28. Katz-Bassett, E., et al.: LIFEGUARD: practical repair of persistent route failures. In: ACM SIGCOMM (2012)

    Google Scholar 

  29. Lee, S.B., Kang, M.S., Gligor, V.D.: CoDef: collaborative defense against large-scale link-flooding attacks. In: ACM CONEXT (2013)

    Google Scholar 

  30. Lepinski, M., Sriram, K.: RFC 8205 - BGPSEC protocol specification. IETF (2013)

    Google Scholar 

  31. Liaskos, C., Kotronis, V., Dimitropoulos, X.: A novel framework for modeling and mitigating distributed link flooding attacks. In: IEEE INFOCOM (2016)

    Google Scholar 

  32. Litke, P., Stewart, J.: BGP hijacking for cryptocurrency profit (2014)

    Google Scholar 

  33. Luckie, M., et al.: AS relationships, customer cones, and validation. In: ACM IMC (2013)

    Google Scholar 

  34. Lepinski, M., Kent, S.: An Infrastructure to Support Secure Internet Routing (2012). https://tools.ietf.org/html/rfc6480

  35. Majkowski, M.: Memcrashed-Major amplification attacks from UDP port 11211 (2018)

    Google Scholar 

  36. McDaniel, T., Smith, J.M., Schuchard, M.: Flexsealing BGP against route leaks: peerlock active measurement and analysis. In: NDSS (2021, in press)

    Google Scholar 

  37. McPherson, D., Gill, V.: BGP MULTI\_EXIT\_DISC (MED) Considerations (2006)

    Google Scholar 

  38. Netlab360: Mirai Scanner (2017). http://data.netlab.360.com/mirai-scanner/

  39. Nordström, O., Dovrolis, C.: Beware of BGP attacks. In: ACM SIGCOMM (2004)

    Google Scholar 

  40. Oliveira, R., Pei, D., Willinger, W., Zhang, B., Zhang, L.: The (in) completeness of the observed internet AS-level structure. In: IEEE/ACM ToN (2009)

    Google Scholar 

  41. Putman, C.G.J., et al.: Business model of a botnet

    Google Scholar 

  42. Ravi, N., Shalinie, S.M., Theres, D.D.J.: BALANCE: link flooding attack detection and mitigation via hybrid-SDN. IEEE Trans. Netw. Serv. Manag. 17, 1715–1729 (2020)

    Article  Google Scholar 

  43. Rekhter, Y., Li, T.: A Border Gateway Protocol 4 (BGP-4) (1995)

    Google Scholar 

  44. Schlinker, B., Arnold, T., Cunha, I., Katz-Bassett, E.: PEERING: virtualizing BGP at the edge for research. In: ACM CONEXT (2019)

    Google Scholar 

  45. Schuchard, M., Geddes, J., Thompson, C., Hopper, N.: Routing around decoys. In: ACM CCS (2012)

    Google Scholar 

  46. Schuchard, M., Mohaisen, A., Foo Kune, D., Hopper, N., Kim, Y., Vasserman, E.Y.: Losing control of the internet: using the data plane to attack the control plane. In: ACM CCS. ACM (2010)

    Google Scholar 

  47. Scott Sr, J., Winter Summit: Rise of the Machines: The Dyn Attack was Just a Practice Run, December 2016

    Google Scholar 

  48. Smith, J.M., Birkeland, K., McDaniel, T., Schuchard, M.: Withdrawing the BGP re-routing curtain: understanding and analyzing the security impact of BGP poisoning through real-world measurements. In: NDSS (2020)

    Google Scholar 

  49. Smith, J.M., Schuchard, M.: Routing around congestion: defeating DDoS attacks and adverse network conditions via reactive BGP routing. In: 2018 IEEE Symposium on Security and Privacy (SP) (2018)

    Google Scholar 

  50. Sriram, K., Montgomery, D.C.: Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. NIST (2019)

    Google Scholar 

  51. RN Staff: Ripe atlas: a global internet measurement network. IP J. (2015)

    Google Scholar 

  52. Studer, A., Perrig, A.: The coremelt attack. In: ESORICS (2009)

    Google Scholar 

  53. Thomas, M., Mohaisen, A.: Kindred domains: detecting and clustering botnet domains using DNS traffic. In: WWW (2014)

    Google Scholar 

  54. Tran, M., Kang, M.S., Hsiao, H.-C., Chiang, W.-H., Tung, S.-P., Wang, Y.-S.: On the feasibility of rerouting-based DDoS defenses. In: IEEE S&P (2019)

    Google Scholar 

  55. UCSD-CAIDA: CAIDA AS Rank dataset (2019). http://as-rank.caida.org/

  56. UCSD-CAIDA: CAIDA AS Relationship dataset (2019). https://bit.ly/2RpRWuv

  57. Jacobson, V.: Traceroute Man Page. https://linux.die.net/man/8/traceroute

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Tyler McDaniel .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2020 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

McDaniel, T., Smith, J.M., Schuchard, M. (2020). The Maestro Attack: Orchestrating Malicious Flows with BGP. In: Park, N., Sun, K., Foresti, S., Butler, K., Saxena, N. (eds) Security and Privacy in Communication Networks. SecureComm 2020. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 335. Springer, Cham. https://doi.org/10.1007/978-3-030-63086-7_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-63086-7_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-63085-0

  • Online ISBN: 978-3-030-63086-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics