Justin Furuness (University of Connecticut), Cameron Morris (University of Connecticut), Reynaldo Morillo (University of Connecticut), Arvind Kasiliya (University of Connecticut), Bing Wang (University of Connecticut), Amir Herzberg (University of Connecticut)

Before the adoption of Route Origin Validation (ROV), prefix and subprefix hijacks were the most effective and common attacks on BGP routing. Recent works show that ROV adoption is increasing rapidly; with sufficient ROV adoption, prefix and subprefix attacks become ineffective.
We study this changing landscape and in particular the Autonomous System Provider Authorization (ASPA) proposal,
which focuses on route leakage but also foils some other
attacks.

Using recent measurements of real-world ROV adoption, we evaluate its security impact. Our simulations show substantial impact: emph{already today}, prefix hijacks are less effective than forged-origin hijacks, and the effectiveness of subprefix hijacks is much reduced.
Therefore, we expect attackers to move to forged-origin hijacks and other emph{post-ROV attacks}; we present a new, powerful post-ROV attack, emph{spoofing}.

We present extensive evaluations of different post-ROV defenses and attacks. Our results show that ASPA significantly protects against post-ROV attacks, even in partial adoption. It dramatically improves upon the use of only ROV or of BGPsec, Path-End, OTC, and EdgeFilter. BGP-iSec has even better protection but requires public-key operations to export/import announcements. We also present ASPAwN, an extension that further improves ASPA's performance. Our results show that contrary to prior works [74], [95], ASPA is effective even when tier-1 ASes are not adopting, hence motivating ASPA adoption at edge and intermediate ASes.
On the other hand, we find that against
emph{accidental} route leaks, the simpler, standardized OTC mechanism is as effective as ASPA.

View More Papers

MOBIDOJO: A Virtual Security Combat Platform for 5G Cellular...

Hyunwoo Lee (Ohio State University), Haohuang Wen (Ohio State University), Phillip Porras (SRI), Vinod Yegneswaran (SRI), Ashish Gehani (SRI), Prakhar Sharma (SRI), Zhiqiang Lin (Ohio State University)

Read More

On Borrowed Time – Preventing Static Side-Channel Analysis

Robert Dumitru (Ruhr University Bochum and The University of Adelaide), Thorben Moos (UCLouvain), Andrew Wabnitz (Defence Science and Technology Group), Yuval Yarom (Ruhr University Bochum)

Read More

Revealing the Black Box of Device Search Engine: Scanning...

Mengying Wu (Fudan University), Geng Hong (Fudan University), Jinsong Chen (Fudan University), Qi Liu (Fudan University), Shujun Tang (QI-ANXIN Technology Research Institute; Tsinghua University), Youhao Li (QI-ANXIN Technology Research Institute), Baojun Liu (Tsinghua University), Haixin Duan (Tsinghua University; Quancheng Laboratory), Min Yang (Fudan University)

Read More

Hitchhiking Vaccine: Enhancing Botnet Remediation With Remote Code Deployment...

Runze Zhang (Georgia Institute of Technology), Mingxuan Yao (Georgia Institute of Technology), Haichuan Xu (Georgia Institute of Technology), Omar Alrawi (Georgia Institute of Technology), Jeman Park (Kyung Hee University), Brendan Saltaformaggio (Georgia Institute of Technology)

Read More