DocumentCode :
652905
Title :
Identifying and Addressing Protocol Manipulation Attacks in "Secure" BGP
Author :
Yang Song ; Venkataramani, Arun ; Lixin Gao
Author_Institution :
Univ. of Massachusetts, Amherst, MA, USA
fYear :
2013
fDate :
8-11 July 2013
Firstpage :
550
Lastpage :
559
Abstract :
Over more than a decade, researchers have studied a number of control and data plane attacks on BGP, the Internet's interdomain routing protocol, in the presence of malicious ASes. These prior efforts have largely focused on attacks that can be addressed using traditional cryptographic mechanisms to ensure authentication or integrity (e.g., S-BGP). Although augmenting BGP with authentication and integrity mechanisms is critical, it is far from sufficient to prevent attacks based on manipulating the complex BGP protocol itself. In this paper, we identify two serious protocol manipulation attacks that undermine the two most fundamental goals of the BGP control plane -- to ensure reachability and enable ASes to pick routes according to their routing policies -- despite the presence of S-BGP-like mechanisms. Our key contributions are to (1) formalize two critical security properties, (2) experimentally validate using commodity router implementations that BGP fails to achieve them, (3) quantify the extent of the resulting vulnerabilities in the Internet's AS topology, and (4) design and implement simple modifications to provably ensure that those properties are satisfied. Our experiments show that a single malicious AS can cause thousands of other ASes to become disconnected from thousands of other ASes for arbitrarily long, while our proposed modifications almost completely eliminate such attacks.
Keywords :
Internet; computer network security; cryptography; internetworking; reachability analysis; routing protocols; telecommunication network topology; Internet interdomain routing protocol; S-BGP-like mechanisms; authentication mechanism; border gateway protocol; commodity router implementations; cryptographic mechanisms; integrity mechanism; malicious ASes; protocol manipulation attack address; protocol manipulation attack identification; reachability; secure BGP control plane; Authentication; Erbium; Routing; Routing protocols; Steady-state;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Distributed Computing Systems (ICDCS), 2013 IEEE 33rd International Conference on
Conference_Location :
Philadelphia, PA
ISSN :
1063-6927
Type :
conf
DOI :
10.1109/ICDCS.2013.32
Filename :
6681624