###
Journal of Software:2014.25(3):642-661

防范路由劫持的协同监测方法
王小强,朱培栋,卢锡城
(国防科学技术大学 计算机学院, 湖南 长沙 410073)
Securing Prefixes Against BGP Hijacking in a Cooperative Way
WANG Xiao-Qiang,ZHU Pei-Dong,LU Xi-Cheng
(School of Computer, National University of Defense Technology, Changsha 410073, China)
Abstract
Chart / table
Reference
Similar Articles
Article :Browse 2088   Download 1956
Received:November 04, 2011    Revised:November 28, 2013
> 中文摘要: 路由劫持是当前Internet域间路由系统(BGP)所面临的最严重的安全威胁之一,但目前仍缺乏有效的防护手段.将自治系统(autonomous system,简称AS)基于BGP路由信息自我发现路由劫持的概率定义为对路由劫持的免疫能力,对该免疫能力进行了建模,并给出了AS自我免疫的充分条件和必要条件以及该免疫能力的上界.实验结果发现,80%以上的AS对路由劫持完全没有免疫能力,仅不超过0.26%的AS具有大于85%的免疫能力.对AS免疫过程的进一步分析,揭示了造成AS免疫能力低下的提供商栅栏现象——提供商优先选择客户路由,从而阻止了劫持路由向被劫持者的传播.为了克服提供商栅栏,提高AS的免疫能力,设计了协同监测机制,并提出了一种计算复杂度较低的启发式协同邻居选取策略.该机制无需修改BGP协议,可增量部署.实验结果表明,仅与25个自治系统进行协同,就可以将对路由劫持的免疫能力提高到高于95%的水平.
中文关键词: 域间路由  路由劫持  提供商栅栏  协同  监测
Abstract:BGP hijacking is one of the most severe threats facing current inter-domain routing system, but yet there still lack effective countermeasures. This paper models AS (autonomous system) level immunity to BGP hijacking as the possibility of the victim AS learning bogus routes via local BGP routing information, and presents the sufficient condition and necessary condition for an AS to be immune in the presence of BGP hijacking, as well as the upper bound of such immunity. Evaluation results show that more than 80% of ASes have no immunity to BGP hijacking at all and only less than 0.26% of ASes have immunity higher than 85%. Further analysis pinpoints the root cause of such low immunity—provider barrier that victim AS' providers prefer customer routes and prevent the propagation of bogus route to the victim. To tackle this barrier and improve AS level immunity against BGP hijacking, this study designs a cooperation based monitoring mechanism, and proposes a lightweight heuristic approach for each participant to select AS cooperators. This proposed mechanism is completely compatible to BGP, and is incrementally deployable. Experimental results show that by peering with only 25 cautiously selected ASes, one AS can significantly improve its immunity to 95%.
文章编号:     中图分类号:    文献标志码:
基金项目:国家自然科学基金(61170285,61100223);国家重点基础研究发展计划(973)(2011CB302600) 国家自然科学基金(61170285,61100223);国家重点基础研究发展计划(973)(2011CB302600)
Foundation items:
Reference text:

王小强,朱培栋,卢锡城.防范路由劫持的协同监测方法.软件学报,2014,25(3):642-661

WANG Xiao-Qiang,ZHU Pei-Dong,LU Xi-Cheng.Securing Prefixes Against BGP Hijacking in a Cooperative Way.Journal of Software,2014,25(3):642-661