Collaborative Network Security Targeting Wide-Area Routing and Edge-Network Attacks

Linköping Studies in Science and Technology Dissertations. No. 1798

Collaborative Network Security Targeting Wide-area Routing and Edge-network Attacks

by Rahul Gokulchand Hiran

Department of Computer and Information Science
Linköping University
SE-581 83 Linköping, Sweden

Linköping 2016

Copyright © 2016 Rahul Hiran
ISBN 978-91-7685-662-8
ISSN 0345-7524
Cover art together with Per Lagman
Printed by LiU Tryck 2016
URL: http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-131959

Abstract

To ensure that services can be delivered reliably and continuously over the Internet, it is important that both Internet routes and edge networks are secured. However, the sophistication and distributed nature of many attacks that target wide-area routing and edge networks make it difficult for an individual network, user, or router to detect these attacks. Therefore collaboration is important. Although the benefits of collaboration between different network entities have been demonstrated, many open questions still remain, including how to best design distributed scalable mechanisms to mitigate attacks on the network infrastructure. This thesis makes several contributions that aim to secure the network infrastructure against attacks targeting wide-area routing and edge networks. First, we present a characterization of a controversial large-scale routing anomaly, in which a large Telecom operator hijacked a very large number of Internet routes belonging to other networks. We use publicly available data from the time of the incident to understand what can be learned about large-scale routing anomalies and what type of data should be collected in the future to diagnose and detect such anomalies.

Second, we present multiple distributed mechanisms that enable collaboration and information sharing between different network entities that are affected by such attacks. The proposed mechanisms are applied in the contexts of collaborating Autonomous Systems (ASes), users, and servers, and are shown to help raise alerts for various attacks. Using a combination of data-driven analysis and simulations, based on publicly available real network data (including traceroutes, BGP announcements, and network relationship data), we show that our solutions are scalable, incur low communication and processing overhead, and provide attractive tradeoffs between attack detection and false alert rates.

Finally, for a set of previously proposed routing security mechanisms, we consider the impact of regional deployment restrictions, the scale of the collaboration, and the size of the participants deploying the solutions. Although regional deployment can be seen as a restriction and the participation of large networks is often desirable, we find interesting cases where regional deployment can yield better results compared to random global deployment, and where smaller networks can play an important role in achieving better security gains. This study offers new insights towards incremental deployment of different classes of routing security mechanisms.

This work was supported by the Swedish National Graduate School of Computer Science (CUGS) and the Internet Foundation in Sweden (IIS).

Popular science summary

The Internet and its services are highly exposed to attacks. Many of the critical protocols and mechanisms needed to deliver services over the Internet were designed several decades ago. These protocols and mechanisms depend heavily on trust between different network components, such as routers and servers.
However, the explosive growth in Internet use has led attackers to begin exploiting this implicit trust between components. For example, the Border Gateway Protocol, which is used to decide which path data on the Internet should take, allows anyone to claim that a particular path exists. Attackers can thereby eavesdrop on and manipulate information sent over the Internet.

To ensure that services can be delivered reliably over the Internet, it is important both that the route is correct and that the end-user network is secured. Because the attacks are often advanced and distributed, it is difficult for an individual network operator to detect them. Collaboration is therefore important for detecting and protecting against such attacks. Although the benefits of collaboration between network operators have been demonstrated, many challenges remain. One such challenge is designing distributed, scalable mechanisms to prevent attacks on network infrastructure. This thesis proposes and evaluates several ways to protect route selection and end-user networks.

To understand the extent of attacks on network infrastructure and the techniques used to carry them out, we first present a descriptive study of a large-scale incident in which China Telecom's network systems incorrectly claimed to be the final destination for a significant share of Internet traffic. As a result, a great deal of Internet traffic was redirected to China Telecom, including traffic intended for American defense organizations. What distinguished this incident was that China Telecom had enough bandwidth to in turn deliver the traffic to the correct destination, which made the incident hard to detect. We have studied the consequences of this incident and examined which conditions made the large-scale diversion of traffic possible.

We propose and evaluate several mechanisms that allow collaboration between different network operators and that make it possible to detect attempts to redirect routes. The suitability of the proposed methods for detecting attacks on networks is examined through extensive simulations. We demonstrate a favorable balance between the number of reported anomalies and the system resources required.

Finally, we examine how the security gains of previously proposed mechanisms are affected when the deployment of these mechanisms is restricted, for example geographically. By comparing restricted deployment with unrestricted deployment, we show how effective an implementation in, for example, only the EU area could be. We examine how the number of collaborating networks, and the size of those networks, affect the ability to detect and prevent attacks. We also examine our own protocols to demonstrate their usefulness at both large and small scale. We show that our mechanisms can help protect users' traffic, not only in the region where they are deployed, but also globally.

Acknowledgements

First I would like to thank my primary supervisor, Professor Nahid Shahmehri for giving me the opportunity to do research in the interesting area of security. She has played a vital role in shaping my research work. Not only has she been tireless in planning for my research, she has helped me with smaller but important aspects such as presentation skills, writing, listening, questioning, and improving my research ideas. She has helped me improve my research skills in so many ways.

I would also like to take this opportunity to thank my co-supervisor, Associate Professor Niklas Carlsson. I truly enjoy working with Niklas. He has been an inspiration and a role model as a researcher.
He has been instrumental in helping me choose interesting research topics and research questions. Our discussions on research questions and their possible solutions are always interesting. I can ask him, without hesitation, the simplest or the hardest of questions, and always receive helpful tips.

During my PhD studies I have had the opportunity to work with Assistant Professor Phillipa Gill. Working with Phillipa helped me increase my knowledge and experience greatly. I am thankful to her for the collaboration. I would also like to thank Dr. David Byers with whom I worked during the initial period of my PhD. I thank Brittany Shahmehri for thorough proof-reading of the thesis. I would also like to thank Anne Moe for all the help with administrative matters.

I thank all current and former members of ADIT for their friendship, support, and all the valuable comments during numerous ADIT meetings. I would also like to express my gratitude to members of the badminton group at Campushallen and IDA. I enjoyed training with them, which helped improve my badminton skills and kept me healthy.

I express my gratitude to my wife, Vaishali, who has positively impacted my studies. She has been a constant source of support and, when needed, a pleasant distraction. Finally, I thank my family for supporting and trusting the decisions that I make in life.

Rahul Hiran
September 2016
Linköping, Sweden

Dedicated to Riddhansh, Shashwati, Divya, Grishma, Sakshi, and Shraddha

Contents

1 Introduction
  1.1 Cybercrime
    1.1.1 Incidents of cybercrimes
    1.1.2 Reasons networks and users are vulnerable to cyber-attacks
  1.2 Cybercrime classification and thesis focus
  1.3 Network-centric attacks
    1.3.1 Incidents of network-centric attacks
    1.3.2 Factors contributing to network-centric attacks
  1.4 Problem formulation
  1.5 Contributions
    1.5.1 Study of large-scale routing anomaly
    1.5.2 Collaboration among network entities to detect attacks
    1.5.3 Effect of scale, size, and locality
  1.6 Methodology
    1.6.1 Characterization and empirical observations
    1.6.2 Evaluation of large-scale systems
    1.6.3 Working with large datasets
  1.7 List of publications
  1.8 Thesis organization
2 Background and Related Work
  2.1 Internet routing
