Justin Furuness (University of Connecticut), Cameron Morris (University of Connecticut), Reynaldo Morillo (University of Connecticut), Arvind Kasiliya (University of Connecticut), Bing Wang (University of Connecticut), Amir Herzberg (University of Connecticut)

Before the adoption of Route Origin Validation (ROV), prefix and subprefix hijacks were the most effective and common attacks on BGP routing. Recent works show that ROV adoption is increasing rapidly; with sufficient ROV adoption, prefix and subprefix attacks become ineffective.
We study this changing landscape and in particular the Autonomous System Provider Authorization (ASPA) proposal,
which focuses on route leakage but also foils some other
attacks.

Using recent measurements of real-world ROV adoption, we evaluate its security impact. Our simulations show substantial impact: emph{already today}, prefix hijacks are less effective than forged-origin hijacks, and the effectiveness of subprefix hijacks is much reduced.
Therefore, we expect attackers to move to forged-origin hijacks and other emph{post-ROV attacks}; we present a new, powerful post-ROV attack, emph{spoofing}.

We present extensive evaluations of different post-ROV defenses and attacks. Our results show that ASPA significantly protects against post-ROV attacks, even in partial adoption. It dramatically improves upon the use of only ROV or of BGPsec, Path-End, OTC, and EdgeFilter. BGP-iSec has even better protection but requires public-key operations to export/import announcements. We also present ASPAwN, an extension that further improves ASPA's performance. Our results show that contrary to prior works [74], [95], ASPA is effective even when tier-1 ASes are not adopting, hence motivating ASPA adoption at edge and intermediate ASes.
On the other hand, we find that against
emph{accidental} route leaks, the simpler, standardized OTC mechanism is as effective as ASPA.

View More Papers

ABElity: Attribute Based Encryption for Securing RIC Communication in...

K Sowjanya (Indian Institute of Technology Delhi), Rahul Saini (Eindhoven University of Technology), Dhiman Saha (Indian Institute of Technology Bhilai), Kishor Joshi (Eindhoven University of Technology), Madhurima Das (Indian Institute of Technology Delhi)

Read More

The Road to Trust: Building Enclaves within Confidential VMs

Wenhao Wang (Key Laboratory of Cyberspace Security Defense, Institute of Information Engineering, CAS), Linke Song (Key Laboratory of Cyberspace Security Defense, Institute of Information Engineering, CAS), Benshan Mei (Key Laboratory of Cyberspace Security Defense, Institute of Information Engineering, CAS), Shuang Liu (Ant Group), Shijun Zhao (Key Laboratory of Cyberspace Security Defense, Institute of Information Engineering,…

Read More

Probe-Me-Not: Protecting Pre-trained Encoders from Malicious Probing

Ruyi Ding (Northeastern University), Tong Zhou (Northeastern University), Lili Su (Northeastern University), Aidong Adam Ding (Northeastern University), Xiaolin Xu (Northeastern University), Yunsi Fei (Northeastern University)

Read More

Automated Expansion of Privacy Data Taxonomy for Compliant Data...

Yue Qin (Indiana University Bloomington & Central University of Finance and Economics), Yue Xiao (Indiana University Bloomington & IBM Research), Xiaojing Liao (Indiana University Bloomington)

Read More