[88641] in North American Network Operators' Group


NANOG36-NOTES 2006.02.14 talk 4 Flooding via routing loops

daemon@ATHENA.MIT.EDU (Matthew Petach)
Tue Feb 14 15:08:33 2006

Date: Tue, 14 Feb 2006 12:07:37 -0800
From: Matthew Petach <mpetach@netflight.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: owner-nanog@merit.edu



2006.02.14 talk 4 Flooding attacks

Jianhong Xia

A new talk added right before lunch by
Randy Bush will push us to 12:25.

Two talks coming up about DoS attacks
against control information

Flooding Attacks by exploiting persistent
forwarding loops.

Introduction: routing determines forwarding path.

Transient forwarding loops happen all the time
during convergence; that's normal.  But this
focuses on persistent forwarding loops.

why would persistent loops exist?

Example on neglecting pull-up routes.
Router announces 18.0/16 to internet
router A has default pointing to B
router A uses 18.0.0/24 only
Any traffic to 18.0.1.0-18.0.255.255
will enter the forwarding loop between
A and B

Risk of persistent forwarding loops can
amplify based on ttl of packets injected into
the looping pair of routers.
Can create a denial of service by flooding the
upstream links between routers in front of host
they want to knock off.
any other hosts behind that link are "imperiled
addresses"

Measurement Design:
balancing granularity and overhead
samples 2 addresses in each /24 IP block
Addresses space collection
 addresses covered by RouteView table
 de-aggregate prefixes into /24 prefixes
  fine-grained prefixes
data traces
 traceroute to 5.5 million fine-grained prefixes
 measurement lasts for 3 weeks in sept 2005

Almost 2.5% of routable addresses have persistent
forwarding loops
Almost .8% of routable addresses are imperiled addresses.

Validating these persistent forwarding loops
from multiple places
 from asia, europe, west and east coast of US
 90% of shadowed prefixes consistently have persistent
 forwarding loops
Validation to multiple addresses in shadowed prefixes
 sampling 50 addresses in each shadowed prefix
 68% of shadowed prefixes shows that...

Properties of the loops
How long are the loops?
 86.6% of loops are 2 hops long
 0.4% are more than 10 hops long
  some are more than 15 hops
location
 82.2% of persistent loops happen within destination
  domain
implications
 significantly amplify attacking traffic
 can be exploited from different places.

(oops.  Matt gets paged out to deal with issue, so no
 more notes for a while).
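
An added example, not part of the original post: a small Python model of the A/B case in the notes. It lists the part of an announced aggregate that has no route inside it on router A and so follows the default, and it shows a packet's fate with and without the pull-up (discard) route. The FIB contents, next-hop labels and function names are constructed for illustration.

```python
import ipaddress as ip

# Constructed FIBs (prefix -> next hop) for the A/B example in the notes.
# "local" = delivered, "discard" = null route, "upstream" = leaves the pair.
FIB_A = {"18.0.0.0/24": "local", "0.0.0.0/0": "B"}
FIB_B = {"18.0.0.0/16": "A", "0.0.0.0/0": "upstream"}
FIB_A_FIXED = {**FIB_A, "18.0.0.0/16": "discard"}  # pull-up route added

def lookup(fib, dst):
    """Longest-prefix match: next hop for address dst."""
    nets = [ip.ip_network(p) for p in fib]
    best = max((n for n in nets if dst in n), key=lambda n: n.prefixlen)
    return fib[str(best)]

def forward(fibs, start, dst, ttl=64):
    """Walk one packet; return (outcome, link crossings before it stopped)."""
    node, dst = start, ip.ip_address(dst)
    for hops in range(ttl):
        nxt = lookup(fibs[node], dst)
        if nxt not in fibs:              # delivered, discarded or left the pair
            return nxt, hops
        node = nxt
    return "ttl-expired", ttl            # every unit of TTL was spent in the loop

def uncovered(fib, aggregate):
    """Parts of the announced aggregate with no route inside it (they follow the default)."""
    agg = ip.ip_network(aggregate)
    gaps = [agg]
    for net in map(ip.ip_network, fib):
        if not net.subnet_of(agg):       # default or other covering route
            continue
        remaining = []
        for g in gaps:
            if net.subnet_of(g):
                remaining.extend(g.address_exclude(net))
            elif not g.subnet_of(net):
                remaining.append(g)
        gaps = remaining
    return sorted(gaps)

if __name__ == "__main__":
    for name, fib_a in (("no pull-up", FIB_A), ("with pull-up", FIB_A_FIXED)):
        gaps = uncovered(fib_a, "18.0.0.0/16")
        print(name, "uncovered:", [str(g) for g in gaps])
        print(" 18.0.5.1 ->", forward({"A": fib_a, "B": FIB_B}, "B", "18.0.5.1"))
```

Without the pull-up route, each packet to the uncovered range crosses the A-B link once per unit of TTL it arrives with; with it, the packet is dropped at A after one crossing.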
