Wormhole Detection in Secured BGP Networks
Authors: Youssef Gahi, J. Israr, M. Guennoun
Published in: 2016 IEEE 3rd International Conference on Cyber Security and Cloud Computing (CSCloud)
Publication date: 2016-06-25
DOI: 10.1109/CSCloud.2016.38 (https://doi.org/10.1109/CSCloud.2016.38)
Citation count: 2
Abstract
A wormhole attack is a specific mechanism where two or more Autonomous Systems (ASes) coordinate to perform a black hole attack by exchanging secure BGP updates over a tunnel, signing route attestations for each other. Routing protocols generally choose a route through a wormhole because it is, in general, the shortest route. This attack can redirect traffic through a chosen path that is compromised by the attacker. It can also significantly degrade the performance of the network. In this paper we present an approach to detecting coordinated wormhole attacks by validating the path to detect any tunnel that may exist between two consecutive nodes in the AS-PATH. Similarly to SoBGP, we require that each AS signs and publishes its local topology through the topology certificate. The BGP speaker can then verify that the AS path is wormhole-free by assembling local topologies into a global inter-AS topology map. We develop a metric that calculates the likelihood that two consecutive ASes in the AS-PATH are real neighbors in the AS graph. We demonstrate this approach by developing a wormhole detector where randomly chosen ASes are colluding to perform attacks according to a stochastic distribution model. We present experimental results from testing this algorithm in a controlled environment, demonstrating that it has a high detection rate. Our analysis shows that the detection algorithm is optimized for detecting long tunnels, i.e. tunnels that span multiple ASes.