Abstract
Prefix hijacking is a persistent and serious threat for the Internet's routing system, having
a technical and financial impact on a global scale. The research community has developed
several sophisticated prefix hijacking detection techniques, which nevertheless lack wide
adoption. On the other hand, network operators usually follow simple, tested practices,
albeit with their own limitations (e.g., slow mitigation speed).
In the current work, we present a Software Defined Networking (SDN) application which
is built upon the principles of the prototype ARTEMIS, such as self-monitoring, and utilizes
ONOS, a carrier-grade SDN Operating System. The application is called ARTEMISONOS; it
uses modern, publicly available streaming services to monitor the BGP control plane in
real-time, and accurately detects different types of hijacks. Moreover, it reacts
automatically with a configurable mitigation countermeasure.
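To make the self-monitoring principle concrete, here is an added Python example (not the ARTEMISONOS Java code) that classifies BGP announcements against an operator's declared prefix-to-origin configuration, flagging exact-prefix origin hijacks and sub-prefix hijacks; the prefixes, AS numbers and monitor names are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Operator-declared ground truth (the ARTEMIS self-monitoring idea): every
# prefix the operator owns, with the ASNs allowed to originate it. Constructed
# sample configuration; sub-prefixes the operator announces on purpose belong
# here too, so they are not flagged.
OWNED_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): {64500},
    ipaddress.ip_network("198.51.100.0/23"): {64500, 64501},
}

@dataclass
class BgpUpdate:
    prefix: str
    as_path: list   # e.g. [64496, 64497, 64500]; the origin AS is the last hop
    monitor: str    # constructed name of the route collector that saw it

def classify(update):
    """Return a hijack label for one announcement, or None if it is legitimate.

    'exact-origin': an owned prefix announced by an unexpected origin AS
    'sub-prefix':   a more-specific prefix carved out of an owned prefix
    Unrelated prefixes and legitimate announcements return None.
    """
    if not update.as_path:
        return None
    announced = ipaddress.ip_network(update.prefix, strict=False)
    origin = update.as_path[-1]
    # Longest configured prefix first, so a deliberately configured
    # sub-prefix is matched exactly before its covering prefix is considered.
    for owned, legit in sorted(OWNED_PREFIXES.items(),
                               key=lambda kv: kv[0].prefixlen, reverse=True):
        if announced.version != owned.version:
            continue
        if announced == owned:
            return None if origin in legit else "exact-origin"
        if announced.subnet_of(owned):
            # A more-specific wins longest-prefix match everywhere, so it is
            # flagged even when the origin AS looks legitimate (it can be forged).
            return "sub-prefix"
    return None

def detect(updates):
    """Run the classifier over a stream of updates and return (update, label) alerts."""
    return [(u, lbl) for u in updates if (lbl := classify(u)) is not None]
```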
ARTEMISONOS is an official application of ONOS, and leverages several advantages of SDN.
In particular, it provides the following features. ARTEMISONOS is developed as a modular
application on top of the OSGi framework, containing a monitoring, a detection and a
mitigation module. It achieves high availability and scalability through the distributed
architecture of the network control plane, and is agnostic to the network infrastructure
(BGP speakers, data-plane devices, etc.) that it operates on, allowing for easy deployment
and reduced operational complexity. Although ARTEMISONOS is an SDN application, it is
fully compatible with BGP, and is thus ready to be used in operational environments.
We evaluate our work by implementing a framework that emulates prefix hijacks. We
show that ARTEMISONOS detects the hijack and starts the mitigation process within
milliseconds. In contrast, full mitigation is achieved in seconds, the time required for
BGP to fully converge. Although ARTEMISONOS is, in principle, a reactive application, in
some cases it is faster than the propagation of the actual hijack event, protecting some
networks (the ones “close” to the victim) almost proactively.