NSF-BSF: SaTC: CORE: Small: Prevention, Detection and Mitigation for Secure Interdomain Routing

Supported by NSF CNS-2247810

The Border Gateway Protocol (BGP) is the glue that connects hundreds of thousands of autonomous systems into the global Internet infrastructure. From its inception, BGP however has no built-in security mechanisms. This vulnerability has been abused for myriad attacks, many causing large-scale network disruptions and catastrophic financial loss. Extensive efforts on securing BGP have led to the current increasing deployment of mechanisms for authenticating and validating route origins. As a result, simple prefix hijacks are expected to become less effective. While this is encouraging, attackers can adopt many other forms of more sophisticated attacks, e.g., path manipulation attacks and route leaks, which can be extremely damaging. While many prevention techniques have been proposed by academia, industry and standardization organizations, none of them has been actively deployed , partly because of insufficient attention paid to deployment challenges. This NSF-BSF project aims to develop effective and deployable solutions to significantly improve BGP security. In addition, this project incorporates research outcome in course development and provides research opportunities to underrepresented students.
This project takes a multi-pronged approach to improve BGP security. First, it develops effective and deployable strategies to prevent attacks to BGP. Th proposed techniques aim to finally overcome the long-standing obstacle of deploy-ability by combining significantly better security under partial deployment with significantly lower overhead. Second, this project develops a detect-then-prevent service that is broadly applicable to many types of attacks, including 'hidden' and 'stealthy' attacks that are difficult to prevent directly. In the same time the approaches will keep the defense resilient to new classes of attacks that purposely mislead and abuse the detection service. Third, this project develops automated mitigation techniques, with a novel on-demand route origin authorization design, and outsourced-mitigations leveraging content delivery networks and overlay networks. Last, this project significantly advances the state-of-the-art of inter-domain routing security evaluation, by developing accurate and flexible open-source simulation tools and formal analysis mechanisms.

People

Dr. Amir Herzberg (School of Computing, UConn)
Dr. Bing Wang (School of Computing, UConn)
Dr. Yossi Gilad (The Hebrew University of Jerusalem, Israel)
Dr. Hemi Leibowitz (The College of Management Academic Studies, Israel)

Publication

• EZ-SAVE: Evaluation of Easy-to-Deploy Source Address Validation Policies.
  N. Scaglione, J. Furuness, Y. Gilad, H. Leibowitz, C. Morris, B. Wang, K. Sriram, and A. Herzberg.
  Proc. of NSDI, 2026.

• Suppressing BGP Zombies with Route Status Transparency.
  Y. E. Anahory, J. Kong, N. Scaglione, J. Furuness, H. Leibowitz, A. Herzberg, B. Wang, and Y. Gilad.
  Proc. NDSS, 2025.

• Securing BGP ASAP: ASPA and other Post-ROV Defenses.
  J. Furuness, C. Morris, R. Morillo, A. Kasiliya, B. Wang, and A. Herzberg.
  Proc. NDSS, 2025.

• BGP-iSec: improved security of internet routing against Post-ROV attacks.
  C. Morris, A. Herzberg, B. Wang, and S. Secondo.
  Proc. of NDSS, 2024.

• BGPy: The BGP Python Security Simulator.
  J. Furuness, C. Morris, R. Morillo, A. Herzberg, and B. Wang.
  Proc. of Cyber Security Experimentation and Test (CSET), 2023.

• ROV++: Improved deployable defense against BGP hijacking.
  R. Morillo, J. Furuness, C. Morris, J. Breslin, A. Herzberg, and B. Wang.
  Proc. of NDSS, 2021.