Examining the Jurisdictions of Internet Routes to Prevent Data Exfiltration

Abstract

We illustrate the option of integrating Internet routing policies with geographic and political restrictions that allow an organization to mitigate network-based data exfiltration. We show that geolocation, jurisdiction and other political considerations can be leveraged real-time during routing decisions. We illustrate the possibility of defensive routing, where organizations (including governments) can identify network paths which create risk of information exposure via transit through specific jurisdictions perceived as risky, and take action to minimize that risk of exposure. Similar to firewalls that allow organizations to block traffic originating from or to specific countries’ IP addresses, our approach allows blocking outbound traffic that will transit specific countries. We show how an organization can select its own routing risk profile without trusting external entities. Other solutions to the challenges of BGP do not thoroughly integrate real world issues of trust and risk, e.g., BGPSEC and RPKI. These solutions also depend on network effects, requiring large-scale adoption. There are significant bodies of research on both the BGP protocol and IP filtering. Our approach is the first to allow an organization to filter its egress traffic based on high-level assertions about the path it will take. In related work geolocation of IP addresses and Autonomous Systems has significantly advanced. We illustrate that the work on geolocation of Internet entities can be used to alter dataflows real time with an implementation of a dynamic politically-aware routing layer. Traditional policy-routing considers stable economic considerations (e.g., customers are preferred over non-customers) and basic path parameters (e.g., path lengths with or without padding). A Border Gateway Protocol (BGP) participant (e.g., ISP) with our system, built on the current network knowledge base, can infer the countries that traffic to a particular destination address will traverse. This is done by inspecting the autonomous system paths advertised via BGP and referencing external data sources about the autonomous systems. Based on this information, an organization can define constraints on its egress traffic to prevent sensitive traffic from being sent via an unexpected or untrusted region of the Internet. In light of the current plethora of route leaks and BGP hijacks this offers a new option to organizations willing to accept potential downtimes. Specifically, organizations can choose to refuse to send traffic via an unacceptable path, instead choosing confidentiality over availability or choosing different routes or technologies. For example, organizations can leverage new SDN techniques to direct traffic via a different path. We demonstrated the feasibility of our described approach with a prototype implementation that receives a stream of BGP updates and generates access control lists (ACLs) to permit or deny egress traffic based on the defined policies. In related work, we illustrate its effectiveness by replaying publicly available BGP update data received from CAIDA and describe the resulting state of the ACLs after known BGP hijack and route-leak events. For this presentation, we present a series of case studies of past BGP hijacks and show how an individual organization can avoid the risks of certain jurisdictions real time.