| Student: | Cheng, Kuang-Ting (鄭光廷) |
|---|---|
| Thesis title: | Design and Implementation of a Hierarchical Blockchain Security Mechanism for Border Gateway Protocol |
| Advisor: | Yang, Chu-Sing (楊竹星) |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Institute of Computer & Communication Engineering |
| Year of publication: | 2020 |
| Academic year of graduation: | 108 (ROC calendar) |
| Language: | Chinese |
| Pages: | 59 |
| Keywords (Chinese, translated): | Border Gateway Protocol, route hijacking, blockchain, Byzantine fault-tolerant consensus algorithm |
| Keywords (English): | Border Gateway Protocol, Prefix hijacking, Blockchain, Practical Byzantine Fault Tolerance |
The Border Gateway Protocol (BGP), today's mainstream exterior gateway protocol, connects autonomous systems and exchanges routes between them, and is one of the most important protocols forming the backbone of the Internet. However, as the Internet keeps growing, the security of BGP, which is built on trust, is increasingly put to the test. Through a deliberate attack or a misconfiguration, an autonomous system can announce false routing information that alters the routing of other autonomous systems, redirecting or even interrupting their traffic. Because BGP propagates announcements to every neighbour, such malicious routes spread to ever more autonomous systems and cause correspondingly greater damage, which makes route hijacking a major threat to the Internet.
This thesis therefore borrows the concept of blockchain: using a Byzantine fault-tolerant algorithm, the stable routes between autonomous systems are recorded by consensus and serve as a reference for routing decisions. To match the upstream/downstream relationships between autonomous systems and to reduce the system's load, the thesis also designs a hierarchical grouping mechanism that assigns different roles to autonomous systems, so that the larger autonomous systems in the network can perform route verification and lookup on behalf of their customers. Experimental results show that this route protection mechanism detects and filters route hijacking messages within a short time and keeps traffic to the hijacked prefix stable. By replaying hijacking events that actually occurred, the system can alert more than 50% of autonomous systems within 10 seconds and raise that proportion to 95% within one minute.
As the scale of the Internet continues to grow, Internet Service Providers developed the concept of the Autonomous System (AS) in order to control and manage their network resources. The Border Gateway Protocol (BGP) has therefore become the dominant protocol for exchanging routing information between ASes. However, BGP itself is a trust-based protocol and does not employ security mechanisms to secure routes. As a result, an AS can announce and propagate malicious routes that affect the BGP network and result in inter-AS traffic redirection, causing network services to shut down.
This thesis leverages the concept of blockchain to preserve normal routes and prevent BGP hijacking. Using Practical Byzantine Fault Tolerance, ASes record their local routes based on several metrics such as route stability. In order to reduce the communication overhead of our system, we develop a grouping mechanism that lets the critical nodes in the topology maintain the blockchain. The experimental results show that our BGP security mechanism can detect and filter out the malicious routes, and also stabilize the traffic towards the victim AS. By simulating real-world hijacking events, our system is able to alert half of the ASes in 10 seconds and 95% of the ASes in under a minute.