Rawat, Madhur; Chakravarty, Sambuddho (Advisor); 2018-03-05T10:26:03Z; 2018-03-05T10:26:03Z; 2017-06
dc.description.abstract Cyberwarfare remains a sparsely explored domain of cybersecurity research, most often involving targeted attacks by one nation against another, using botnets. These botnets use malware to launch various kinds of attacks against their targets, ranging from exploiting vulnerabilities and launching Distributed Denial of Service (DDoS) attacks to various forms of traffic interception attacks. A powerful nation could use network-cartography-based techniques to identify key locations within its own nation where it could install defenders that intercept illegitimate traffic. More specifically, the government may use network tomography to identify a relatively small number of Autonomous Systems (ASes) that can intercept a large fraction of network paths (and potentially a large fraction of network traffic). In our research, we use network tomography to construct such large-scale network maps, which could be used to identify a Cyber Defense Line (viz., a collection of strategically important ASes that intercept all the network paths of the country) for installing defenders to prevent various kinds of targeted attacks (like DDoS). These defenders would intercept the traffic of a large fraction of users based on their location, intercepting a large fraction of network traffic. We study how well these defenders can prevent the attacker from crippling critical networked services, such as financial institutions, defence sites, etc., based on their network locations. For our analysis, we selected 9 different countries (including China and India) and found the "Cyber defence line" for the aforementioned network services, the DNS infrastructure and the full country network map. We found that countries are significantly similar in network structure, viz., all have a hierarchical structure. For all sample countries, we found that a handful of ASes intercept more than 90% of all intra-country AS paths. For example, in India only 4 ASes capture more than 95% of the network paths. Interestingly, this holds true if we select ASes based on different AS properties (like customer degree, cone size, peer degree, etc.). Finding cuts in a country's AS topology is only meaningful when one aims to intercept 100% of paths by the cut. Our results reveal that, for the majority of our sample countries, all boundary ASes (those that have a peering relationship with foreign ASes of the country) capture more than 99% of paths, whereas for 100% path interception we require a considerably larger number of ASes (for example, in China 9 ASes intercept over 90% of the paths, 90 ASes 99% of paths, and 213 ASes 100% of paths). en_US
dc.language.iso en_US en_US
dc.subject Defenders en_US
dc.subject Cyber Defense Line en_US
dc.title Citadels in cyberspace en_US
dc.type Thesis en_US
