Internet resiliency to attacks and failures under BGP policy routing

Danny Dolev, Sugih Jamin, Osnat (Ossi) Mokryn, Yuval Shavitt

Research output: Contribution to journalArticlepeer-review


We investigate the resiliency of the Internet at the Autonomous System (AS) level to failures and attacks, under the real constraint of business agreements between the ASs. The agreements impose policies that govern routing in the AS level, and thus the resulting topology graph is directed, and thus the reachability between Ases is not transitive. We show, using partial views obtained from the Internet, that the Internet's resiliency to a deliberate attack is much smaller than previously found, and its reachability is also somewhat lower under random failures. We use different metrics to measure resiliency, and also investigate the effect of added backup connectivity on the resiliency.

Original languageEnglish
Pages (from-to)3183-3196
Number of pages14
JournalComputer Networks
Issue number16
StatePublished - 14 Nov 2006
Externally publishedYes

Bibliographical note

Funding Information:
This research was supported in part by a grant from the United States–Israel Binational Science Foundation (BSF), Jerusalem, Israel; by a grant from the Israel Science Foundation (ISF) center of excellence program (grant number 8008/03); by a grant from the EU 6th FP, IST Priority, Proactive Initiative “Complex Systems Research”, as part of the EVERGROW integrated project, and by a grant from the Israel Internet Association. Appendix A Theorem 1 The reachability algorithm is correct. Proof We shall first prove that the algorithm finds all the reachable nodes. A marking of a node as up, side, or down means it is reachable. Select a node s . Lets first examine a node v for which there exists a path comprised only of up links. Clearly all the nodes in this path should be marked as reachable from s . Suppose for the contrary that v is not marked as reachable, and let u be the closest node to s on the path to v for which the state variable, st u , is not up. By the assumption, the node before u is marked as up, and thus it is reachable. But by the inspect procedure the node must mark all its neighbors, with an up link connecting them, as up and inspect them, and thus it is impossible for u not to be in state up. Now suppose that node = = v has a path with (possibly zero) up links and down links. Let u be the last node in the climbing part of the path. If the path has no up links u s . As we proved above, u is bound to be in the up state. In case u s , s is initialized to be in the up state. Let w be the first node on the down part of the path which is not marked as reachable. Examine the node before w on the path, which by the assumption is marked as reachable. Due to the fall through in the case statement of the inspect procedure, regardless of the state this node is in it will mark w in state down and activate inspect for it, contrary to the assumption, thus it is impossible for w not to be marked as reachable. Finally, assume the path to v has a peer-to-peer link. Let this link be ( u 1 , u 2 ). We proved that u 1 will be marked as up. Based on the inspection procedure u 2 will be marked as side and be inspected in the down direction. Thus the downwards part of the path will be examined like proved above for the case of no side link and all nodes along it will be found reachable. To complete the proof we must show that no node, v , which is not reachable from s will be marked erroneously as reachable. We will show that v ’s marking is correct, namely that it is marked as up only if there is a path leading to it comprised of only up links, as side if there exist a path leading to it comprised of only up links and the last link is side, and as down if the path leading to it contain a down link. Let … If path reaches a node which is correctly marked as up, then all the nodes in the path are correctly marked as up, which contradicts the assumption v thus be erroneously marked as up. Clearly, if no neighbor of v is marked as up this cannot happen since only nodes in state up can mark their neighbors as up. Let p ( v ) be v ’s neighbor who marked it as up. Clearly p ( v ) state must be up as well and there is an up link between p ( v ) and v . Now examine the path v , p ( v ), p ( p ( v )), v is erroneously marked as up. Otherwise, either there must be a node that does not have a neighbor in the up state, or the path is cyclic. The first option is impossible since only nodes in the up state can mark their neighbor as up. The second option is impossible by the definition of p ( v ) and the ordering of the marking times. Thus all the up markings are correct. Clearly all the side markings are correct since only nodes whose neighbors are marked as up and have a peer-to-peer link to them can be marked as a side. The nodes that need to be marked as down are correctly marked since we showed before that all the reachable nodes are marked as such, and we showed they cannot be erroneously marked as up or side. To show that no unreachable node is marked as down, we see that only nodes that have a down link can be marked as down by a reachable neighbor (at any state). As before we can look at a chain of nodes … were □ v , p ( v ), p ( p ( v )), p ( v ) is the node that marked v as down first. The chain cannot exist using the same rational as before. Danny Dolev (SM’89) received his B.Sc. degree in mathematics and physics from the Hebrew University, Jerusalem in 1971. His M.Sc. thesis in Applied Mathematics was completed in 1973, at the Weizmann Institute of Science, Israel. His Ph.D. thesis was on Synchronization of Parallel Processors (1979). He was a Post-Doctoral fellow at Stanford University, 1979–1981, and IBM Research Fellow 1981–1982. He joined the Hebrew University in 1982. From 1987 to 1993 he held a joint appointment as a professor at the Hebrew University and as a research staff member at the IBM Almaden Research Center. He is currently a professor at the Hebrew University of Jerusalem. His research interests are all aspects of distributed computing, fault tolerance, and networking—theory and practice. Sugih Jamin is an Associate Professor in the Department of Electrical Engineering and Computer Science at the University of Michigan. He received his Ph.D. in Computer Science from the University of Southern California, Los Angeles in 1996 for his work on measurement-based admission control algorithms. He spent parts of 1992 and 1993 at the Xerox Palo Alto Research Center, was a Visiting Scholar at the University of Cambridge for part of 2002, and a Visiting Associate Professor at the University of Tokyo for part of 2003. He received the ACM SIGCOMM Best Student Paper Award in 1995, the National Science Foundation (NSF) CAREER Award in 1998, the Presidential Early Career Award for Scientists and Engineers (PECASE) in 1999, and the Alfred P. Sloan Research Fellowship in 2001. Osnat (Ossi) Mokryn Received the B.Sc. in Computer Engineering and M.Sc. in Electrical Engineering from the Technion—Israel Institute of Technology, Haifa in 1993 and 1998, respectively. Submitted the Ph.D. in Computer Science and Electrical Engineering to the Hebrew University of Jerusalem, Israel in December 2003. She currently holds a Post-Doctorate position at the department of Electrical Engineering at Tel-Aviv University. Her recent research focuses on Internet structure and topology; Complex systems; Multicast; Caching and content delivery. Yuval Shavitt (s’88–M’97–SM’00) received the B.Sc. in Computer Engineering (cum laude), M.Sc. in Electrical Engineering and D.Sc. from the Technion—Israel Institute of Technology, Haifa in 1986, 1992, and 1996, respectively. From 1986 to 1991, he served in the Israel Defense Forces first as a system engineer and the last two years as a software engineering team leader. After graduation he spent a year as a Post-Doctoral Fellow at the Department of Computer Science at Johns Hopkins University, Baltimore, MD. Between 1997 and 2001 he was a Member of Technical Stuff at the Networking Research Laboratory at Bell Labs, Lucent Technologies, Holmdel, NJ. Starting October 2000, he is a faculty member in the department of Electrical Engineering at Tel-Aviv University. His recent research focuses on Internet measurement, mapping, and characterization; QoS routing; and cache placement. He served as TPC member for INFOCOM 2000–2003, IWQoS 2001 and 2002, ICNP 2001, MMNS 2001, and IWAN 2003 and 2003, and on the executive committee of INFOCOM 2000, 2002, and 2003. He is an editor of Computer Networks, and served as a guest editor of IEEE JSAC and JWWW.


  • AS relationships
  • Directed graph
  • Valley free routing

ASJC Scopus subject areas

  • Computer Networks and Communications


Dive into the research topics of 'Internet resiliency to attacks and failures under BGP policy routing'. Together they form a unique fingerprint.

Cite this