iSPY: Detecting IP Prefix Hijacking on My Own

IP prefix hijacking remains a major threat to the security of the Internet routing system due to a lack of authoritative prefix ownership information. Despite many efforts in designing IP prefix hijack detection schemes, no existing design can satisfy all the critical requirements of a truly effective system: real-time, accurate, lightweight, easily and incrementally deployable, as well as robust in victim notification. In this paper, we present a novel approach that fulfills all these goals by monitoring network reachability from key external transit networks to one's own network through lightweight prefix-owner-based active probing. Using the prefix-owner's view of reachability, our detection system, iSPY, can differentiate between IP prefix hijacking and network failures based on the observation that hijacking is likely to result in topologically more diverse polluted networks and unreachability. Through detailed simulations of Internet routing, 25-day deployment in 88 autonomous systems (ASs) (108 prefixes), and experiments with hijacking events of our own prefix from multiple locations, we demonstrate that iSPY is accurate with false negative ratio below 0.45% and false positive ratio below 0.17%. Furthermore, iSPY is truly real-time; it can detect hijacking events within a few minutes.
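The abstract's key observation is that a hijack and an ordinary failure leave different footprints in the prefix owner's reachability probes: a failed upstream link takes out every probed network behind that one link, whereas a competing announcement from another origin pulls in networks scattered across many different parts of the topology. The toy classifier below illustrates that distinction in runnable form. It is an added example written for this page, not the iSPY implementation or its real decision rule; the AS-level paths, the private ASNs (64500 and up), the idea of explaining an unreachable set by a minimal set of failed links, and the diversity threshold are all constructed assumptions for the illustration.

```python
from itertools import combinations

# Constructed toy topology (assumption): AS-level paths from our origin AS
# (64500, a private ASN placeholder) out to the external transit ASes we probe.
# In practice such paths would come from the prefix owner's own measurements.
OUR_AS = 64500
PATHS = {
    64510: [64500, 64501, 64510],  # three transit ASes behind upstream 64501
    64511: [64500, 64501, 64511],
    64512: [64500, 64501, 64512],
    64520: [64500, 64502, 64520],  # two behind upstream 64502
    64521: [64500, 64502, 64521],
    64530: [64500, 64503, 64530],  # two behind upstream 64503
    64531: [64500, 64503, 64531],
}


def path_edges(path):
    """Set of (from_as, to_as) links making up an AS path."""
    return {(path[i], path[i + 1]) for i in range(len(path) - 1)}


def min_cut_explaining(unreachable, paths=PATHS):
    """Smallest set of links whose failure would cut off exactly the
    unreachable targets while leaving every reachable target untouched.
    Returns None if no set of link failures can explain the observation.
    Brute force over link subsets; fine for a handful of probe targets."""
    unreachable = set(unreachable)
    reachable = set(paths) - unreachable
    # Candidate links: on some unreachable path, but on no reachable path.
    allowed = set()
    for target in unreachable:
        allowed |= path_edges(paths[target])
    for target in reachable:
        allowed -= path_edges(paths[target])
    allowed = sorted(allowed)
    for size in range(1, len(allowed) + 1):
        for cut in combinations(allowed, size):
            cut = set(cut)
            if all(path_edges(paths[t]) & cut for t in unreachable):
                return cut
    return None


def classify(unreachable, paths=PATHS, diversity_threshold=2):
    """Heuristic (assumption): if the unreachable set can be explained by a
    single failed link it looks like a failure; if it needs many independent
    cuts, the unreachable networks are topologically diverse, which is the
    signature of a competing origin announcement."""
    if not unreachable:
        return "ok"
    cut = min_cut_explaining(unreachable, paths)
    if cut is None or len(cut) >= diversity_threshold:
        return "suspected_hijack"
    return "suspected_failure"


if __name__ == "__main__":
    # Constructed probe outcomes: link 64500-64501 down vs. a hijack that
    # attracts one network behind each of our three upstreams.
    for name, lost in [("link failure", [64510, 64511, 64512]),
                       ("hijack", [64510, 64520, 64530])]:
        print(name, "->", classify(lost), min_cut_explaining(lost))
```

The two constructed scenarios show the contrast: losing all three networks behind upstream 64501 is explained by one link, while losing one network behind each upstream needs three separate cuts. The threshold of two cuts is a placeholder; a deployment would have to tune it against the frequency of multi-link failures in its own topology to keep false positives down.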
