A study of prefix hijacking and interception in the internet

There have been many incidents of prefix hijacking in the Internet. The hijacking AS can blackhole the hijacked traffic. Alternatively, it can transparently intercept the hijacked traffic by forwarding it on to the owner. This paper presents a study of such prefix hijacking and interception with the following contributions: (1) we present a methodology for prefix interception; (2) we estimate the fraction of traffic to any prefix that can be hijacked and intercepted in the Internet today; (3) the interception methodology is implemented and used to intercept real traffic to our prefix; (4) we conduct a detailed study to detect ongoing prefix interception. We find that our hijacking estimates are in line with the impact of past hijacking incidents and show that ASes higher up in the routing hierarchy can hijack a significant amount of traffic to any prefix, including popular prefixes. A less apparent result is that the same holds for prefix interception too. Further, our implementation shows that intercepting traffic to a prefix in the Internet is almost as simple as hijacking it. Finally, while we fail to detect ongoing prefix interception, the detection exercise highlights some of the challenges posed by the prefix interception problem.
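Contribution (2), estimating what share of traffic to a prefix an AS could hijack, is worked below as an added example (not the paper's code or data): a small policy-routing simulation over a constructed AS graph in the Gao-Rexford model (customer-learned routes preferred over peer over provider, valley-free export), which is an assumption about the paper's method rather than something the abstract states. It compares a stub hijacker with a tier-1 hijacker of the same prefix and checks the necessary condition for transparent interception named in the abstract, namely that some neighbour of the hijacker still delivers the prefix's traffic to the owner. The AS numbers, topology and tie-break rule are constructed for illustration.

```python
# Constructed toy AS graph (not from the paper): provider->customer and peer-peer links.
P2C = [(1, 3), (1, 4), (2, 4), (2, 5), (3, 6), (3, 7), (4, 8), (5, 9), (5, 11), (11, 10)]
P2P = [(1, 2)]
RANK = {'c': 0, 'r': 1, 'p': 2}  # prefer customer-learned, then peer-, then provider-learned routes

def build(p2c, p2p):
    """nbrs[a][n] = role of neighbour n as seen from a ('c' customer, 'p' provider, 'r' peer)."""
    nbrs = {}
    for a, b, ra, rb in [(p, c, 'c', 'p') for p, c in p2c] + [(x, y, 'r', 'r') for x, y in p2p]:
        nbrs.setdefault(a, {})[b] = ra
        nbrs.setdefault(b, {})[a] = rb
    return nbrs

def routes(nbrs, origins):
    """Stable Gao-Rexford route of every AS to a prefix announced by `origins`:
    {as: (rank, as_path)}, where as_path[-1] is the origin the AS actually delivers to."""
    best = {o: (-1, (o,)) for o in origins}
    changed = True
    while changed:  # iterate best-response until no AS changes its choice
        changed = False
        for a in nbrs:
            if a in origins:
                continue
            cands = []
            for n, role in nbrs[a].items():
                if n not in best:
                    continue
                nrank, npath = best[n]
                # Valley-free export: n gives a its route only if n learned it from a customer (or originated it) or a is n's customer.
                if (nrank > 0 and nbrs[n][a] != 'c') or a in npath:
                    continue
                cands.append((RANK[role], len(npath) + 1, (a,) + npath))
            m = min(cands) if cands else None  # rank, then shortest AS path, then lowest ASNs (assumed tie-break)
            new = (m[0], m[2]) if m else None
            if new != best.get(a):
                changed = True
                if new: best[a] = new
                else: best.pop(a)
    return best

def hijacked_fraction(nbrs, owner, hijacker):
    """Share of the other ASes whose traffic for the prefix ends up at the hijacker."""
    best = routes(nbrs, {owner, hijacker})
    others = [a for a in nbrs if a not in (owner, hijacker)]
    return sum(best[a][1][-1] == hijacker for a in others) / len(others)

def can_intercept(nbrs, owner, hijacker):
    """Necessary condition for transparent interception: a neighbour of the hijacker still delivers to the owner."""
    best = routes(nbrs, {owner, hijacker})
    return any(best[n][1][-1] == owner for n in nbrs[hijacker])
```

With stub AS 6 as the owner, the stub hijacker AS 10 captures 4 of the 9 other ASes but has no neighbour left that still reaches the owner, while the tier-1 hijacker AS 2 captures 6 of 9 and keeps such a neighbour, mirroring the abstract's finding that position in the routing hierarchy matters for both hijacking and interception.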
