An accurate distributed scheme for detection of prefix interception

Previous research in interdomain routing security has often focused on prefix hijacking. However, several prefix interception events have happened lately, which pose a new security challenge to the interdomain routing system. Compared to prefix hijacking, prefix interception is much harder to detect, as it avoids creating a black hole by forwarding the hijacked traffic back to the victim. In this paper, we present a novel method to detect prefix interception. Our approach exploits a key observation about prefix interception: during a prefix interception event, the attacker detours the intercepted traffic through its network, which turns it into a new important "transit point" for access to the victim. By collecting data plane information to detect the emerging "transit point" and using control plane information to verify it, our scheme can identify prefix interception in real time. The results of Internet experiments and Internet-scale simulations show that our method is accurate, with a low false alarm rate (0.28%) and false negative rate (2.26%).

Contributions:
(1) A comprehensive classification of prefix interception based on BGP route hijacking, and a BGP prefix interception attack model.
(2) An analysis of BGP prefix interception events, extracting the important attack features of BGP prefix interception.
(3) A study of how AS in-degree and out-degree change during prefix interception, and a distributed algorithm based on the Pareto distribution for detecting an anomalous "Upstart-AS".
(4) A prefix interception detection algorithm that combines data plane probing with control plane monitoring.
(5) Validation of the detection algorithm's accuracy through Internet experiments and large-scale simulation.
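The detection idea above, as an added illustration that is not the paper's own code: AS-level forward paths toward the victim prefix are compared across two windows to find an AS whose transit in-degree jumps (an "Upstart-AS"), and the candidate is then checked against control plane AS_PATHs. All AS numbers and paths are constructed (private-range ASNs; 64666 plays the hypothetical attacker), and the fixed in-degree jump threshold is a simplified stand-in for the paper's Pareto-based test.

```python
from collections import defaultdict

# Constructed sample: AS-level forward paths (traceroute hops mapped to ASes) from
# six vantage points toward the victim prefix, whose origin is AS 64500. In the
# current window AS 64666 (hypothetical attacker) sits in front of 64502 but still
# delivers the traffic to 64500, i.e. interception rather than a black-hole hijack.
BASELINE_DP = [
    [64496, 64501, 64500], [64497, 64501, 64500], [64498, 64502, 64500],
    [64499, 64502, 64500], [64503, 64501, 64500], [64504, 64505, 64502, 64500],
]
CURRENT_DP = [
    [64496, 64666, 64502, 64500], [64497, 64666, 64502, 64500], [64498, 64502, 64500],
    [64499, 64666, 64502, 64500], [64503, 64666, 64502, 64500], [64504, 64505, 64502, 64500],
]
# Constructed control-plane view: AS_PATHs for the prefix as seen at route collectors.
CURRENT_CP = [[64496, 64666, 64502, 64500], [64503, 64666, 64502, 64500], [64498, 64502, 64500]]
VICTIM = 64500

def transit_degrees(paths):
    """In-degree (distinct upstream neighbours) and out-degree (distinct downstream
    neighbours) of every AS that appears as an intermediate hop."""
    ups, downs = defaultdict(set), defaultdict(set)
    for p in paths:
        for i in range(1, len(p) - 1):  # first and last hop are not transit points
            ups[p[i]].add(p[i - 1])
            downs[p[i]].add(p[i + 1])
    return {a: (len(ups[a]), len(downs[a])) for a in ups}

def upstart_ases(baseline, current, min_in_jump=3):
    """ASes whose transit in-degree grew by at least min_in_jump between the windows.
    The fixed threshold is an assumption standing in for the paper's Pareto-based test."""
    before, after = transit_degrees(baseline), transit_degrees(current)
    return sorted(a for a, (ind, _) in after.items()
                  if ind - before.get(a, (0, 0))[0] >= min_in_jump)

def confirm_interception(asn, dp_paths, cp_paths, victim):
    """Interception, not a black hole: data-plane paths through the upstart still end
    at the victim, and the control plane shows the upstart on AS_PATHs whose origin
    is still the victim."""
    via = [p for p in dp_paths if asn in p[1:-1]]
    delivered = via and all(p[-1] == victim for p in via)
    announced = any(asn in p[:-1] and p[-1] == victim for p in cp_paths)
    return bool(delivered and announced)

def detect(baseline, current, cp_paths, victim):
    """Upstart-ASes that the control plane confirms as interception points."""
    return [a for a in upstart_ases(baseline, current)
            if confirm_interception(a, current, cp_paths, victim)]

if __name__ == "__main__":
    print(detect(BASELINE_DP, CURRENT_DP, CURRENT_CP, VICTIM))  # [64666]
```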
