Monitor, Detect, Mitigate: Combating BGP Prefix Hijacking in Real-Time with ARTEMIS

The Border Gateway Protocol (BGP) is used globally by Autonomous Systems (ASes) to establish route paths for IP prefixes in the Internet. Because BGP lacks authentication, an AS can hijack IP prefixes owned by other ASes (i.e., announce illegitimate route paths), thereby impacting the Internet routing system and economy. To address this, a number of hijacking detection systems have been proposed. However, existing systems are usually third-party services that inherently introduce a significant delay between the hijacking detection (by the service) and its mitigation (by the network administrators). To overcome this shortcoming, in this paper we propose ARTEMIS, a tool that enables an AS to detect hijacks on its own prefixes in a timely manner and automatically proceed to mitigation actions. To evaluate the performance of ARTEMIS, we conduct real hijacking experiments. To the best of our knowledge, this is the first time that a hijacking detection/mitigation system has been evaluated through extensive experiments in the real Internet. Our results (a) show that ARTEMIS can detect (mitigate) a hijack within a few seconds (minutes) after it has been launched, and (b) demonstrate the efficiency of the different control-plane sources used by ARTEMIS for monitoring routing changes.
