LOCK: Locating Countermeasure-Capable Prefix Hijackers

Prefix hijacking is known as one of the security threats on today’s Internet. A number of measurement-based solutions have been proposed to detect prefix hijacking events. In this paper we take these solutions one step further by addressing the problem of locating the attacker in each detected hijacking event. Being able to locate an attacker is critical for deciding, at the earliest time, which mitigation mechanisms to invoke to limit the impact of the attack and successfully stop it. We propose a robust scheme named LOCK, LOcating Countermeasure-capable hijacKers, for locating the prefix hijacker ASes based on distributed data-plane Internet measurements. LOCK locates each attacker AS by actively monitoring paths to the victim prefix from a small number of carefully selected monitors distributed on the Internet. More importantly, LOCK is robust against various countermeasures that the hijackers may employ. This is achieved by taking advantage of two observations: that the hijacker cannot manipulate the data-plane path before a packet reaches the hijacker, and that the data-plane paths to the victim prefix “converge” around the hijacker AS. We have deployed LOCK on a number of PlanetLab nodes and conducted several large-scale measurements and experiments to evaluate the performance of LOCK against three sets of hijacking attacks: synthetic attacks, reconstructed previously known attacks, and controlled attacks on the Internet. Our evaluation results show that LOCK is able to pinpoint the prefix hijacker AS with an accuracy of over 90%.
