Stealthy IP Prefix Hijacking: Don't Bite Off More Than You Can Chew

In prefix hijacking, an Autonomous System (AS) advertises routes for prefixes that are owned by another AS, and ends up hijacking traffic that is intended for the owner. While misconfigurations and/or misunderstandings of policies are the likely reasons behind the majority of those incidents, malicious incidents have also been reported. Recent works have focused on malicious scenarios that aim to maximize the amount of hijacked traffic from all ASes, without considering scenarios where the attacker is aiming to avoid detection. In this paper, we expose a new class of prefix hijacking that is stealthy in nature. The idea is to craft path(s), of tunable lengths, that deceive only a small subset of ASes. By finely tuning the degree to which ASes are affected, the attacker can handle the hijacked traffic while the victimized AS would not observe a major reduction in its incoming traffic that would raise an alarm. We give upper bounds on the impact of those attacks via simulations on real BGP Internet announcements obtained from Route-Views. We discuss shortcomings in currently proposed defense mechanisms against attackers who can falsify traceroute replies. We also present a defense mechanism against stealthy prefix hijacking attacks.
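The abstract's central point is that a victim watching only its own inbound traffic volume can miss a hijack whose reach has been tuned down. The following toy model is an added example, not the paper's simulator or its Route-Views data: it builds a small constructed AS topology, lets each AS pick the shorter AS path, models path-length tuning as the attacker lengthening its own announcement (an assumption of this example, not necessarily the paper's construction), and then compares two detectors: a victim-side traffic-drop alarm and an origin check at a few assumed route-collector vantage points. The topology, collector set, thresholds and tie-break rule are all constructed for illustration.

```python
"""Added example: toy BGP route-selection model to compare a victim-side
traffic-volume alarm with an origin check at route-collector vantage points.
Everything here (topology, collectors, thresholds, tie-break) is constructed
for illustration; it is not the paper's simulator or data."""
from collections import deque

# Constructed AS-level topology: a chain 1-2-...-10 with one stub AS hanging
# off several chain nodes. Edges are undirected and every link is assumed to
# carry routes (no valley-free or business-relationship policy is modelled).
EDGES = [
    (1, 2), (2, 3), (3, 4), (4, 5), (5, 6), (6, 7), (7, 8), (8, 9), (9, 10),
    (3, 11), (4, 12), (7, 13), (8, 14), (9, 15), (10, 16),
]
VICTIM, ATTACKER = 1, 10          # both announce the same prefix (assumed)
COLLECTORS = {3, 7, 16}           # assumed route-collector vantage points


def build_adjacency(edges):
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def hop_distances(adj, src):
    """BFS hop count from every AS to src (shortest AS path in this model)."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def deceived_ases(adj, victim, attacker, prepend):
    """ASes whose best route for the prefix ends at the attacker.

    Model: each AS prefers the shorter AS path; the attacker's announcement
    carries `prepend` extra hops. Ties keep the legitimate route (the bogus
    path must be strictly shorter). The attacker routes locally and is
    counted as deceived.
    """
    d_victim = hop_distances(adj, victim)
    d_attacker = hop_distances(adj, attacker)
    deceived = {attacker}
    for asn in adj:
        if asn in (victim, attacker):
            continue
        if d_attacker[asn] + prepend < d_victim[asn]:
            deceived.add(asn)
    return deceived


def victim_traffic_drop(adj, victim, deceived):
    """Fraction of the victim's inbound sources (all other ASes) lost."""
    others = len(adj) - 1
    return len(deceived) / others


def volume_alarm(drop, threshold=0.25):
    """Victim-side detector: alarm only on a large inbound-traffic drop."""
    return drop > threshold


def origin_alarm(deceived, collectors):
    """Vantage-point detector: alarm if any collector's best route for the
    prefix originates at an AS other than the legitimate owner."""
    return bool(deceived & collectors)


def evaluate(prepend):
    """Run both detectors for one attacker path length; returns a summary."""
    adj = build_adjacency(EDGES)
    deceived = deceived_ases(adj, VICTIM, ATTACKER, prepend)
    drop = victim_traffic_drop(adj, VICTIM, deceived)
    return {
        "prepend": prepend,
        "deceived": len(deceived),
        "drop": round(drop, 3),
        "volume_alarm": volume_alarm(drop),
        "origin_alarm": origin_alarm(deceived, COLLECTORS),
    }


if __name__ == "__main__":
    for k in range(0, 12, 2):
        print(evaluate(k))
```

On this topology the volume alarm fires for short bogus paths (more than a quarter of the victim's sources move) and goes silent once the path is long enough that only two ASes are deceived, while the vantage-point check still fires because one collector sits among them. Lengthening the path further shrinks the affected set to the attacker alone and both detectors miss; where the vantage points sit relative to the attacker decides whether the second detector sees anything, which is the reason to monitor from many collectors rather than from the victim's own traffic counters.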
