Towards uncovering BGP hijacking attacks

The Internet is composed of tens of thousands of Autonomous Systems (ASes) that exchange routing information using the Border Gateway Protocol (BGP). Consequently, every AS implicitly trusts every other AS to provide accurate routing information. Prefix hijacking is an attack against the inter-domain routing infrastructure that abuses this mutual trust in order to propagate fallacious routes. Current detection techniques pathologically raise a large number of alerts, mostly false positives resulting from benign routing practices. In this dissertation, we seek the root cause of routing events beyond reasonable doubt. First, we reduce the global number of alerts by analyzing false positive alerts, from which we extract constructs that reflect real-world standard routing practices. We then consider the security threat associated with these constructs in a prefix hijacking scenario. Second, we use a variety of auxiliary datasets that reflect distinct facets of the networks involved in a suspicious routing event in order to closely approximate the ground truth, which is traditionally known only by the network owner. Specifically, we investigate Multiple Origin AS (MOAS) prefixes and introduce a classification that we use to discard up to 80% of false positives. We then show a real-world case where a MOAS coincided with spam and web scam traffic. We look at prefix overlaps, clarify their global use, and present a prototype that discards around 50% of false positive sub-MOAS alerts. Finally, we explore the IP blackspace, study the routing-level characteristics of those networks, find live IP addresses, and uncover a large amount of spam and scam activity.
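To make the two alert types the abstract refers to concrete, here is an added example (not code from the dissertation) that derives MOAS and sub-MOAS alerts from a constructed set of (prefix, origin AS) pairs, as a route collector's RIB would expose them once each AS path is reduced to its last hop. The "same organisation" filter at the end stands in for one kind of benign-practice construct backed by an auxiliary dataset; the `ORG_OF` mapping is a hypothetical stand-in for such a dataset, and the filter is not the dissertation's actual classification.

```python
"""Derive MOAS and sub-MOAS alerts from origin-AS observations (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample: (prefix, origin AS) pairs as seen from route collectors.
# Addresses are documentation ranges; AS numbers are from the private range.
SAMPLE_RIB = [
    ("192.0.2.0/24", 64500),
    ("192.0.2.0/24", 64501),       # same prefix, second origin -> MOAS
    ("198.51.100.0/22", 64502),
    ("198.51.100.0/24", 64503),    # more specific, different origin -> sub-MOAS
    ("203.0.113.0/24", 64504),
    ("203.0.113.128/25", 64504),   # more specific, same origin -> no conflict
    ("198.51.100.0/22", 64502),    # duplicate observation from another vantage point
]

# Hypothetical auxiliary dataset mapping each AS to the organisation that runs it.
ORG_OF = {64500: "org-a", 64501: "org-a", 64502: "org-b", 64503: "org-c", 64504: "org-d"}


def origins_by_prefix(rib):
    """Map each announced prefix to the set of ASes observed originating it."""
    table = defaultdict(set)
    for prefix, asn in rib:
        table[ipaddress.ip_network(prefix)].add(asn)
    return table


def find_moas(table):
    """MOAS alerts: prefixes announced by more than one origin AS."""
    return {str(p): sorted(asns) for p, asns in table.items() if len(asns) > 1}


def find_submoas(table):
    """Sub-MOAS alerts: a more-specific prefix whose origin set contains an AS
    that does not originate the covering, less-specific prefix."""
    alerts = []
    for sub in table:
        for cover in table:
            if cover == sub or cover.version != sub.version:
                continue
            if sub.subnet_of(cover):
                new_origins = table[sub] - table[cover]
                if new_origins:
                    alerts.append((str(sub), str(cover), sorted(new_origins)))
    return sorted(alerts)


def classify_moas(moas, org_of=ORG_OF):
    """Split MOAS alerts into 'benign' (all origins belong to one known
    organisation, a common legitimate practice) and 'suspicious' (origins
    belong to different organisations, or an origin is unknown to the dataset)."""
    benign, suspicious = {}, {}
    for prefix, asns in moas.items():
        orgs = {org_of.get(a) for a in asns}
        if None not in orgs and len(orgs) == 1:
            benign[prefix] = asns
        else:
            suspicious[prefix] = asns
    return benign, suspicious


if __name__ == "__main__":
    table = origins_by_prefix(SAMPLE_RIB)
    moas = find_moas(table)
    benign, suspicious = classify_moas(moas)
    print("MOAS alerts:", moas)
    print("  discarded as benign:", benign)
    print("  kept as suspicious:", suspicious)
    print("sub-MOAS alerts:", find_submoas(table))
```

Both detectors are deliberately pairwise and quadratic in the number of prefixes; on a full routing table one would index prefixes by length or use a radix tree, but the conflict definitions are unchanged. The organisation filter shows why a single auxiliary dataset cannot settle an alert on its own: an unknown AS is kept as suspicious rather than silently dropped, which is the conservative choice when the ground truth belongs to the network owner.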
