Accurate Real-time Identification of IP Hijacking

In this paper, we present novel and practical techniques to accurately detect IP prefix hijacking attacks in real time in order to facilitate timely mitigation responses. There is strong evidence that IP hijacking is common on today's Internet. Attackers may hijack a victim's IP address space to perpetrate malicious activities such as spamming and launching DoS attacks without worrying about disclosing their identity through source IP addresses. More seriously, they can disrupt network services or regular communication by temporarily stealing actively used addresses. Unintentional network misconfigurations can also have similar effects, possibly leading to severe impact on reachability. We propose novel ways to detect IP hijacking much more accurately by combining analysis of passively collected BGP routing updates with data plane fingerprints of suspicious prefixes. The key insight is to use data plane information, in the form of edge network fingerprinting, to disambiguate the potentially numerous suspected IP hijacking incidents produced by routing anomaly detection. Previous work on identifying IP hijacking relies solely on control plane information, in the form of anomalous routing updates, or on external data such as stale address registries. Such an approach is inaccurate, suffering from too many false positives to be useful in practice. In our proposed scheme, real-time fingerprinting provides confirming evidence for hijacking while incurring little overhead. More importantly, we provide mechanisms to perform online mitigation rather than post-mortem analysis. Utilizing real-time BGP data from multiple feeds as well as RouteViews, we demonstrate the ability of our system to distinguish between legitimate routing changes and hijacking attacks.
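As an added illustration of the two-stage idea in the abstract (example code written here, not the paper's system): the control plane flags prefixes whose origin AS changes, and only those suspects are disambiguated by comparing edge-network fingerprints gathered from several vantage points, since a hijack diverts only part of the Internet to the attacker's network. The update records, fingerprint fields, vantage-point names and baseline values are all constructed assumptions.

```python
# Constructed BGP updates as (prefix, AS path); the origin AS is the last hop.
UPDATES = [
    ("192.0.2.0/24", (64500, 64510, 64520)),
    ("203.0.113.0/24", (64500, 64530)),
    ("192.0.2.0/24", (64501, 64510, 64520)),  # path changes, origin does not: not suspect
    ("192.0.2.0/24", (64502, 64540)),         # origin changes to 64540: suspect
    ("203.0.113.0/24", (64503, 64550)),       # origin changes to 64550: suspect
]

# Constructed fingerprints of a responsive host in each suspect prefix, as seen from
# several vantage points after the change. Assumed fields: (OS guess, open ports, IP-ID style).
PROBES = {
    "192.0.2.0/24": {
        "vp-a": ("linux", (22, 443), "random"),
        "vp-b": ("linux", (22, 443), "random"),
        "vp-c": ("windows", (80, 3389), "sequential"),  # vp-c is routed to another network
    },
    "203.0.113.0/24": {
        "vp-a": ("freebsd", (25, 587), "random"),
        "vp-b": ("freebsd", (25, 587), "random"),
    },
}

# Constructed fingerprint of each prefix recorded before the suspicious update.
BASELINE = {
    "192.0.2.0/24": ("linux", (22, 443), "random"),
    "203.0.113.0/24": ("freebsd", (25, 587), "random"),
}

def origin_changes(updates):
    """Control-plane step: flag a prefix whenever its origin AS differs from the last one seen."""
    last, suspects = {}, []
    for prefix, path in updates:
        origin = path[-1]
        if prefix in last and last[prefix] != origin:
            suspects.append((prefix, last[prefix], origin))
        last[prefix] = origin
    return suspects

def classify(prefix, probes, baseline):
    """Data-plane step: vantage points disagreeing, or all of them seeing a network unlike the owner, means hijack."""
    seen = set(probes[prefix].values())
    if len(seen) > 1:
        return "hijack"
    if prefix in baseline and seen != {baseline[prefix]}:
        return "hijack"
    return "legitimate"

def detect(updates, probes, baseline):
    """Only control-plane suspects are fingerprinted; return prefix -> verdict."""
    return {p: classify(p, probes, baseline) for p, _, _ in origin_changes(updates)}
```

The path-only change on the third update is never probed, which is how the data-plane stage keeps its overhead low while the false positives of pure control-plane detection are filtered out.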
