TowerDefense: Deployment strategies for battling against IP prefix hijacking

IP prefix hijacking is one of the top security threats targeting today's Internet routing protocol. Several schemes have been proposed to either detect or mitigate prefix hijacking events. However, none of these approaches has been adopted and deployed on a large scale on the Internet, for reasons such as scalability, economic practicality, or unrealistic assumptions about collaboration among ISPs. Thus there are no actionable and deployable solutions for dealing with prefix hijacking. In this paper, we study key issues related to deploying and operating an IP prefix hijacking detection and mitigation system. Our contributions include (i) deployment strategies for a hijacking detection and mitigation system (named TowerDefense): a practical service model for prefix hijacking protection and effective algorithms for selecting agent locations for detecting and mitigating prefix hijacking attacks; and (ii) large-scale experiments on PlanetLab and extensive analysis of the performance of TowerDefense.
