
An accurate distributed scheme for detection of prefix interception

  • Song Li
  • Haixin Duan
  • Zhiliang Wang
  • Jinjin Liang
  • Xing Li
Research Paper

Abstract

Previous research in interdomain routing security has often focused on prefix hijacking. However, several prefix interception events have happened lately, posing a new security challenge to the interdomain routing system. Compared to prefix hijacking, prefix interception is much harder to detect, as it avoids creating a black hole by forwarding the hijacked traffic back to the victim. In this paper, we present a novel method to detect prefix interception. Our approach exploits a key observation about prefix interception: during a prefix interception event, the attacker detours the intercepted traffic through its network, which turns the attacker into a new, important “transit point” for access to the victim. By collecting data plane information to detect the emerging “transit point” and using control plane information to verify it, our scheme can identify prefix interception in real time. The results of Internet experiments and Internet-scale simulations show that our method is accurate, with a low false alarm rate (0.28%) and false negative rate (2.26%).

Keywords

routing, BGP, hijacking, interception, detection

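An accurate distributed scheme for detecting BGP prefix interception attacks

Abstract

Contributions

  1. A comprehensive classification of prefix interception based on BGP route hijacking, and a model of the BGP prefix interception attack.
  2. An analysis of BGP prefix interception events that extracts the important attack characteristics of BGP prefix interception.
  3. A study of how AS in-degree and out-degree change during prefix interception, and a distributed algorithm based on the Pareto distribution for detecting anomalous Upstart-ASes.
  4. A prefix interception detection algorithm that combines data plane probing with control plane monitoring.
  5. Validation of the detection algorithm's accuracy through Internet experiments and large-scale simulation.

Keywords

routing, BGP, hijacking, interception, detection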

Copyright information

© Science China Press and Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  • Song Li (1)
  • Haixin Duan (2)
  • Zhiliang Wang (2)
  • Jinjin Liang (3)
  • Xing Li (1)

  1. Department of Electronic Engineering, Tsinghua University, Beijing, China
  2. Institute of Network Science and Cyberspace, Tsinghua University, Beijing, China
  3. Department of Computer Science and Technology, Tsinghua University, Beijing, China
