
Active correlation between the control and data plane: Accurate real-time identification of IP hijacking Z. Morley Mao University of Michigan.


1 Active correlation between the control and data plane: Accurate real-time identification of IP hijacking Z. Morley Mao University of Michigan

2 Data plane and control plane
- Data plane: determines data packet behavior
  - Packet forwarding
  - Packet differentiation (e.g., ACLs)
  - Buffering, link scheduling
- Control plane: controls the state of network elements
  - Route selection
  - RSVP, capability signaling, etc.

3 Dynamic adaptation (figure): the control plane exchanges routes over a routing session; the data plane forwards IP traffic and fails over to an alternate route. Example endpoints in the figure: bear.eecs.umich.edu (IP 141.212.110.196, prefix 141.212.0.0/16) and www.cnn.com (IP 64.236.16.52, prefix 64.236.16.0/20).

4 Consistency between them
- Consistency: (routing) state advertised by the control plane is enforced by the data plane
- Inconsistency due to
  - Routing anomalies
  - Misconfigurations
  - Protocol anomalies
  - Malicious behavior
- Main insight: use the expected consistency to identify routing problems.

5 IP hijacking
- An example routing attack
- Steal IP addresses belonging to other networks
- Also known as BGP hijacking
- Achieved by announcing unauthorized prefixes, on purpose or by accident

6 Reasons for IP hijacking
- Conduct malicious activities: spamming, illegal file sharing, advertising
- Disrupt communication of legitimate hosts: DoS attacks
- Inherent advantage: hides the attacker's identity; difficult to trace back

7 Hijacked IP Space for selling

8 Prevention through route filtering
- Analogous to ingress/egress filtering for traffic
- Filter route announcements to preclude prefixes not owned by customers
- Lack of knowledge of address blocks owned by customers
- Difficult to enforce across all networks
- Filtering impossible along peering edges

9 Our approach
- Goal: detect and thwart potential IP hijacking attempts
  - Reduce the false positive/negative rate caused by stale registry data and by other timing-based techniques
  - Light-weight and real-time detection
- Approach: real-time monitoring and active/passive fingerprinting triggered by suspicious routing updates
  - Identify conflicting data-plane fingerprints indicating "successful" IP hijacking

10 Comprehensive classification of hijacking
- Hijack only the prefix
- Hijack both the prefix and the AS number
- Hijack a subnet of an existing prefix
- Hijack a prefix subnet and the AS number

11 Hijacking only the prefix
- Attacker announces a prefix belonging to another AS using his own AS number
- Leads to MOAS (Multiple Origin AS) conflicts

12 Hijack both the prefix and AS
- Announce a path through itself to another AS and that AS's prefix
- Example: AS M announces the path [AS M, AS 1] to reach prefix 141.212.110.0/24, so the origin still appears to be AS 1

13 Hijack a subnet of an existing prefix
- In the previous attack models, the hijacker has to compete with the victim to attract traffic
- Announcing only a subnet of another's prefix avoids the competition altogether, due to the longest prefix matching rule of BGP
- No apparent MOAS conflict in the routing table, but a subMOAS (a more-specific prefix with a different origin AS)

14 Hijack a subnet of a prefix and AS number
- Announce a path to a subnet of one of the victim AS's prefixes, keeping the victim as the apparent origin
- No subMOAS conflict
- Most stealthy: almost no abnormal symptom in the routing table
- Receives all traffic for the subnet because of longest prefix matching

15 Methodology
- Monitor all route updates in real time
- Given suspicious updates, use data-plane fingerprinting to reduce the false positive/negative rate
- Key insight: a real hijacking will result in conflicting fingerprints describing the edge networks

16 Fingerprinting
- Techniques for remotely determining the characteristics or identity of devices
- Our system employs four types of fingerprints: OS detection, IP ID probing, TCP timestamp and ICMP timestamp
- Any other fingerprinting technique can be used as well, e.g. physical fingerprint

17 Feasibility of fingerprinting
- IP ID implementation in modern OSes
- Support for TCP/ICMP timestamps

18 Probe place selection
- From a single place, the probing packets can only reach either the attacker's or the victim's AS, not both. To probe both, we need multiple probing points.
- Use PlanetLab, which consists of more than 600 machines all over the world.
- Select probing places that are near the targets, in terms of AS path.

19 Detecting hijacking of a prefix
- Candidates are prefixes that have MOAS conflicts
- Build a path tree for the prefix: select PlanetLab nodes near the different origin ASes and probe live hosts in the prefix from each

20 Detecting hijacking of prefix and AS number
- Candidates are BGP updates that violate the geographical constraint: ASes adjacent in an AS path should be located in close vicinity
- The invalid path announced by the attacker is very likely to violate this constraint
- Geographical locations of prefixes and ASes can be obtained from a number of commercial and public databases such as IP2Location and Netgeo
- Netgeo record for prefix 141.212.0.0/16:
  |141.212.0.0/16|237| COUNTRY: US NAME: UMNET2 CITY: ANN ARBOR STATE: MICHIGAN LAT: 42.29 LONG: -83.72

21 Detecting hijacking of a subnet of a prefix -- reflect scan
- During hijacking, the reflected SYN/ACK packet will not reach H2, so the IP ID value of H2 will not increase
- If there is no hijacking, the reflected SYN/ACK packet will be sent to H2, so the IP ID value of H2 will increase

22 Detecting hijacking of a prefix subnet and AS number
- Candidate: every new prefix that is a subnet of some prefix already originated by its origin AS
- Edge prevalence serves as a heuristic to reduce the target space
- Combine the geographical constraint and the reflect scan

23 System architecture

24 Classifier
- For each BGP update, the classifier decides whether it is a valid update and classifies the invalid updates into separate types
- The classification results are then fed to the probing module, which selects the proper probing methods
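The classifier of slide 24 maps each update onto the taxonomy of slides 10 to 14 and 22. The following is an added example, not the authors' code: it keeps a constructed table of accepted prefix-to-origin bindings and seen AS adjacencies, and labels a new update as valid, MOAS, subMOAS, a same-origin more-specific (the type 4 candidate of slide 22), or a never-seen edge next to the origin (the pattern of slide 12, to be handed to the geographic check). The AS numbers 65001 and 7018 and the second prefix's origin are constructed values.

```python
import ipaddress

# Constructed routing state (not from the slides): prefix -> origin AS as
# learned from earlier, accepted updates. AS 237 / 141.212.0.0/16 is the
# Netgeo record shown on slide 20; AS 5662 is a constructed origin.
KNOWN_ROUTES = {
    ipaddress.ip_network("141.212.0.0/16"): 237,
    ipaddress.ip_network("64.236.16.0/20"): 5662,
}
# Constructed adjacencies already seen in accepted AS paths. The observer
# is AS 7018; AS 65001 (private range) plays the hijacker in the tests.
KNOWN_EDGES = {(7018, 237), (7018, 5662), (7018, 65001)}


def classify_update(prefix_str, as_path):
    """Return the hijack category for one BGP update.

    as_path is ordered from the observer towards the origin AS (last element).
    """
    prefix = ipaddress.ip_network(prefix_str)
    origin = as_path[-1]
    if prefix in KNOWN_ROUTES:
        # Exact prefix already in the table: same origin, or a MOAS conflict (slide 11).
        return "valid" if KNOWN_ROUTES[prefix] == origin else "prefix-hijack (MOAS)"
    # Covering prefixes of the same address family; the most specific one decides.
    covering = [p for p in KNOWN_ROUTES
                if p.version == prefix.version and prefix.subnet_of(p)]
    if not covering:
        return "new-prefix"
    best = max(covering, key=lambda p: p.prefixlen)
    if KNOWN_ROUTES[best] != origin:
        return "subnet-hijack (subMOAS)"          # slide 13
    # Same origin, new more-specific: no table anomaly at all, so it becomes a
    # type 4 candidate (slide 22) for the geographic check and reflect scan.
    return "same-origin-subnet (type 4 candidate)"


def unseen_edges(as_path):
    """Adjacencies in as_path never observed before (slide 12 inserts a fake one)."""
    return [(a, b) for a, b in zip(as_path, as_path[1:])
            if (a, b) not in KNOWN_EDGES and (b, a) not in KNOWN_EDGES]
```

An update that classifies as "valid" but carries an unseen edge next to the origin is the slide 12 case and should still go to the geographic check before it is trusted.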

25 Different signatures, example:
63.130.249.0/24|63.130.249.1|1273 3561|1273:planetlab-1.eecs.cwru.edu 3561:node1.lbnl.nodes.planet-lab.org

planetlab-1.eecs.cwru.edu:
Interesting ports on 63.130.249.1:
(The 1664 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
23/tcp   open     telnet
1214/tcp filtered fasttrack
6346/tcp filtered gnutella
6699/tcp filtered napster
No exact OS matches for host …

node1.lbnl.nodes.planet-lab.org:
Interesting ports on 63.130.249.1:
(The 1663 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
7/tcp  open  echo
9/tcp  open  discard
13/tcp open  daytime
19/tcp open  chargen
23/tcp open  telnet
No exact OS matches for host …

26 DNS anycast - valid "hijacking"
- k.root-servers.net (193.0.14.129, AS 25152)
- Violation of the geographic constraint:
  193.0.14.0/24|25152|UK:ENGLAND (country):LONDON:51.50:-0.17|1103|NL:SOUTH HOLLAND (province):THE HAGUE:52.08:4.27|312.4
- Fingerprints taken from one PlanetLab node in China and my local machine in the US
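The geographic constraint of slide 20, applied to the k.root-servers.net path of slide 26, as an added example (not the authors' code): adjacent ASes in a path are looked up in a location table and the great-circle distance of each adjacency is compared against a cutoff. The slides give no cutoff value; 200 km is an assumption here, and the AS-to-city table is constructed from the two records shown on slides 20 and 26.

```python
import math

# Constructed AS -> (country, city, lat, lon) table. AS 25152 and AS 1103 are
# the two records from slide 26; AS 237 is the slide 20 record. A deployed
# system would load this from IP2Location or Netgeo.
AS_LOCATION = {
    25152: ("UK", "LONDON", 51.50, -0.17),
    1103: ("NL", "THE HAGUE", 52.08, 4.27),
    237: ("US", "ANN ARBOR", 42.29, -83.72),
}

# Assumed cutoff for "close vicinity"; the slides do not state one.
DEFAULT_MAX_KM = 200.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def geographic_violations(as_path, max_km=DEFAULT_MAX_KM):
    """Return (as_a, as_b, distance_km) for each adjacency farther apart than max_km.

    Adjacencies with an AS missing from the table are skipped rather than
    flagged, so incomplete geo data does not produce false positives.
    """
    violations = []
    for a, b in zip(as_path, as_path[1:]):
        if a not in AS_LOCATION or b not in AS_LOCATION:
            continue
        _, _, lat_a, lon_a = AS_LOCATION[a]
        _, _, lat_b, lon_b = AS_LOCATION[b]
        d = haversine_km(lat_a, lon_a, lat_b, lon_b)
        if d > max_km:
            violations.append((a, b, round(d, 1)))
    return violations
```

For an anycast service such as K-root this flags a violation that the data-plane fingerprints (slide 27) then explain as two genuinely different hosts rather than a hijack, which is why the geographic check is only a candidate filter.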

27 K-root server results

PlanetLab node in China:
bash-2.05b# nmap -O 193.0.14.129
Interesting ports on k.root-servers.net (193.0.14.129):
(The 1664 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
53/tcp   open  domain
179/tcp  open  bgp
2601/tcp open  zebra
2605/tcp open  bgpd
Device type: general purpose
Running: FreeBSD 5.X|6.X
OS details: FreeBSD 5.2-CURRENT - 5.3 (x86) with pf scrub all, FreeBSD 5.2.1-RELEASE or 6.0-CURRENT
Uptime 119.383 days (since Mon Dec 19 22:13:54 2005)
Nmap finished: 1 IP address (1 host up) scanned in 15.899 seconds

Local machine:
[root@wing statistic]# nmap -O 193.0.14.129
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on k.root-servers.net (193.0.14.129):
(The 1667 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
53/tcp open  domain
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux 2.4.0 - 2.5.20
Uptime 26.048 days (since Thu Mar 23 06:17:24 2006)
Nmap finished: 1 IP address (1 host up) scanned in 43.319 seconds

28 Conclusion
- A comprehensive classification of IP hijacking
- Implemented hijacking detection using active correlation of the data and control planes
- Other uses of correlation:
  - Routing anomaly detection
  - Other routing attacks, e.g., stealthy attacks
  - Enforcement of routing behavior
