Presentation is loading. Please wait.

Presentation is loading. Please wait.

Auto-Detecting Hijacked Prefixes?

Published bySibyl Bennett Modified over 6 years ago

Similar presentations

Presentation on theme: "Auto-Detecting Hijacked Prefixes?"— Presentation transcript:

1 Auto-Detecting Hijacked Prefixes?
Geoff Huston APNIC @APNIC 20 September 2005

2 Address Hijacking Is the unauthorized use of an address prefix as an advertised route object on the Internet It’s not a bogon the address block has been assigned by an RIR for use It may include identity fraud this may involve misrepresentation of identity in order to undertake a database change It’s commonly associated with identity cloaking Spam generation, attack launching platforms, etc How prevalent is this? Very hard to isolate hijacking incidents

3 What is a hijack signature?
What address blocks would not be noticed if they were used for a short period? Has been unadvertised for a ‘long time’ Is used only for a ‘short time’ Uses an entirely different origin AS and first hop AS Is not covered by an aggregate announcement Reannouncement interval idle interval

4 Data Collections Aggregated BGP route collection data
Can provide information for any prefix: When was this prefix advertised and withdrawn? What was the announcing AS? What was the first hop AS? What other prefixes were also advertised at the same time?

5 Noise reduction in BGP data
BGP update logs are possibly unhelpful here The high frequency noise of BGP convergence is different from the longer frequency signal of prefix use through network connectivity and prefix advertisement Use successive static BGP snapshots Highest frequency component of 2 hours reduces protocol-induced noise levels in the data

6 Initial results Readvertisement of prefixes with different Origin AS and First Hop AS

7 2nd Pass Very short window announce
> 2 months down, < 3 days up, > 1 month down

8 3rd Pass Short window > 2 months down, days up, > 1 month down

9 Some comments Address announcement patterns do not appear to be a reliable hijack indicator in isolation. There is no clear signature in the patterns of prefix appearance that forms a reliable indicator of misuse. Address use profiles can assist in the process of identifying address hijacking for suspect prefixes. Additional information is necessary to reliably identify candidate hijack prefixes. Careful checking of the provenance of an address before accepting it into the routing system make good sense But thorough checks of a prefix’s history of use as a precondition to accepting it into the local routing session as a valid advertisement consume time and increase an ISPs’ operating overhead costs

10 It’s not a very reassuring answer.

11 Address and Routing Security
The basic routing payload security questions that need to be answered are: Is this a valid address prefix? Who injected this address prefix into the network? Did they have the necessary credentials to inject this address prefix? Is the forwarding path to reach this address prefix an acceptable representation of the network’s forwarding state?

12 Address and Routing Security
What we have today is a relatively insecure system that is vulnerable to various forms of deliberate disruption and subversion Address hijacking is just one aspect of the insecurity of the Internet’s routing system

13 What I really would like to see…
The use of a public key infrastructure to support attestations that allow automated validation of: the authenticity of the address object being advertised authenticity of the origin AS the explicit authority given from the address to AS that permits a routing announcement

14 What would also be good…
If the attestation referred to the address allocation path use of an RIR issued certificate to validate the attestation signature chain If the attestation was associated with the route advertisement Such attestations to be carried in BGP as an Update attribute If validation these attestations was treated as a route object preference indicator Attestation validation to be a part of the BGP route acceptance process

15 But… We are nowhere near where we need to be:
We need more than “good router housekeeping” – it’s trusting the protocol payload as well as trusting the protocol’s operation and the routing engines We need so much more than piecemeal distributed 2nd hand bogon and martian lists, filters and heuristics about use patterns for guessing at ‘bad’ addresses and ‘bad’ routes We need to adopt some basic security functions into the Internet’s routing domain: Injection of reliable trustable data Address and AS certificate PKI as the base of validation of network data Explicit verifiable mechanisms for integrity of data distribution Adoption of some form of certification mechanism to support validation of distributed address and routing information

16 Oh yes, and about address hijacking…
This type of resource security framework would make address hijacking much harder to perform!

17 Questions? Thank You!

Download ppt "Auto-Detecting Hijacked Prefixes?"

Similar presentations

RPKI Standards Activity Geoff Huston APNIC February 2010.

RPKI Standards Activity Geoff Huston APNIC February 2010.
An Operational Perspective on Routing Security Geoff Huston Chief Scientist, APNIC.

An Operational Perspective on Routing Security Geoff Huston Chief Scientist, APNIC.
Update on Resource Certification Geoff Huston, APNIC Mark Kosters, ARIN SSAC Meeting, March 2008.

Update on Resource Certification Geoff Huston, APNIC Mark Kosters, ARIN SSAC Meeting, March 2008.
An Operational Perspective on BGP Security Geoff Huston February 2005.

An Operational Perspective on BGP Security Geoff Huston February 2005.
Experimental Internet Resource Allocations Philip Smith, Geoff Huston September 2002.

Experimental Internet Resource Allocations Philip Smith, Geoff Huston September 2002.
The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.

The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.
RPKI and Routing Security ICANN 44 June 2012. Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.

RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.
ROAs and Detecting “Bad” Originations Geoff Huston SIDR WG IETF 74.

ROAs and Detecting “Bad” Originations Geoff Huston SIDR WG IETF 74.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.

An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
Information-Centric Networks04c-1 Week 4 / Paper 3 A Survey of BGP Security Issues and Solutions –Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer.

Information-Centric Networks04c-1 Week 4 / Paper 3 A Survey of BGP Security Issues and Solutions –Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
Securing BGP Geoff Huston November 2007. Agenda An Introduction to BGP BGP Security Questions Current Work Research Questions.

Securing BGP Geoff Huston November Agenda An Introduction to BGP BGP Security Questions Current Work Research Questions.
BGP update profiles and the implications for secure BGP update validation processing Geoff Huston Swinburne University of Technology PAM2007 5 April 2007.

BGP update profiles and the implications for secure BGP update validation processing Geoff Huston Swinburne University of Technology PAM April 2007.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.

Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
Some Lessons Learned from Designing the Resource PKI Geoff Huston Chief Scientist, APNIC May 2007.

Some Lessons Learned from Designing the Resource PKI Geoff Huston Chief Scientist, APNIC May 2007.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC.

A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC.
Inter-domain Routing security Problems Solutions.

Inter-domain Routing security Problems Solutions.
An Operational Perspective on Routing Security Geoff Huston Chief Scientist, APNIC November 2006.

An Operational Perspective on Routing Security Geoff Huston Chief Scientist, APNIC November 2006.

Similar presentations

Ads by Google