Presentation is loading. Please wait.

Presentation is loading. Please wait.

Locating Prefix Hijackers using LOCK Tongqing Qiu +, Lusheng Ji *, Dan Pei * Jia Wang *, Jun (Jim) Xu +, Hitesh Ballani ++ + College of Computing, Georgia.

Published byLauren Mayhall Modified over 9 years ago

Similar presentations

Presentation on theme: "Locating Prefix Hijackers using LOCK Tongqing Qiu +, Lusheng Ji *, Dan Pei * Jia Wang *, Jun (Jim) Xu +, Hitesh Ballani ++ + College of Computing, Georgia."— Presentation transcript:

1 Locating Prefix Hijackers using LOCK Tongqing Qiu +, Lusheng Ji *, Dan Pei * Jia Wang *, Jun (Jim) Xu +, Hitesh Ballani ++ + College of Computing, Georgia Tech *AT&T Lab – Research ++ Department of Computer Science, Cornell University 1

2 Outline Background & Motivation System Architecture Basic algorithm and improvements Evaluation Conclusion 2

3 Background 3 Autonomous System (AS) Border Gateway Protocol (BGP) Profit-driven policy AS B AS E AS D AS A AS C I own prefix p! AS Path: BE AS Path: ABE AS Path: DE AS Path: CBE Peer-Peer Customer-provider AS update message CBE or CDE?

4 Background (cont.) 44 AS B AS E AS D AS A AS C AS Path: CBE Peer-Peer Customer-provider AS update message I own prefix p! AS Path: CBA AS Path: BA BGP lacks authentication Fabricated AS announcement Prefix hijacking blackholing imposture interception p

5 State of Art Proactive – Prevent the happenings of hijacks e.g. [Kent et al. JSAC 00] [Aiello et al. CCS 03], [Subramanian et al. NSDI 04], [Karlin et al. ICNP 06], etc. – Deployment issues: Routing infrastructure modification Difficulties of incremental deployment PKI requirement Reactive – Detection e.g. [Lad et al. Usenix Secuirty 06], [ Ballani et al. Sigcomm 07], [ Zheng et al. Sigcomm 07], [Hu et al. IEEE S&P 07], [ Zhang et al. Sigcomm 08], etc. – Recovery e.g. [ Zhang et al. CoNext 07] 5

6 A Complete and Automated Solution? Locating is important – Provide key information for recovery/mitigation Locating is not trivial – Current practice Indentify newly appeared origin AS of prefix p 6 Detect Recover Locate C C D D E E A A B B BA CBA BAE CBAE announce AE p

7 System Architecture of LOCK 7 AS B AS E AS D AS A AS C Peer-Peer Customer-provider Input: Target prefix p Output: A is the hijacker! p

8 Key Components of LOCK Monitor Selection (from candidates) – Maximize the likelihood of observing hijacking events on the target prefix – Maximize the diversity of paths from monitors to the target prefix Locating Scheme – Using AS path information – Infer the hijacker location (how?) 8

9 Two key observations Countermeasure ability – The hijacker cannot manipulate the portion of AS path from a polluted vantage point to the upstream neighbor AS of the hijacker AS 9 M1M1 M1M1 M2M2 M2M2 M3M3 M3M3 A A B B C C H H X X Y Y Z Z T T D D T owns prefix p AH BH H H H H AX BX X X X X

10 Two key observations Convergence: The trustworthy portion of polluted AS paths from multiple vantage points to a hijacked victim AS prefix converge around the hijacker AS (based on real AS topology). 10 M1M1 M1M1 M2M2 M2M2 M3M3 M3M3 A A B B C C H H X X Y Y Z Z T T D D AH BH H H H H AX BX X X X X converge at H converge at X? p

11 Basic Locating Algorithm Indentifying hijacker search space – Neighborset of one AS: ASes one-hop away (include itself) – Based on existing AS topology – The union of neighborset of all ASes on all polluted paths (why?) – The hijacker should be in the space (based on observation 1) Ranking all ASes in the search space – Based on observation 2 – The more frequently an AS appears, the higher its ranking is – Tie breaker: The closer an AS to the monitors, the higher its ranking is 11

12 Basic Locating Algorithm Example 12 M1M1 M1M1 M2M2 M2M2 M3M3 M3M3 A A B B C C H H X X Y Y Z Z T T D D MonitorsPolluted AS PATHNeighbor SetHijacker List M1A X(A H) ( H X Y)H > ( 4 times) X > Y > (2 times) A = B > C (once) M2B X(B H C) (H X Y) AX BX X X X X p

13 Improvements Search space of basic algorithm – Trim the suspect list Improvement I: AS relationship – Basic algorithm neighborset – Valley free – Trim the neighorset on “trustworthy” ASes Improvement II: excluding “innocent” ASes Two improvements may introduce false negative 13

14 Evaluation Three sets of experiments: – Simulating synthetic prefix hijacking events – Reconstructed previous known hijacking events – Real prefix hijacking events 14

15 Simulating Synthetic Prefix Hijacking Events Hijacker h and source s from 73 Planetlab nodes – http://www.planet-lab.org/ http://www.planet-lab.org/ 451 Target prefix t – Multiple Origin ASes (MOAS) prefix – Single Origin Ases with large traffic – Popular website (based on Alexa ranking) Emulate all possible hijacking events – Based on the combination of (s, h, t) – Imposture, interception, and malicious (countermeasure) cases Monitor selection – From Planetlab nodes – Based on the target prefix 15

16 Effectiveness and Improvement The accuracy of basic algorithm is 85%+ Combine both improvements, the accuracy is up to 94.3% False negative ratio is relatively low. 16

17 Reconstruct Previously-known Hijacking Events 7 hijacking events Locate all hijackers 17

18 Real Hijacking Events 18 Internet Seattle BerkeleyPittsburgh Cornell Prefix: 204.9.168.0/22 victim hijacker

19 Real Hijacking Events (cont.) 19

20 Conclusion LOCK to locate prefix hijacker ASes – First study of hijacker location problem – Locate the hijacker even when countermeasures are engaged – Extensively evaluation illustrates high location accuracy 20

21 Acknowledgement Authors Tongqing Qiu and Jun (Jim) Xu would like to acknowledge the generous support from the NSF CyberTrust program (specifically CNS 0716423) 21

22 Thanks You! Questions 22

Download ppt "Locating Prefix Hijackers using LOCK Tongqing Qiu +, Lusheng Ji *, Dan Pei * Jia Wang *, Jun (Jim) Xu +, Hitesh Ballani ++ + College of Computing, Georgia."

Similar presentations

Data Mining Challenges for Network Management Nick Feamster, Georgia Tech Dave Andersen, CMU (joint with Jay Lepreau and Emulab)

Data Mining Challenges for Network Management Nick Feamster, Georgia Tech Dave Andersen, CMU (joint with Jay Lepreau and Emulab)
Security in Mobile Ad Hoc Networks

Security in Mobile Ad Hoc Networks
LASTor: A Low-Latency AS-Aware Tor Client

LASTor: A Low-Latency AS-Aware Tor Client
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.

Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.

CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.
Consensus Routing: The Internet as a Distributed System 2009. 2. 26 John P. John, Ethan Katz-Bassett, Arvind Krishnamurthy, and Thomas Anderson Presented.

Consensus Routing: The Internet as a Distributed System John P. John, Ethan Katz-Bassett, Arvind Krishnamurthy, and Thomas Anderson Presented.
SPV: Secure Path Vector Routing for Securing BGP Leonel Ocsa Sáchez School of Computer Science.

SPV: Secure Path Vector Routing for Securing BGP Leonel Ocsa Sáchez School of Computer Science.
By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.

By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.
LightFlood: An Optimal Flooding Scheme for File Search in Unstructured P2P Systems Song Jiang, Lei Guo, and Xiaodong Zhang College of William and Mary.

LightFlood: An Optimal Flooding Scheme for File Search in Unstructured P2P Systems Song Jiang, Lei Guo, and Xiaodong Zhang College of William and Mary.
Progress in inferring business relationships between ASs Dmitri Krioukov 4 th CAIDA-WIDE Workshop.

Progress in inferring business relationships between ASs Dmitri Krioukov 4 th CAIDA-WIDE Workshop.
Edith C. H. Ngai1, Jiangchuan Liu2, and Michael R. Lyu1

Edith C. H. Ngai1, Jiangchuan Liu2, and Michael R. Lyu1
1 Towards Secure Interdomain Routing For Dr. Aggarwal 60-592 Win 2004.

1 Towards Secure Interdomain Routing For Dr. Aggarwal Win 2004.
BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011.

BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011.
1 Finding a Needle in a Haystack: Pinpointing Significant BGP Routing Changes in an IP Network Jian Wu (University of Michigan) Z. Morley Mao (University.

1 Finding a Needle in a Haystack: Pinpointing Significant BGP Routing Changes in an IP Network Jian Wu (University of Michigan) Z. Morley Mao (University.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
An Authentication Service Based on Trust and Clustering in Wireless Ad Hoc Networks: Description and Security Evaluation Edith C.H. Ngai and Michael R.

An Authentication Service Based on Trust and Clustering in Wireless Ad Hoc Networks: Description and Security Evaluation Edith C.H. Ngai and Michael R.
Improving BGP Convergence Through Consistency Assertions Dan Pei, Lan Wang, Lixia Zhang UCLA Xiaoliang Zhao, Daniel Massey, Allison Mankin, USC/ISI S.

Improving BGP Convergence Through Consistency Assertions Dan Pei, Lan Wang, Lixia Zhang UCLA Xiaoliang Zhao, Daniel Massey, Allison Mankin, USC/ISI S.
Accurate Real-Time Identification of IP Prefix Hijacking Z. Morley Mao Xin Hu 2007 IEEE Symposium on and Privacy Oakland, California 2007 IEEE Symposium.

Accurate Real-Time Identification of IP Prefix Hijacking Z. Morley Mao Xin Hu 2007 IEEE Symposium on and Privacy Oakland, California 2007 IEEE Symposium.
Slide -1- February, 2006 Interdomain Routing Gordon Wilfong Distinguished Member of Technical Staff Algorithms Research Department Mathematical and Algorithmic.

Slide -1- February, 2006 Interdomain Routing Gordon Wilfong Distinguished Member of Technical Staff Algorithms Research Department Mathematical and Algorithmic.

Similar presentations

Ads by Google