Presentation is loading. Please wait.

Presentation is loading. Please wait.

Accurate Real-Time Identification of IP Prefix Hijacking Z. Morley Mao Xin Hu 2007 IEEE Symposium on and Privacy Oakland, California 2007 IEEE Symposium.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Accurate Real-Time Identification of IP Prefix Hijacking Z. Morley Mao Xin Hu 2007 IEEE Symposium on and Privacy Oakland, California 2007 IEEE Symposium."— Presentation transcript:

1 Accurate Real-Time Identification of IP Prefix Hijacking Z. Morley Mao Xin Hu 2007 IEEE Symposium on and Privacy Oakland, California 2007 IEEE Symposium on Security and Privacy Oakland, California

2 IEEE Symposium on Security and Privacy May 2007 2 Outline Introduction Taxonomy of IP prefix hijacking Proposed approach of combining control and data plane information Implementation and results Conclusion

3 IEEE Symposium on Security and Privacy May 2007 3 Outline Introduction Taxonomy of IP prefix hijacking Proposed approach of combining control and data plane information Implementation and results Conclusion

4 IEEE Symposium on Security and Privacy May 2007 4 IP prefix hijacking Fraudulent origin attack Steal IP prefixes belonging to other networks Announce unauthorized prefixes through BGP Can also result from network misconfiguration

5 IEEE Symposium on Security and Privacy May 2007 5 Motivation Existing solutions  Route filters  Short-lived announcements [Boothe06]  Anomalous routing information [Lad06] Control plane + Data plane  Control plane anomalies trigger real-time detection  Data plane fingerprints provide confirmative evidence  Real-time and accurate identification of prefix hijacking  Insufficient due to multi-homing  Solely rely on Control plane  High false positive and false negative

6 IEEE Symposium on Security and Privacy May 2007 6 Outline Introduction Taxonomy of IP prefix hijacking Proposed approach of combining control and data plane information Implementation and results Conclusion

7 IEEE Symposium on Security and Privacy May 2007 7 Prefix announcements IEEE Symposium on Security and Privacy May 2007 AS 1AS 2 AS 3 AS 4 AS 5 PrefixPath 1.2.0.0/161 PrefixPath 1.2.0.0/162, 1 PrefixPath 1.2.0.0/162, 1 Advertise 1.2.0.0/16 PrefixPath 1.2.0.0/164, 2, 1 1.2.0.0/16 Path: 1 1.2.0.0/16 Path: 2, 1 1.2.0.0/16 Path: 4, 2, 1 1.2.0.0/16 Path: 3, 2, 1

8 IEEE Symposium on Security and Privacy May 2007 8 Type 1: Hijack a prefix AS 1AS 2 AS 3 AS 4 AS 5 PrefixPath 1.2.0.0/161 PrefixPath 1.2.0.0/162, 1 PrefixPath 1.2.0.0/162, 1 1.2.0.0/16 path: 5 PrefixPath 1.2.0.0/165 PrefixPath 1.2.0.0/164, 5 MOAS (Multiple Origin AS) Advertise 1.2.0.0/16 1.2.0.0/16 path: 4, 5

9 IEEE Symposium on Security and Privacy May 2007 9 Type 2: Hijack a prefix and its AS number AS 1AS 2 AS 3 AS 4 AS 5 PrefixPath 1.2.0.0/161 PrefixPath 1.2.0.0/162, 1 PrefixPath 1.2.0.0/162, 1 1.2.0.0/16 Path: 5, 1 PrefixPath 1.2.0.0/165, 1 1.2.0.0/16 Path: 4, 5, 1 NO MOAS! Advertise 1.2.0.0/16 Advertise a path to 1.2.0.0/16

10 IEEE Symposium on Security and Privacy May 2007 10 Type 3: Hijack a subnet of a prefix AS 1AS 2 AS 3 AS 4 AS 5 PrefixPath 1.2.0.0/161 PrefixPath 1.2.0.0/162, 1 PrefixPath 1.2.0.0/162, 1 1.2.3.0/24 path: 5 1.2.3.0/24 Path: 4, 5 PrefixPath 1.2.3.0/245 1.2.0.0/162, 1 PrefixPath 1.2.3.0/244,5 1.2.0.0/162,1 PrefixPath 1.2.3.0/244,5 1.2.0.0/161 No MOAS! Advertise 1.2.3.0/ 24 SubMOAS! Advertise 1.2.0.0/ 16

11 IEEE Symposium on Security and Privacy May 2007 11 Longest prefix matching IEEE Symposium on Security and Privacy May 2007 Attacker is able to attract all traffic AS 1AS 2 AS 3 AS 4 AS 5 PrefixPath 1.2.0.0/162, 1 PefixPath 1.2.3.0/245 1.2.0.0/162, 1 PrefixPath 1.2.3.0/244,5 1.2.0.0/162, 1 PrefixPath 1.2.3.0/244,5 1.2.0.0/161 Send packet to 1.2.3.4 in AS 1 Longest Prefix Matching Advertise 1.2.3.0/ 24 Advertise 1.2.0.0/ 16

12 IEEE Symposium on Security and Privacy May 2007 12 Type 4: Hijack a subnet of a prefix and AS number IEEE Symposium on Security and Privacy May 2007 AS 1AS 2 AS 3 AS 4 AS 5 PrefixPath 1.2.0.0/161 PrefixPath 1.2.0.0/162, 1 PrefixPath 1.2.0.0/162, 1 1.2.3.0/24 path 5, 1 1.2.3.0/24 Path: 4, 5,1 PrefixPath 1.2.3.0/245,1 1.2.0.0/162, 1 PrefixPath 1.2.3.0/244,5,1 1.2.0.0/162, 1 PrefixPath 1.2.3.0/244,5,1 1.2.0.0/161 Neither MOAS Nor SubMOAS! Advertise a path to 1.2.3.0/ 24 Advertise 1.2.0.0/ 16 Longest Prefix Matching

13 IEEE Symposium on Security and Privacy May 2007 13 Outline Introduction Taxonomy of IP prefix hijacking Proposed approach of combining control and data plane information Implementation and results Conclusion

14 IEEE Symposium on Security and Privacy May 2007 14 Control plane information alone is insufficient False positive  Legitimate reasons for anomalous routing updates  Multi-homing with static link AS 3 AS 2 1.2.3.0/24 path: 1 AS 1 1.2.3.0/24 static link or IGP route 1.2.3.0/24 path: 2,1 1.2.3.0/24 path: 3 aggregation MOAS! AS 2 1.2.0.0/16 AS 1 1.2.3.0/24 AS 3 5.6.0.0/16 1.2.3.0/24 path: 1 1.2.0.0/16 path: 2 1.2.3.0/24 path: 1 1.2.3.0/24 path: 3, 1 subMOAS!

15 IEEE Symposium on Security and Privacy May 2007 15 Control plane information alone is insufficient False positive  Legitimate reasons for anomalous routing updates  Multi-homing with static link and aggregation False negative  AS-level path may not match the forwarding path  Type 2 and type 4 attack do not lead to control plane anomalies

16 IEEE Symposium on Security and Privacy May 2007 16 Proposed approach Combine control plane and data plane information  A successful hijacking will result in conflicting data plane fingerprints  A hijacking attempt cannot affect the entire network, especially the network topologically close to the victim Fingerprinting-based consistency check  For valid MOAS and subMOAS, there is only one owner for the prefix  For real hijacking, traffic from different locations may arrive at true owner or attackers  Same data plane fingerprints  conflicting fingerprints

17 IEEE Symposium on Security and Privacy May 2007 17 Fingerprinting techniques Determine characteristics of remote hosts or networks by sending probe packets Host-based fingerprinting  Host Operating System detection  IP Identifier (IPID) probing  Timestamp probing (ICMP and TCP timestamp)  Reflect-scan Network fingerprinting  Firewall policies  Resource properties (e.g., bandwidth)  Edge router characteristics

18 IEEE Symposium on Security and Privacy May 2007 18 Detection of prefix hijack AS 1 AS 2 AS 3 AS 4 AS 5 PrefixPath 1.2.0.0/162, 1 PrefixPath 1.2.0.0/162, 1 Advertise 1.2.0.0/16 PrefixPath 1.2.0.0/165 PrefixPath 1.2.0.0/164, 5 Advertise 1.2.0.0/16 1.2.3.4 PrefixPath 1.2.0.0/161 Fingerprint 1.2.3.4 probing server

19 IEEE Symposium on Security and Privacy May 2007 19 Detection of prefix and AS hijacking Problem  Attackers avoid MOAS conflicts by retaining correct origin AS  Checking all updates is prohibitively expensive Heuristics for detecting the fake AS edge  Edge popularity constraint  Geographic constraint  Relationship constraint [ Kruegel2003 ] Violation of these constraints triggers fingerprinting check

20 IEEE Symposium on Security and Privacy May 2007 20 Detection of prefix subnet hijacking Problem  Attackers avoid MOAS conflicts by hijacking a subnet  longest prefix matching AS 1 AS 2 AS 3 AS 4 AS 5 Advertise 1.2.3.0/24 Advertise 1.2.0.0/16 1.2.3.4 fingerprint 1.2.3.4 PrefixPath 1.2.3.0/245 1.2.0.0/162, 1 PrefixPath 1.2.3.0/244,5 1.2.0.0/162, 1 PrefixPath 1.2.3.0/244,5 1.2.0.0/161

21 IEEE Symposium on Security and Privacy May 2007 21 Detection of prefix subnet hijacking (Cont.) Identify subMOAS conflicts  Newly announced prefixes which is part of existing prefix Customer-provider relationship check  Assume provider and customer will not hijack one another Reflect-scan to detect subnet hijacking  IGP routing within victim AS is unaffected  Use IP spoofing to solicit traffic inside victim AS  Predictable IP ID increment in IP packet

22 IEEE Symposium on Security and Privacy May 2007 22 Summary of detection techniques IEEE Symposium on Security and Privacy May 2007 Limitations  Detection is triggered by anomalous updates  Limited number of vantage points  Firewall blocks probing packets  Ingress filtering Attack Type Monitored Routing Updates Detection Technique Hijack prefixMOAS updates Fingerprinting-based consistency check (FP check) Hijack prefix & ASAll updates Edge, geographic, and relationship (EGR) constraints, FP check Hijack subnet prefixsubMOAS updates Customer-provider (C-P) check, reflect-scan Hijack subnet prefix & ASNew, non-subMOAS updatesEGR constraints, reflect-scan

23 IEEE Symposium on Security and Privacy May 2007 23 Outline Introduction Taxonomy of IP prefix hijacking Proposed approach of combining control and data plane information Implementation and results Conclusion

24 IEEE Symposium on Security and Privacy May 2007 24 Prototype Implementation Data Set  BGP data set: RouteView + Our own BGP monitor  Probe location: Planetlab testbed  Live IP addresses: DNS and Web Server log + lightweight ping  Prefix Geographic information: NetGeo from CAIDA Fingerprinting  OS detection and TCP timestamp: Nmap v 3.95  IPID and ICMP timestamp: Ruby in planetlab  Reflect-scan: hping v2

25 IEEE Symposium on Security and Privacy May 2007 25 Results 2 weeks’ monitoring period Real time BGP data from our BGP monitor Attack Type Anomalous updatesTotal number Avg rate /15 min Suspicious updates (After F-P check) 1MOAS conflicts36850.52332 2Violate EGR constraints172052.43594 3 subMOAS conflicts (after C-P check) 33800.47594 4 New non-subMOAS prefix that viiolate EGR constraints 11950.1785

26 IEEE Symposium on Security and Privacy May 2007 26 Potential attack (type 1)

27 IEEE Symposium on Security and Privacy May 2007 27 Potential attack (type 2)

28 IEEE Symposium on Security and Privacy May 2007 28 DNS anycast validation IP anycast of root DNS server  Multiple server support same service under same IP address  5 out of 13 DNS servers use anycast (C, F, I, J and K) Legitimate type 2 hijack attack  Hijack both prefix and AS number  Our system successfully detect 4 of them  C-root server doesn’t violate EGR check

29 IEEE Symposium on Security and Privacy May 2007 29 Fingerprints for F root server

30 IEEE Symposium on Security and Privacy May 2007 30 Correlation with spam data Hijacked IP prefixes are often used for spamming  Correlate identified suspicious updates with Spam source IPs  Non-negligible correlation between hijacking and spamming Time interval between identification of suspicious updates and the arrival of spam Type# of suspicious prefix # of matched prefix # of matched prefixes within the time window 1 h6 h1 d 1332281925 259491347487 31511048 4851151011 Correlation between detected suspicious prefixes and spam sources.

31 IEEE Symposium on Security and Privacy May 2007 31 Conclusion IEEE Symposium on Security and Privacy May 2007 Propose a framework for accurate real-time detection of IP prefix hijacking attacks Exploit a novel insight that a real hijacking will result in conflicting data-plane fingerprints Propose detailed classification of hijacking attacks and the detection algorithm for each type Achieve significant reduction in both false positives and false negatives

32 IEEE Symposium on Security and Privacy May 2007 32 Paper-2 A Light-Weight Distributed Scheme for Detecting IP Prefix Hijacks in Real-Time In SIGCOMM’07

33 IEEE Symposium on Security and Privacy May 2007 33 Key observations If a prefix is hijacked, the paths observed from certain vantage points to the prefix would likely exhibit significant changes. The path from a source to a prefix is almost always a super-path of the path from the same source to a reference point along the previous path, as long as the reference point is topologically close to the prefix.

34 IEEE Symposium on Security and Privacy May 2007 34 High-level Methodology and Results Detect the suspicious hijacking using the first observation Confirm the real hijacking using the second observation Result is surprising good, 0.5% false positive and false negative. (which is really beyond my expectation, why?)

35 IEEE Symposium on Security and Privacy May 2007 35 Comparison between the two paper Paper 1Paper 2 Simplicity control + data√ data Real-time effect analysis -> probing √ online probing Accuracy √ Probing overhead √ targeted brute-force

36 IEEE Symposium on Security and Privacy May 2007 36 My thinking (a 100% detection) Observation ? (my guess) - hijacked prefixes and victim prefixes are not identically used. Hijacked addresses may be little used ? Proposed Method - Why not use a very simple and 100% accurate method, PING!!! Just ping the sampled addresses, to detect reachable or unreachable. Merits - Very simple, easy to deploy, no false positive and false negative, comparable overhead with previous work, no other assistance is need! Opportunity - I search online, nobody do so! Want to discuss with all of you - Why cannot we just do so?

Download ppt "Accurate Real-Time Identification of IP Prefix Hijacking Z. Morley Mao Xin Hu 2007 IEEE Symposium on and Privacy Oakland, California 2007 IEEE Symposium."

Similar presentations

Zhiyun Qian, Z. Morley Mao (University of Michigan)

Zhiyun Qian, Z. Morley Mao (University of Michigan)
Locating Prefix Hijackers using LOCK Tongqing Qiu +, Lusheng Ji *, Dan Pei * Jia Wang *, Jun (Jim) Xu +, Hitesh Ballani ++ + College of Computing, Georgia.

Locating Prefix Hijackers using LOCK Tongqing Qiu +, Lusheng Ji *, Dan Pei * Jia Wang *, Jun (Jim) Xu +, Hitesh Ballani ++ + College of Computing, Georgia.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.

Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.

BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.
Seongcheol Hong, POSTECHPhD Thesis Defense 1/30 Network Reachability-based IP Prefix Hijacking Detection - PhD Thesis Defense - Seongcheol Hong Supervisor:

Seongcheol Hong, POSTECHPhD Thesis Defense 1/30 Network Reachability-based IP Prefix Hijacking Detection - PhD Thesis Defense - Seongcheol Hong Supervisor:
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.

By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Active correlation between the control and data plane: Accurate real-time identification of IP hijacking Z. Morley Mao University of Michigan.

Active correlation between the control and data plane: Accurate real-time identification of IP hijacking Z. Morley Mao University of Michigan.
Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.

Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.
1 A survey of Internet Topology Discovery. 2 Outline Motivations Internet topology IP Interface Level Router Level AS Level PoP Level.

1 A survey of Internet Topology Discovery. 2 Outline Motivations Internet topology IP Interface Level Router Level AS Level PoP Level.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
SAVE: Source Address Validity Enforcement Protocol Jun Li, Jelena Mirković, Mengqiu Wang, Peter Reiher and Lixia Zhang UCLA Computer Science Dept 10/04/2001.

SAVE: Source Address Validity Enforcement Protocol Jun Li, Jelena Mirković, Mengqiu Wang, Peter Reiher and Lixia Zhang UCLA Computer Science Dept 10/04/2001.
Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.

Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.

Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.
On the Effectiveness of Route- Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets Kihong Park and Heejo Lee Network Systems.

On the Effectiveness of Route- Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets Kihong Park and Heejo Lee Network Systems.
Measurement and Monitoring Nick Feamster Georgia Tech.

Measurement and Monitoring Nick Feamster Georgia Tech.
Sagar Vemuri (slides, courtesy Z. Morley Mao and Mohit Lad)

Sagar Vemuri (slides, courtesy Z. Morley Mao and Mohit Lad)
Verification in Routing Protocols Lakshminarayanan Subramanian Sahara Retreat, Jan 2004.

Verification in Routing Protocols Lakshminarayanan Subramanian Sahara Retreat, Jan 2004.

Similar presentations

Ads by Google