1 / 28

Z. Morley Mao University of Michigan

Active correlation between the control and data plane: Accurate real-time identification of IP hijacking. Z. Morley Mao University of Michigan. Data plane and control plane. Data plane: determines data packet behavior Packet forwarding Packet differentiation (e.g., ACLs)

chiku
Download Presentation

Z. Morley Mao University of Michigan

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Active correlation between the control and data plane:Accurate real-time identification of IP hijacking Z. Morley Mao University of Michigan

  2. Data plane and control plane • Data plane: determines data packet behavior • Packet forwarding • Packet differentiation (e.g., ACLs) • Buffering, link scheduling • Control plane: controls the state of network elements • Route selection • RSVP, capability signaling, etc.

  3. routes Control plane: exchange routes Fail over to alternate route : Routing session Dynamic adaptation Internet Data plane: forward traffic IP traffic www.cnn.com IP=64.236.16.52 Prefix=64.236.16.0/20 Bear.eecs.umich.edu IP=141.212.110.196 Prefix=141.212.0.0/16

  4. Consistency between them • Consistency • (Routing) state advertised by the control plane is enforced by the data plane • Inconsistency due to • Routing anomalies • Misconfigurations • Protocol anomalies • Malicious behavior • Main insight: use expected consistency to identify routing problems.

  5. IP hijacking • An example routing attack • Steal IP addresses belonging to other networks • Also known as BGP Hijacking • Achieved by announcing unauthorized prefixes on purpose or by accident

  6. Reasons for IP hijacking • Conduct malicious activities • Spamming, illegal file sharing, advertising • Disrupt communication of legitimate hosts • DoS attacks • Inherent advantage • Hide attacker’s identities • Difficult for trace back

  7. Hijacked IP Space for selling

  8. Prevention through route filtering • Analogous to ingress/egress filtering for traffic • Filter route announcements to preclude prefixes not owned by customers • Lack of knowledge of address blocks owned by customers • Difficult to enforce across all networks • Filtering impossible along peering edges

  9. Our approach • Goal: • Detect and thwart potential IP hijacking attempts • Reduce false positive/negative rate • Stale registry data • Other timing-based techniques • Light-weight and real-time detection • Approach: • Real-time monitoring and active/passive fingerprinting triggered by suspicious routing updates • Identify conflicting data-plane fingerprints indicating “successful” IP hijacking

  10. Comprehensive classification of hijacking • Hijack only the prefix • Hijack both the prefix and the AS number • Hijack a subnet of an existing prefix • Hijack a prefix subnet and the AS number

  11. Hijacking only the prefix • Attacker announces the prefixe belonging to other ASes using his own AS number. • Leading to MOAS (Multiple Origin AS) conflicts

  12. Hijack both the prefix and AS • Announce a path through itself to other ASes and their prefix • AS M announces a Path [AS M, AS 1] to reach prefix 141.212.110.0/24

  13. Hijack a subnet of an existing prefix • In previous attack models, the hijacker has to compete with victim to attract traffic. • Announcing only a subnet of other’s prefix avoids the competition altogether due to the Longest Prefix Matching rule of BGP • No apparent MOAS Conflicts in routing table! subMOAS!

  14. Hijack a subnet of a prefix and AS number • Announce a path to a subnet of one of victim AS’s Prefix • No subMOAS conflicts! Most stealthy with almost no abnormal symptom in routing table • Ability to receive all traffic because of longest prefix matching

  15. Methodology • Monitor all route updates in real time • Given suspicious updates, use data-plane fingerprinting to reduce false positive/negative rate • Our key insight: A real hijacking will result in conflicting fingerprints describing the edge networks

  16. Fingerprinting • Techniques for remotely determining the characteristics or identity of devices • Our system employs four type of fingerprints: • OS detection, IP ID probing, TCP timestamp and ICMP timestamp • Any other fingerprinting techniques can be used as well e.g. physical fingerprint

  17. Feasibility of fingerprinting • IP ID implementation in modern OS • Support for TCP/ICMP timestamp

  18. Probe place selection • From a single place, the probing packets can only reach either attacker’s or victim’s AS, not both. • To probe both, we need multiple probing points. • Use Planetlab, which consists of more than 600 machines all over the world. • Select probing places that are near the targets, in terms of AS path.

  19. Detecting hijacking a prefix • Candidates are prefixes that have MOAS conflicts. • Build path tree for the prefix: • Select Planetlab nodes near different origin ASes and probing live hosts in the prefix

  20. Detecting hijacking prefix and AS number • Candidates are BGP Updates that violates geographical constraint • ASes that are connected in AS path should be located in close vicinity. • The invalid path announced by attacker will be very likely to violate this constraint • Geographical location of prefixes and ASes can be obtained from a number of commercial and public database such as IP2Location, Netgeo • Netgeo Record for prefix 141.212.0.0/16 |141.212.0.0/16|237| COUNTRY: US NAME: UMNET2 CITY: ANN ARBOR STATE: MICHIGAN LAT: 42.29 LONG: -83.72

  21. Detecting hijacking a subnet of prefix -- reflect scan If not hijacking, the reflected SYN/ACK packet will be sent to H2 IP ID value of H2 will increase During hijacking, the reflected SYN/ACK packet will not reach H2 IP ID value of H2will not increase.

  22. Detect hijacking a prefix subnet and AS number • Candidate is every new prefix that is a subnet of some prefix in its origin AS. • Edge prevalence serves a heuristic to reduce target space • Combine geographical constraint and reflect scan

  23. System architecture

  24. Classifier • For each BGP update, classifier decides whether it is a valid update and classify those invalid updates into separate types • Then feed the classification results to probing module for selecting proper probing methods

  25. Different signatures, example: • 63.130.249.0/24|63.130.249.1|1273 3561|1273:planetlab-1.eecs.cwru.edu 3561:node1.lbnl.nodes.planet-lab.org planetlab-1.eecs.cwru.edu: Interesting ports on 63.130.249.1: (The 1664 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 23/tcp open telnet 1214/tcp filtered fasttrack 6346/tcp filtered gnutella 6699/tcp filtered napster No exact OS matches for host … node1.lbnl.nodes.planet-lab.org: Interesting ports on 63.130.249.1: (The 1663 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 7/tcp open echo 9/tcp open discard 13/tcp open daytime 19/tcp open chargen 23/tcp open telnet No exact OS matches for host …

  26. DNS Anycast - valid hijacking • k.root-servers.net (193.0.14.129:25152) • Violation of geographic constraint: • 193.0.14.0/24|25152|UK:ENGLAND (country):LONDON:51.50:-0.17|1103|NL:SOUTH HOLLAND (province):THE HAGUE:52.08:4.27|312.4 • Fingerprint from one planetlab in China and my local machine in US

  27. K-root server results Local Machine [root@wing statistic]# nmap -O 193.0.14.129 Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port Interesting ports on k.root-servers.net (193.0.14.129): (The 1667 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE 53/tcp open domain Device type: general purpose Running: Linux 2.4.X|2.5.X OS details: Linux 2.4.0 - 2.5.20 Uptime 26.048 days (since Thu Mar 23 06:17:24 2006) Nmap finished: 1 IP address (1 host up) scanned in 43.319 seconds Planetlab in China bash-2.05b# nmap -O 193.0.14.129 Interesting ports on k.root-servers.net (193.0.14.129): (The 1664 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 53/tcp open domain 179/tcp open bgp 2601/tcp open zebra 2605/tcp open bgpd Device type: general purpose Running: FreeBSD 5.X|6.X OS details: FreeBSD 5.2-CURRENT - 5.3 (x86) with pf scrub all, FreeBSD 5.2.1-RELEASE or 6.0-CURRENT Uptime 119.383 days (since Mon Dec 19 22:13:54 2005) Nmap finished: 1 IP address (1 host up) scanned in 15.899 seconds

  28. Conclusion • A comprehensive classification of IP hijacking • Implemented hijacking detection using active correlation of data and control plane • Other uses of correlation: • Routing anomaly detection • Other routing attacks: e.g., stealthy attacks. • Enforcement of routing behavior

More Related