
Accurate Real-Time Identification of IP Prefix Hijacking



  1. Accurate Real-Time Identification of IP Prefix Hijacking. Z. Morley Mao, Xin Hu. 2007 IEEE Symposium on Security and Privacy, Oakland, California

  2. Outline • Introduction • Taxonomy of IP prefix hijacking • Proposed approach of combining control and data plane information • Implementation and results • Conclusion

  3. Outline • Introduction • Taxonomy of IP prefix hijacking • Proposed approach of combining control and data plane information • Implementation and results • Conclusion

  4. IP prefix hijacking • Fraudulent origin attack • Steal IP prefixes belonging to other networks • Announce unauthorized prefixes through BGP • Can also result from network misconfiguration

  5. Motivation • Existing solutions • Route filters (insufficient due to multi-homing) • Short-lived announcements [Boothe06] • Anomalous routing information [Lad06] (solely rely on the control plane, so high false positives and false negatives) • Control plane + Data plane • Control plane anomalies trigger real-time detection • Data plane fingerprints provide confirmative evidence • Real-time and accurate identification of prefix hijacking

  6. Outline • Introduction • Taxonomy of IP prefix hijacking • Proposed approach of combining control and data plane information • Implementation and results • Conclusion

  7. Prefix announcements [diagram: AS 1 advertises 1.2.0.0/16; AS 2 receives path 1; AS 3 and AS 4 receive path 2, 1; AS 5 receives path 3, 2, 1 from AS 3 and path 4, 2, 1 from AS 4]

  8. Type 1: Hijack a prefix [diagram: AS 1 advertises 1.2.0.0/16; AS 5 also advertises 1.2.0.0/16 with path 5, and AS 4 propagates it with path 4, 5 → MOAS (Multiple Origin AS)]

  9. Type 2: Hijack a prefix and its AS number [diagram: AS 1 advertises 1.2.0.0/16; AS 5 advertises a path to 1.2.0.0/16 with path 5, 1, keeping the true origin AS, and AS 4 propagates path 4, 5, 1 → NO MOAS!]

  10. Type 3: Hijack a subnet of a prefix [diagram: AS 1 advertises 1.2.0.0/16; AS 5 advertises 1.2.3.0/24 with path 5, and AS 4 propagates path 4, 5 → SubMOAS! No MOAS!]

  11. Longest prefix matching • Attacker is able to attract all traffic [diagram: a packet sent to 1.2.3.4 in AS 1 is forwarded toward AS 5, because the more specific 1.2.3.0/24 advertised by AS 5 wins longest prefix matching over AS 1's 1.2.0.0/16]

  12. Type 4: Hijack a subnet of a prefix and AS number [diagram: AS 1 advertises 1.2.0.0/16; AS 5 advertises a path to 1.2.3.0/24 with path 5, 1, and AS 4 propagates path 4, 5, 1 → Neither MOAS nor SubMOAS! Longest prefix matching still steers traffic to AS 5]

  13. Outline • Introduction • Taxonomy of IP prefix hijacking • Proposed approach of combining control and data plane information • Implementation and results • Conclusion

  14. Control plane information alone is insufficient • False positive • Legitimate reasons for anomalous routing updates • Multi-homing with static link and aggregation [diagram: legitimate MOAS from multi-homing, where AS 1's 1.2.3.0/24 is announced with path 2, 1 via AS 2 and with path 3 via AS 3, which reaches AS 1 over a static link or IGP route; legitimate subMOAS from aggregation, where 1.2.0.0/16 with path 2 is announced alongside 1.2.3.0/24 with path 2, 1]

  15. Control plane information alone is insufficient • False positive • Legitimate reasons for anomalous routing updates • Multi-homing with static link and aggregation • False negative • AS-level path may not match the forwarding path • Type 2 and type 4 attacks do not lead to control plane anomalies

  16. Proposed approach • Combine control plane and data plane information • A successful hijacking will result in conflicting data plane fingerprints • A hijacking attempt cannot affect the entire network, especially the network topologically close to the victim • Fingerprinting-based consistency check • For valid MOAS and subMOAS, there is only one owner for the prefix (same data plane fingerprints) • For real hijacking, traffic from different locations may arrive at the true owner or at the attacker (conflicting fingerprints)

  17. Fingerprinting techniques • Determine characteristics of remote hosts or networks by sending probe packets • Host-based fingerprinting • Host Operating System detection • IP Identifier (IPID) probing • Timestamp probing (ICMP and TCP timestamp) • Reflect-scan • Network fingerprinting • Firewall policies • Resource properties (e.g., bandwidth) • Edge router characteristics

  18. Detection of prefix hijack [diagram: AS 1 and AS 5 both advertise 1.2.0.0/16; probing servers in different locations fingerprint the host 1.2.3.4 and the fingerprints are compared]

  19. Detection of prefix and AS hijacking • Problem • Attackers avoid MOAS conflicts by retaining correct origin AS • Checking all updates is prohibitively expensive • Heuristics for detecting the fake AS edge • Edge popularity constraint • Geographic constraint • Relationship constraint [Kruegel2003] • Violation of these constraints triggers fingerprinting check

  20. Detection of prefix subnet hijacking • Problem • Attackers avoid MOAS conflicts by hijacking a subnet • Longest prefix matching [diagram: AS 1 advertises 1.2.0.0/16 while AS 5 advertises 1.2.3.0/24; probes to 1.2.3.4 from different locations are fingerprinted]

  21. Detection of prefix subnet hijacking (Cont.) • Identify subMOAS conflicts • Newly announced prefixes which are part of an existing prefix • Customer-provider relationship check • Assume provider and customer will not hijack one another • Reflect-scan to detect subnet hijacking • IGP routing within victim AS is unaffected • Use IP spoofing to solicit traffic inside victim AS • Predictable IP ID increment in IP packet

  22. Summary of detection techniques • Limitations • Detection is triggered by anomalous updates • Limited number of vantage points • Firewall blocks probing packets • Ingress filtering
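As an added illustration of the two-stage check in slides 14 to 21 (example code written here, not the authors' prototype): the control plane pass flags MOAS and subMOAS conflicts in a set of BGP updates, and only those prefixes are then checked for conflicting data-plane fingerprints across vantage points, so a legitimate multi-origin prefix with one consistent fingerprint is cleared. The updates, probe results and fingerprint field names are constructed sample data standing in for the OS, IPID and timestamp probes the slides list.

```python
import ipaddress
from collections import defaultdict

# Constructed sample BGP updates: (prefix, AS path); the origin AS is the last hop.
UPDATES = [
    ("1.2.0.0/16", [4, 2, 1]),
    ("1.2.0.0/16", [3, 2, 1]),
    ("1.2.3.0/24", [4, 5]),     # more-specific of 1.2.0.0/16 from a different origin
    ("5.6.0.0/16", [3, 2]),
    ("5.6.0.0/16", [4, 7]),     # second origin AS for the same prefix
]

# Constructed probe results: prefix -> vantage point -> fingerprint of a live host in
# the prefix (assumed field names standing in for OS / IPID / timestamp probes).
PROBES = {
    "5.6.0.0/16": {"vp-A": {"os": "Linux", "ipid": "zero", "ts_hz": 1000},
                   "vp-B": {"os": "Linux", "ipid": "zero", "ts_hz": 1000}},
    "1.2.3.0/24": {"vp-A": {"os": "Linux", "ipid": "zero", "ts_hz": 1000},
                   "vp-B": {"os": "Windows", "ipid": "incremental", "ts_hz": 100}},
}

def classify_updates(updates):
    """Control plane: list (kind, prefix, suspect origin ASes) for MOAS and subMOAS."""
    origins = defaultdict(set)
    for prefix, path in updates:
        origins[prefix].add(path[-1])
    anomalies = []
    for prefix, asns in origins.items():
        if len(asns) > 1:                       # same prefix, several origin ASes
            anomalies.append(("MOAS", prefix, sorted(asns)))
    nets = {p: ipaddress.ip_network(p) for p in origins}
    for sub, subnet in nets.items():
        for sup, supernet in nets.items():
            if sub != sup and subnet.subnet_of(supernet) and origins[sub] - origins[sup]:
                # a subnet announced by an AS that does not originate the covering prefix
                anomalies.append(("subMOAS", sub, sorted(origins[sub] - origins[sup])))
    return anomalies

def fingerprints_conflict(probes):
    """Data plane: a single owner yields the same fingerprint at every vantage point."""
    seen = {tuple(sorted(fp.items())) for fp in probes.values()}
    return len(seen) > 1

def assess(updates, probes):
    """Anomalous updates trigger the fingerprint check; consistent fingerprints clear them."""
    verdicts = {}
    for kind, prefix, asns in classify_updates(updates):
        hijack = fingerprints_conflict(probes.get(prefix, {}))
        verdicts[prefix] = (kind, asns, "likely hijack" if hijack else "consistent")
    return verdicts
```

With the constructed data, 5.6.0.0/16 is a MOAS that the identical fingerprints clear, while 1.2.3.0/24 is a subMOAS whose vantage points see two different hosts.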

  23. Outline • Introduction • Taxonomy of IP prefix hijacking • Proposed approach of combining control and data plane information • Implementation and results • Conclusion

  24. Prototype Implementation • Data Set • BGP data set: RouteView + Our own BGP monitor • Probe location: Planetlab testbed • Live IP addresses: DNS and Web Server log + lightweight ping • Prefix Geographic information: NetGeo from CAIDA • Fingerprinting • OS detection and TCP timestamp: Nmap v 3.95 • IPID and ICMP timestamp: Ruby in planetlab • Reflect-scan: hping v2

  25. Results • 2 weeks’ monitoring period • Real time BGP data from our BGP monitor

  26. Potential attack (type 1)

  27. Potential attack (type 2)

  28. DNS anycast validation • IP anycast of root DNS server • Multiple servers support the same service under the same IP address • 5 out of 13 DNS servers use anycast (C, F, I, J and K) • Legitimate type 2 hijack attack • Hijack both prefix and AS number • Our system successfully detects 4 of them • C-root server doesn't violate EGR check

  29. Fingerprints for F root server

  30. Correlation with spam data • Hijacked IP prefixes are often used for spamming • Correlate identified suspicious updates with spam source IPs • Non-negligible correlation between hijacking and spamming [figures: correlation between detected suspicious prefixes and spam sources; time interval between identification of suspicious updates and the arrival of spam]

  31. Conclusion • Propose a framework for accurate real-time detection of IP prefix hijacking attacks • Exploit a novel insight that a real hijacking will result in conflicting data-plane fingerprints • Propose detailed classification of hijacking attacks and the detection algorithm for each type • Achieve significant reduction in both false positives and false negatives

  32. Paper-2 • A Light-Weight Distributed Scheme for Detecting IP Prefix Hijacks in Real-Time • In SIGCOMM’07

  33. Key observations • If a prefix is hijacked, the paths observed from certain vantage points to the prefix would likely exhibit significant changes. • The path from a source to a prefix is almost always a super-path of the path from the same source to a reference point along the previous path, as long as the reference point is topologically close to the prefix.
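The two observations on slide 33, as an added example (not code from the SIGCOMM'07 paper): a large change in the AS path seen from a vantage point marks the prefix as suspicious, and the case is confirmed only when the new path no longer passes through a reference AS that sits on the previous path close to the prefix. The paths, the reference choice and the 0.5 similarity threshold are constructed assumptions for illustration.

```python
# Constructed sample: per vantage point (source), the AS path to the prefix before
# and after a routing change, plus the currently measured path from that source to
# a reference AS (here AS 2) that lay on the old path next to the prefix's origin.
SAMPLE = {
    "vp1": {"old": [10, 2, 1], "new": [10, 9, 5], "to_ref": [10, 2]},
    "vp2": {"old": [20, 3, 2, 1], "new": [20, 3, 2, 1], "to_ref": [20, 3, 2]},
    "vp3": {"old": [30, 4, 2, 1], "new": [30, 7, 8, 9, 2, 1],
            "to_ref": [30, 7, 8, 9, 2]},   # rerouted, but still via the reference
}

def path_similarity(old, new):
    """Overlap of the AS sets of two paths: 1.0 means unchanged, 0.0 disjoint."""
    a, b = set(old), set(new)
    return len(a & b) / len(a | b)

def is_superpath(path_to_prefix, path_to_ref):
    """Observation 2: the path to the prefix should start with the path to the
    nearby reference point, i.e. traffic still reaches the prefix through it."""
    return path_to_prefix[:len(path_to_ref)] == path_to_ref

def assess(sample, threshold=0.5):
    """Observation 1 flags a vantage point whose path changed a lot (suspicious);
    observation 2 confirms only when the new path bypasses the reference point."""
    verdicts = {}
    for vp, d in sample.items():
        suspicious = path_similarity(d["old"], d["new"]) < threshold
        confirmed = suspicious and not is_superpath(d["new"], d["to_ref"])
        verdicts[vp] = (suspicious, confirmed)
    return verdicts
```

vp3 shows why the second observation matters: its path changed enough to look suspicious, but it still runs through the reference AS, so it is not confirmed.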

  34. High-level Methodology and Results • Detect the suspicious hijacking using the first observation • Confirm the real hijacking using the second observation • Result is surprisingly good, 0.5% false positive and false negative (which is really beyond my expectation, why?)

  35. Comparison between the two papers

  36. My thinking (a 100% detection) • Observation? (my guess) - hijacked prefixes and victim prefixes are not identically used. Hijacked addresses may be little used? • Proposed Method - Why not use a very simple and 100% accurate method, PING!!! Just ping the sampled addresses, to detect reachable or unreachable. • Merits - Very simple, easy to deploy, no false positive and false negative, comparable overhead with previous work, no other assistance is needed! • Opportunity - I searched online, nobody does so! • Want to discuss with all of you - Why can't we just do so?
