Network Reachability-based IP Prefix Hijacking Detection - PhD Thesis Defense - Seongcheol Hong, POSTECH


Seongcheol Hong, POSTECH PhD Thesis Defense 1/30
Network Reachability-based IP Prefix Hijacking Detection
- PhD Thesis Defense -
Seongcheol Hong
Supervisor: Prof. James Won-Ki Hong
December 16, 2011
Distributed Processing & Network Management Lab.
Dept. of Computer Science and Engineering, POSTECH, Korea

2/30 Presentation Outline
- Introduction
- Related Work
- Research Approach
- Reachability Based Hijacking Detection (RBHD)
- Evaluation and Results
- Conclusions

3/30 Introduction
- Routing protocols communicate reachability information and perform path selection
- BGP is the Internet's de facto inter-domain routing protocol
[Figure: AS 1 advertises its /16 prefix to AS 2 over eBGP, AS 2 re-advertises it to AS 300, and iBGP carries it inside each AS; routing table excerpts show the Prefix/Path entries for the /16 at AS 2 and AS 300.]

4/30 Introduction
- What is IP prefix hijacking?
  - Stealing IP addresses belonging to other networks
  - It can occur on purpose or by mistake
  - Serious threat to the robustness and security of the Internet routing system
- IP prefix hijacking incidents
  - AS 7007 incident
  - YouTube hijacking
  - Chinese ISP hijacking
- IP prefix hijacking attack types
  - NLRI falsification
  - AS path falsification
[Figure: AS 1 to AS 5, with one AS labelled Victim and one labelled Attacker, both advertising the same /16; the Prefix/Path tables of the other ASes show paths "2, 1", "1" and "5" for that prefix.]

5/30 Research Motivation
- IP prefix hijacking is a crucial problem in Internet security
- A number of efforts have been introduced
  - Security enabled BGP protocols
  - Hijacking detection methods
- Every existing BGP security solution has limitations
  - Security enabled BGP protocols are impractical to deploy
  - Hijacking detection methods cannot detect every type of IP prefix hijacking threat
- We need a novel approach which is practical and covers all types of IP prefix hijacking attacks

6/30 Research Goals
- Target approach: of the two directions (security enabled BGP protocol, IP prefix hijacking detection method), the IP prefix hijacking detection method
- Developing a new approach which is practical and detects all types of IP prefix hijacking
- The IP hijacking detection system does not require the cooperation of ASes and does not have to be located at a specific monitoring point
- The proposed approach should be validated in simulated environments using real network data

7/30 Related Work
- Security enabled BGP protocols
  - BGP Session Protection: protects the underlying TCP session and implements BGP session defenses; does not verify the content of BGP messages
  - Defensive Filtering: filters announcements which are bad and potentially malicious; it is difficult for an ISP to identify invalid routes originated several AS hops away
  - Cryptographic Techniques: rely on a shared key between two parties; a Public Key Infrastructure (PKI) requires many resources
  - Routing Registries: a shared, global view of 'correct' routing information; the registry itself must be secure, complete and accurate

8/30 Related Work
- Existing IP hijacking detection methods, classified by
  - Detection approach: victim-centric, infrastructure-based, peer-centric
  - Type of used data: routing information (control-plane), data probing (data-plane)
  - Attack type: NLRI falsification, AS path falsification

9/30 Related Work
- Comparison among IP hijacking detection methods
[Table: columns are Detection approach (Victim-centric, Infrastructure-based, Peer-centric), Type of used data (Routing information, Data probing) and Attack type (NLRI falsification, AS path falsification); rows are Topology, PHAS, Distance, Real-time Monitoring, pgBGP, iSPY, Strobelight and Reachability (Proposed), with an "O" in each column the method covers. Only the row labels and the number of marks per row (4, 3, 3, 6, 3, 3, 3, 5) survive extraction, not which columns they fall in.]

10/30 Research Approach
- IP prefix hijacking detection based on network reachability
[Figure: the topology of slide 4, with the Victim and the Attacker both advertising the same /16. When a second origin AS appears for the prefix ("Multiple origin AS?"), a reachability test is run toward the prefix ("Reached the intended network?"); if the intended network is not reached, "This update is IP hijacking case".]

11/30 Reachability-Based Hijacking Detection (RBHD)

12/30 Network Reachability Examination
- IP prefix hijacking is an attack which influences network reachability
- We have developed network fingerprinting techniques for network reachability examination
- Network fingerprinting is the active or passive collection of characteristics from a target network (AS level)
  - A network fingerprint should be unique, so that it distinguishes a certain network
[Figure: networks A and B with Fingerprint A and Fingerprint B; A = B if and only if Fingerprint A = Fingerprint B]

13/30 Network Fingerprinting
- What can uniquely characterize a network?
  - IP prefix information
  - Number of running servers in the network
  - A static live host or device in the network (e.g., IDS or IPS)
  - Firewall policy
  - Geographical location of the network
  - Etc.
- We have selected static live host information and firewall policy as network fingerprints
  - Static live host: web server, mail server, DNS server, IPS device, etc.
  - Firewall policy: allowed port numbers or IP addresses
  - Neither changes frequently

14/30 Static Live Host
- Requirements of live hosts
  - Operated in most ASes
  - Easy to obtain IP addresses
  - Always provide services for their AS
  - Allow external connections and respond to active probing
- The DNS server satisfies all of these requirements
  - Provides a conversion service between domain names and IP addresses
  - Part of the core infrastructure of the Internet
  - Always provides service and allows external connections from any host

15/30 DNS Server List Collection
- BGP-RIB of RouteViews
  - 'RouteViews' collects global routing information
  - The RIB consists of IP prefixes and AS paths
- DNS server collection process
  1. Perform a reverse DNS lookup: obtain the authority server name with authority over a particular IP prefix
  2. Perform a DNS lookup with the authority server name: obtain the IP addresses of the DNS server
  3. Repeat steps 1 and 2 over all IP prefixes in the BGP-RIB
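The three-step collection process above, as an added example written for this transcript rather than code from the thesis. It runs offline against a stubbed resolver; swapping the stub for a real lookup (for instance dnspython's resolver) would make it walk a real RIB. Everything not stated on the slide is an assumption: the reverse lookup is an SOA query on the in-addr.arpa name of each /24, the "authority server name" is the SOA MNAME, and the RIB entries and DNS answers are constructed sample data.

```python
# Added example, not code from the thesis: the three-step DNS server
# collection of slide 15 run against a stubbed resolver so it works offline.
# Assumptions (not stated on the slide): the reverse lookup is an SOA query on
# the in-addr.arpa name of each /24, the "authority server name" is the SOA
# MNAME, and every RIB entry and DNS answer below is constructed sample data.
import ipaddress
from typing import Callable, Dict, Iterator, List, Tuple

# Constructed stand-in for a RouteViews BGP-RIB: (prefix, AS path); the last
# AS in the path is the origin AS that "owns" the prefix.
SAMPLE_RIB: List[Tuple[str, List[int]]] = [
    ("192.0.2.0/24", [64500, 64496]),
    ("198.51.100.0/23", [64500, 64497]),   # covers two /24s
    ("203.0.113.0/24", [64500, 64498]),    # no reverse authority found below
]

# Constructed SOA answers: reverse zone name -> MNAME (authority server name).
SAMPLE_SOA: Dict[str, str] = {
    "2.0.192.in-addr.arpa.": "ns1.example.net.",
    "100.51.198.in-addr.arpa.": "ns.example.org.",
    "101.51.198.in-addr.arpa.": "ns.example.org.",
}
# Constructed A answers: server name -> addresses.
SAMPLE_A: Dict[str, List[str]] = {
    "ns1.example.net.": ["192.0.2.53"],
    "ns.example.org.": ["198.51.100.53"],
}

Resolver = Callable[[str, str], List[str]]   # (name, record type) -> answers


def stub_resolver(name: str, rtype: str) -> List[str]:
    """Offline resolver answering from the constructed tables above; replace
    with a real lookup (e.g. dnspython's resolver) to run it on the Internet."""
    if rtype == "SOA":
        mname = SAMPLE_SOA.get(name)
        return [mname] if mname else []
    if rtype == "A":
        return SAMPLE_A.get(name, [])
    return []


def slash24s(prefix: str) -> Iterator[ipaddress.IPv4Network]:
    """Expand a RIB prefix into the /24 prefixes the thesis queries; prefixes
    longer than /24 are widened to their enclosing /24."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 24:
        yield net
    elif net.prefixlen > 24:
        yield net.supernet(new_prefix=24)
    else:
        yield from net.subnets(new_prefix=24)


def reverse_zone_name(net: ipaddress.IPv4Network) -> str:
    """in-addr.arpa zone name of a /24: 192.0.2.0/24 -> 2.0.192.in-addr.arpa."""
    first, second, third = str(net.network_address).split(".")[:3]
    return f"{third}.{second}.{first}.in-addr.arpa."


def collect_dns_servers(rib, resolve: Resolver = stub_resolver) -> Dict[str, dict]:
    """Steps 1-3 of slide 15. Returns, per /24 that has an authority server,
    the server name, its addresses and the origin AS taken from the RIB path."""
    found: Dict[str, dict] = {}
    for prefix, as_path in rib:
        for net in slash24s(prefix):
            zone = reverse_zone_name(net)
            mnames = resolve(zone, "SOA")          # step 1: authority server name
            if not mnames:
                continue                           # no authority: this AS may need the firewall fallback
            addrs = resolve(mnames[0], "A")        # step 2: DNS server addresses
            if addrs:
                found[str(net)] = {"server": mnames[0], "addrs": addrs, "origin_as": as_path[-1]}
    return found                                   # step 3: repeated over the whole RIB


def servers_per_as(found: Dict[str, dict]) -> Dict[int, int]:
    """Count collected DNS servers per origin AS (cf. the per-AS figure of slide 20)."""
    counts: Dict[int, int] = {}
    for entry in found.values():
        counts[entry["origin_as"]] = counts.get(entry["origin_as"], 0) + 1
    return counts


if __name__ == "__main__":
    result = collect_dns_servers(SAMPLE_RIB)
    for net, entry in sorted(result.items()):
        print(net, entry)
    print(servers_per_as(result))
```

The /24 expansion matters for scale: the 304,106 RIB prefixes reported on slide 20 become 8,414,294 /24 queries, so a real run needs a rate-limited, cached resolver in place of the stub.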

16/30 DNS Server Fingerprinting
- The host fingerprint of the DNS server is used as the network fingerprint
- DNS server fingerprinting combines
  - DNS protocol information (implementation, ...)
  - DNS domain name information (AA flag, ...)
  - DNS server configuration information (DNSSEC, ...)
[Figure: the DNS Host Fingerprint composed of DNS Protocol, DNS Domain Name and DNS Server Configuration]

17/30 Firewall Policy as Alternative Fingerprint
- DNS host fingerprints are not sufficient for reachability monitoring of all ASes in the Internet
  - ASes in which no DNS server is found exist (such as an IX)
- Suitability of firewall policies as network fingerprints
  - The number of possible combinations is huge: protocol, port number, IP address
  - E.g.) ACCEPT TCP from anywhere to TCP port 80; REJECT ICMP from anywhere to anywhere with ICMP unreachable
- Firewall policy fingerprinting is performed by active probing
[Figure: probing packets sent toward the target network; the response per direction reveals the permission]

18/30 Reachability-Based Hijacking Detection (RBHD)
- Identification of NLRI falsification
- Identification of AS path falsification
- DNS host fingerprinting
- Firewall policy fingerprinting
[Flowchart, boxes in the order they survive extraction: BGP update -> Collect DNS host fingerprints -> NLRI falsification? -> Collect firewall policy fingerprints -> AS path falsification? -> Valid update / Invalid update, with the decision boxes "Match the existing fingerprints?" and "An available DNS server in the target network?" leading to "Valid update". The Y/N branch labels survive, but their exact wiring does not.]
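The decision flow of this slide as runnable detection logic, an added example written for this transcript and not the thesis's own code. Every probe is injected as a function, so it classifies constructed BGP updates offline. The wiring is my reading of slides 10, 18 and 36 and is an assumption: an origin AS change (multiple origin AS) triggers the NLRI check, a previously unseen AS link with an unchanged origin triggers the AS path check, the DNS host fingerprint is compared first, and the firewall policy fingerprint is the fallback when the target network has no reachable DNS server. AS numbers, prefixes and fingerprint strings are constructed.

```python
# Added example, not code from the thesis: a runnable reading of the RBHD
# decision flow on slides 10, 18 and 36 with all probing injected as functions,
# so it runs offline on constructed data. Assumptions (my reading of the
# flowchart, not spelled out in the transcript): a changed origin AS (MOAS)
# triggers the NLRI check, a previously unseen AS link with the same origin
# triggers the AS path check, and the DNS host fingerprint is compared first
# with the firewall policy fingerprint as the fallback when the target network
# has no reachable DNS server. All AS numbers, prefixes and fingerprints are
# constructed.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

Link = Tuple[int, int]


@dataclass
class BgpUpdate:
    prefix: str
    as_path: List[int]            # as received: the last element is the origin AS

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]

    def links(self) -> Set[Link]:
        return {(a, b) for a, b in zip(self.as_path, self.as_path[1:])}


@dataclass
class Baseline:
    """Fingerprints learned while the prefix was known to be reachable."""
    origin_as: int
    links: Set[Link]
    dns_fp: Optional[FrozenSet[str]]     # None: no DNS server was found in this network
    fw_fp: FrozenSet[Tuple[str, int, str]]


# Probes are injected so the example never sends packets.
DnsProbe = Callable[[str], Optional[FrozenSet[str]]]   # None = no DNS server answered
FwProbe = Callable[[str], FrozenSet[Tuple[str, int, str]]]


def intended_network_reached(prefix: str, base: Baseline,
                             probe_dns: DnsProbe, probe_fw: FwProbe) -> bool:
    """Reachability test: does the network now answering for the prefix carry
    the fingerprints recorded for it? DNS host fingerprint first (slide 16),
    firewall policy fingerprint as the alternative (slide 17)."""
    observed = probe_dns(prefix)
    if observed is not None and base.dns_fp is not None:
        return observed == base.dns_fp
    return probe_fw(prefix) == base.fw_fp


def classify_update(update: BgpUpdate, baselines: Dict[str, Baseline],
                    probe_dns: DnsProbe, probe_fw: FwProbe) -> str:
    """Return 'valid', 'nlri_falsification' or 'as_path_falsification'."""
    base = baselines.get(update.prefix)
    if base is None:
        return "valid"                      # nothing learned yet: cannot judge
    if update.origin_as != base.origin_as:  # multiple origin AS (slide 10)
        if intended_network_reached(update.prefix, base, probe_dns, probe_fw):
            return "valid"                  # legitimate MOAS (slide 36)
        return "nlri_falsification"
    if not update.links() <= base.links:    # same origin, but a new AS link
        if intended_network_reached(update.prefix, base, probe_dns, probe_fw):
            return "valid"
        return "as_path_falsification"
    return "valid"


# --- constructed scenario -------------------------------------------------
VICTIM_FP = frozenset({"impl=bind9", "aa=1", "dnssec=yes"})
VICTIM_FW = frozenset({("TCP", 53, "accept"), ("TCP", 80, "accept"), ("UDP", 53, "accept")})
BASELINES = {
    "192.0.2.0/24": Baseline(64496, {(64500, 64496)}, VICTIM_FP, VICTIM_FW),
    "203.0.113.0/24": Baseline(64498, {(64500, 64498)}, None,            # no DNS server (e.g. an IX)
                               frozenset({("TCP", 22, "accept")})),
}


def make_probes(dns_answers: Dict[str, Optional[FrozenSet[str]]],
                fw_answers: Dict[str, FrozenSet[Tuple[str, int, str]]]) -> Tuple[DnsProbe, FwProbe]:
    """Build probe functions that replay constructed observations."""
    return (lambda p: dns_answers.get(p)), (lambda p: fw_answers.get(p, frozenset()))


def run_scenarios() -> Dict[str, str]:
    """Four constructed updates and their RBHD verdicts."""
    honest_dns, honest_fw = make_probes({"192.0.2.0/24": VICTIM_FP}, {"192.0.2.0/24": VICTIM_FW})
    hijack_dns, hijack_fw = make_probes(
        {"192.0.2.0/24": frozenset({"impl=unbound", "aa=1", "dnssec=no"})},
        {"203.0.113.0/24": frozenset({("TCP", 443, "accept")})})
    return {
        # usual announcement over the known link: no probing needed
        "known_path": classify_update(BgpUpdate("192.0.2.0/24", [64500, 64496]), BASELINES, honest_dns, honest_fw),
        # new origin, but the probes still reach the victim's DNS server
        "legit_moas": classify_update(BgpUpdate("192.0.2.0/24", [64500, 64497]), BASELINES, honest_dns, honest_fw),
        # new origin and a different DNS host fingerprint answers
        "nlri_hijack": classify_update(BgpUpdate("192.0.2.0/24", [64500, 64666]), BASELINES, hijack_dns, hijack_fw),
        # same origin, unseen link, no DNS server: the firewall fingerprint differs
        "path_hijack": classify_update(BgpUpdate("203.0.113.0/24", [64500, 64666, 64498]), BASELINES, hijack_dns, hijack_fw),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:12s} -> {verdict}")
```

The "legit_moas" case is the point of slide 36: a second origin AS is only a trigger, and the update is accepted when the reachability test still lands in the intended network.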

19/30 Evaluations and Results

20/30 DNS Server Collection Result
- Current state of DNS server operation
  - 304,106 IP prefixes (8,414,294 /24 prefixes) in the BGP-RIB
  - Information on 77,530 DNS servers, obtained using DNS forward/reverse queries to the /24 prefixes
[Figure: the number of IP prefixes owned by each AS]

21/30 Host Fingerprint Groups
[Figure: the number of distinguishable DNS server fingerprints]
- The total number of distinguishable fingerprints is 73,781 (out of 77,530 DNS servers)

22/30 Uniqueness of Fingerprints
- N: the total number of collected DNS servers
- G: the total number of mutually exclusive fingerprints
- For each group, n_i is defined as the number of DNS servers that belong to the i-th fingerprint group N_i
- The collision probability P_C:
- In our result, N is 77,530 and G is 73,781
  - P_C in our experiment is 2.69 x
  - We conclude that our proposed host fingerprinting method provides a sufficient level of distinction.

23/30 Firewall Policy Examples

24/30 Differences of Firewall Policies
[Figure: the firewall policies of Network A, Network B, Network C and Network D]

25/30 IP Prefix Hijacking Testbed
- Two networks are randomly selected (the IP addresses in this slide are anonymized)
- Translate IP address ex) =>
- Collect AS A's fingerprints
- False announcement
- Collect current fingerprints

26/30 Conclusions
1. Summary
2. Contributions
3. Future Work

27/30 Summary
- We proposed a new approach that practically detects IP prefix hijacking based on network reachability monitoring
- We used a fingerprinting scheme in order to determine the network reachability of a specific network
- We proposed DNS host and firewall policy fingerprinting methods for network reachability monitoring
- We validated the effectiveness of the proposed method in the IP hijacking testbed

28/30 Contributions
- The problems of existing IP prefix hijacking detection techniques are addressed
- The absence of detection techniques which deal with all IP prefix hijacking cases led to the development of new methodologies suitable for the current Internet
- Our approach provides a practical network fingerprinting method for the reachability test of all ASes
  - DNS host fingerprinting
  - Firewall policy fingerprinting
- Novel, real-time IP prefix hijacking detection methods are described and validated with real network data

29/30 Future Work
- Enhancement of our DNS server finding and fingerprinting method
- Optimization of firewall policy inference with a small number of probing packets
- Analyzing the performance and feasibility of our fingerprinting approach on the Internet
- Applying our hijacking detection system to a real research network

30/30 Q & A
PhD Thesis Defense, Seongcheol Hong, December 16, 2011

31/30 Appendix

32/30 IP Prefix Hijacking Incidents
- AS7007 incident (April): caused by a misconfigured router that flooded the Internet with incorrect advertisements
- YouTube hijacking (February): Pakistan's attempt to block YouTube access within their country took down YouTube entirely
- Chinese ISP hijacks the Internet (April): China Telecom originated 37,000 prefixes not belonging to them

33/30 Related Work (backup slide; repeats slide 7/30)

34/30 Related Work (backup slide; repeats slide 8/30)

35/30 Solution Approach
- Research hypothesis: an independent system can perform real-time IP prefix hijacking detection using network reachability monitoring without any changes to the existing Internet infrastructure

36/30 Legitimate Case
[Figure: the topology of slide 10, with AS 1 and AS 5 both advertising the /16 and AS 5 attached over a static link (marked O). A multiple origin AS is seen, but the reachability test reaches the intended network, so "This update is valid".]

37/30 Common Legitimate Cases
- Xin Hu and Z. Morley Mao, "Accurate Real-time Identification of IP Prefix Hijacking"

38/30 DNS Server Collection Process

39/30 Distinguishable Groups of Each Fingerprint
[Figures: distinguishable groups by DNS protocol information, by DNS domain name information and by DNS server configuration]

40/30 DNS Server Fingerprint
[Figures: the DNS server fingerprinting process; the structure of the DNS server fingerprint]

41/30 DNS Server Fingerprint Examples

42/30 The Use of Sweep Line for Firewall Policy Inference
- Example of the sweep line algorithm on a 2-dimensional space

43/30 Inferring the Firewall Policy
Response packet to permission (probes expire at TTL = router + 1):
Protocol | Response packet              | Permission
ICMP     | echo reply                   | accept
ICMP     | -                            | deny
TCP      | ICMP Time Exceeded           | accept
TCP      | ICMP Destination Unreachable | deny
TCP      | -                            |
UDP      | -                            | accept
UDP      | ICMP Destination Unreachable | deny

Probing packets:
Protocol | Destination IP | Destination Port | Option | TTL
ICMP     | /24            | -                | echo   | router + 1
TCP      | /24            | 1:1023           | SYN    | router + 1
UDP      | /24            | 1:1023           | -      | router + 1

44/30 Inferring the Firewall Policy
Response packet to permission (probes reach the hosts, TTL = 255):
Protocol | Response packet              | Permission
ICMP     | echo reply                   | accept
ICMP     | -                            | deny
TCP      | SYN/ACK                      | accept
TCP      | RST/ACK                      | accept
TCP      | RST                          | accept
TCP      | ICMP Destination Unreachable | deny
TCP      | -                            |
UDP      | -                            | accept
UDP      | ICMP Destination Unreachable | deny

Probing packets:
Protocol | Destination IP | Destination Port | Option | TTL
ICMP     | /24            | -                | echo   | 255
TCP      | /24            | 1:1023           | SYN    | 255
UDP      | /24            | 1:                |        |
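The two response tables above (slides 43 and 44), turned into a permission classifier, a policy inference step and a comparable firewall-policy fingerprint, which is what slides 17 and 24 use to tell networks apart. This is an added example written for this transcript, not the thesis's code; it sends no packets, every observation is constructed sample data, and the one cell the transcript does not show (TCP with no response) is treated as "deny" as a labelled assumption. The range merging is a plain consecutive-port merge, not the thesis's sweep line algorithm.

```python
# Added example, not code from the thesis: the probe/response tables of slides
# 43 and 44 turned into a permission classifier, a policy inference step and a
# firewall-policy fingerprint that can be compared between two networks
# (slides 17 and 24). No packets are sent: every observation below is
# constructed sample data. One cell the transcript does not show (TCP with no
# response) is treated as "deny" here, an assumption.
from typing import Dict, FrozenSet, List, Optional, Tuple

# Response packet -> permission, per probing mode.
#   "border": TTL = router + 1 (slide 43); a Time Exceeded from the hop past
#             the border router shows the packet passed the firewall
#   "host":   TTL = 255 (slide 44); the destination host itself answers
# None stands for "no response packet" (the '-' rows of the tables).
RESPONSE_PERMISSION: Dict[str, Dict[Tuple[str, Optional[str]], str]] = {
    "border": {
        ("ICMP", "echo reply"): "accept", ("ICMP", None): "deny",
        ("TCP", "ICMP Time Exceeded"): "accept",
        ("TCP", "ICMP Destination Unreachable"): "deny",
        ("TCP", None): "deny",                     # assumption: cell not legible in the transcript
        ("UDP", None): "accept", ("UDP", "ICMP Destination Unreachable"): "deny",
    },
    "host": {
        ("ICMP", "echo reply"): "accept", ("ICMP", None): "deny",
        ("TCP", "SYN/ACK"): "accept", ("TCP", "RST/ACK"): "accept", ("TCP", "RST"): "accept",
        ("TCP", "ICMP Destination Unreachable"): "deny",
        ("TCP", None): "deny",                     # assumption: cell not legible in the transcript
        ("UDP", None): "accept", ("UDP", "ICMP Destination Unreachable"): "deny",
    },
}

Observation = Tuple[str, Optional[int], Optional[str]]   # protocol, dst port, response
Policy = Dict[Tuple[str, Optional[int]], str]            # (protocol, port) -> permission
Fingerprint = FrozenSet[Tuple[str, str, Tuple[int, int]]]


def permission(protocol: str, response: Optional[str], mode: str = "host") -> str:
    """Look a single probe's response up in the slide's table."""
    return RESPONSE_PERMISSION[mode].get((protocol, response), "unknown")


def infer_policy(observations: List[Observation], mode: str = "host") -> Policy:
    """One inferred permission per probed (protocol, port)."""
    return {(proto, port): permission(proto, resp, mode) for proto, port, resp in observations}


def port_ranges(policy: Policy, protocol: str, perm: str) -> List[Tuple[int, int]]:
    """Collapse consecutive ports with the same permission into ranges, the
    compact form in which a rule such as "ACCEPT TCP port 80" is stored."""
    ports = sorted(port for (proto, port), v in policy.items()
                   if proto == protocol and port is not None and v == perm)
    ranges: List[Tuple[int, int]] = []
    for port in ports:
        if ranges and ranges[-1][1] == port - 1:
            ranges[-1] = (ranges[-1][0], port)
        else:
            ranges.append((port, port))
    return ranges


def fingerprint(policy: Policy) -> Fingerprint:
    """Firewall policy fingerprint: accepted port ranges per protocol plus the
    ICMP echo permission."""
    fp = set()
    for proto in ("TCP", "UDP"):
        for rng in port_ranges(policy, proto, "accept"):
            fp.add((proto, "accept", rng))
    icmp = policy.get(("ICMP", None))
    if icmp is not None:
        fp.add(("ICMP", icmp, (0, 0)))
    return frozenset(fp)


# Constructed observations for two networks probed in "host" mode (a full
# sweep covers ports 1:1023; a handful is enough to show the shape).
NETWORK_A: List[Observation] = [
    ("ICMP", None, "echo reply"),
    ("TCP", 22, "SYN/ACK"), ("TCP", 25, "ICMP Destination Unreachable"),
    ("TCP", 80, "SYN/ACK"), ("TCP", 81, "RST"), ("TCP", 443, "RST/ACK"),
    ("UDP", 53, None), ("UDP", 123, "ICMP Destination Unreachable"),
]
NETWORK_B: List[Observation] = [  # same as A except that port 25 is reachable
    ("ICMP", None, "echo reply"),
    ("TCP", 22, "SYN/ACK"), ("TCP", 25, "SYN/ACK"),
    ("TCP", 80, "SYN/ACK"), ("TCP", 81, "RST"), ("TCP", 443, "RST/ACK"),
    ("UDP", 53, None), ("UDP", 123, "ICMP Destination Unreachable"),
]


def same_network(obs_a: List[Observation], obs_b: List[Observation], mode: str = "host") -> bool:
    """Slide 12's rule applied to firewall fingerprints: A = B iff FP(A) = FP(B)."""
    return fingerprint(infer_policy(obs_a, mode)) == fingerprint(infer_policy(obs_b, mode))


if __name__ == "__main__":
    print(sorted(fingerprint(infer_policy(NETWORK_A))))
    print("A == B:", same_network(NETWORK_A, NETWORK_B))
```

Note that a TCP RST counts as "accept": the firewall let the SYN through and the host answered, so the policy, not the service, is what the fingerprint records.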

45/30 Suspicious Update Frequency
- Suspicious update frequency during 2 weeks of monitoring from the BGP-RIB
Anomalous update type | Total number | Average rate (/ min)
NLRI                  |              |
AS path               |              |