
Slide 1 (Seongcheol Hong, POSTECH, PhD Thesis Defense, 1/30): Network Reachability-based IP Prefix Hijacking Detection
PhD Thesis Defense, Seongcheol Hong
Supervisor: Prof. James Won-Ki Hong
December 16, 2011
Distributed Processing & Network Management Lab., Dept. of Computer Science and Engineering, POSTECH, Korea

Slide 2: Presentation Outline
- Introduction
- Related Work
- Research Approach
- Reachability Based Hijacking Detection (RBHD)
- Evaluation and Results
- Conclusions

Slide 3: Introduction
- Routing protocols communicate reachability information and perform path selection
- BGP is the Internet's de facto inter-domain routing protocol
[Figure: AS 1, AS 2 and AS 300 exchanging routes over eBGP, with iBGP inside an AS; AS 1 advertises 1.10.0.0/16 and AS 2 re-advertises it; routing table entries show prefix 1.2.0.0/16 with AS path "2" and with AS path "1 2"]

Slide 4: Introduction
- What is IP prefix hijacking? Stealing IP addresses belonging to other networks. It can occur on purpose or by mistake. It is a serious threat to the robustness and security of the Internet routing system.
- IP prefix hijacking incidents: AS 7007 incident; YouTube hijacking; Chinese ISP hijacking
- IP prefix hijacking attack types: NLRI falsification; AS path falsification
[Figure: ASes 1 to 5; AS 1 (victim) advertises 1.2.0.0/16 while AS 5 (attacker) also announces it; routing table entries show 1.2.0.0/16 with AS paths "2, 1", "5", "1" and "2, 1"]

Slide 5: Research Motivation
- IP prefix hijacking is a crucial problem in Internet security
- A number of efforts have been introduced: security-enabled BGP protocols; hijacking detection methods
- Every existing BGP security solution has limitations: security-enabled BGP protocols are impractical to deploy; hijacking detection methods cannot detect every type of IP prefix hijacking threat
- We need a novel approach which is practical and covers all types of IP prefix hijacking attacks

Slide 6: Research Goals
- Target approach: security-enabled BGP protocol; IP prefix hijacking detection method
- Developing a new approach which is practical and detects all types of IP prefix hijacking
- The IP hijacking detection system does not require the cooperation of ASes and does not have to be located at a specific monitoring point
- The proposed approach should be validated in simulated environments using real network data

Slide 7: Related Work
- Security-enabled BGP protocol approaches:
  - BGP Session Protection: protecting the underlying TCP session and implementing BGP session defenses. Limitation: does not verify the content of BGP messages.
  - Defensive Filtering: filters announcements which are bad and potentially malicious. Limitation: it is difficult for an ISP to identify invalid routes originated several AS hops away.
  - Cryptographic Techniques: rely on a shared key between two parties. Limitation: a Public Key Infrastructure (PKI) requires many resources.
  - Routing Registries: shared, global view of 'correct' routing information. Limitation: the registry itself must be secure, complete and accurate.

Slide 8: Related Work
- Existing IP hijacking detection methods are classified by:
  - Detection approach: victim-centric; infrastructure-based; peer-centric
  - Type of used data: routing information (control-plane); data probing (data-plane)
  - Attack type: NLRI falsification; AS path falsification

Slide 9: Related Work
- Comparison among IP hijacking detection methods
[Table: rows Topology, PHAS, Distance, Real-time Monitoring, pgBGP, iSPY, Strobelight and Reachability (proposed); columns detection approach (victim-centric, infrastructure-based, peer-centric), type of used data (routing information, data probing) and attack type (NLRI falsification, AS path falsification); the "O" cell marks do not survive with their column positions in this transcript]

Slide 10: Research Approach
- IP prefix hijacking detection based on network reachability
[Figure: the topology of slide 4; routing table entries show 1.2.0.0/16 with AS paths "2 1", "1", "2 1" and "5"; when the prefix appears with multiple origin ASes, a reachability test is run toward the prefix, and if the intended network is not reached the update is treated as an IP hijacking case]

Slide 11: Reachability-Based Hijacking Detection (RBHD)

Slide 12: Network Reachability Examination
- IP prefix hijacking is an attack which influences network reachability
- We have developed network fingerprinting techniques for network reachability examination
- Network fingerprinting is the active or passive collection of characteristics from a target network (AS level). A network fingerprint should be unique in order to distinguish a certain network.
[Figure: networks A and B with Fingerprint A and Fingerprint B; A = B if and only if Fingerprint A = Fingerprint B]

Slide 13: Network Fingerprinting
- What can uniquely characterize a network? IP prefix information; number of running servers in the network; a static live host or device in the network (e.g., IDS or IPS); firewall policy; geographical location of the network; etc.
- We have selected static live host information and firewall policy as network fingerprints
  - Static live host: web server, mail server, DNS server, IPS device, etc.
  - Firewall policy: allowed port numbers or IP addresses
- These are not changed frequently

Slide 14: Static Live Host
- Requirements of live hosts: operated in most ASes; easy to obtain IP addresses; always provide services for its AS; allow external connections and respond to active probing
- A DNS server satisfies all of these requirements: it provides a conversion service between domain names and IP addresses; it is part of the core infrastructure of the Internet; it always provides service and allows external connections from any host

Slide 15: DNS Server List Collection
- BGP-RIB of RouteViews: RouteViews collects global routing information; the RIB consists of IP prefixes and AS paths
- DNS server collection process:
  1. Perform a reverse DNS lookup to obtain the name of the server with authority over a particular IP prefix
  2. Perform a DNS lookup with the authority server name to obtain the IP addresses of the DNS server
  3. Repeat steps 1 and 2 over all IP prefixes in the BGP-RIB
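The collection process above, as an added example that is not the thesis author's code: it runs steps 1 to 3 over a constructed RIB and constructed DNS tables through injected lookup functions, and assumes that the reverse lookup of step 1 means asking for the servers authoritative over the in-addr.arpa zone of each /24 covered by a prefix.

```python
# Added example (not from the thesis): the three-step DNS server collection of
# slide 15, driven by injected lookups so it runs offline on constructed data.
# Assumption: the "reverse DNS lookup" of step 1 is a query for the servers
# authoritative over the in-addr.arpa zone of each /24 inside the prefix.
import ipaddress

# Constructed stand-ins for the BGP-RIB prefix list and for DNS answers.
SAMPLE_RIB = ["192.0.2.0/24", "198.51.100.0/23"]
SAMPLE_REVERSE = {                          # reverse zone -> authority server names
    "2.0.192.in-addr.arpa": ["ns1.example.net"],
    "100.51.198.in-addr.arpa": ["ns.example.org", "ns2.example.org"],
    "101.51.198.in-addr.arpa": ["ns.example.org", "ns2.example.org"],
}
SAMPLE_FORWARD = {                          # authority server name -> A records
    "ns1.example.net": ["192.0.2.53"],
    "ns.example.org": ["198.51.100.10"],
    "ns2.example.org": ["198.51.101.10"],
}

def reverse_zone(block):
    """in-addr.arpa zone of a /24 given as text: its first three octets, reversed."""
    o = str(ipaddress.ip_network(block).network_address).split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"

def collect_dns_servers(rib, lookup_authority, lookup_address):
    """Steps 1-3 of slide 15: for every /24 covered by each RIB prefix, fetch the
    authority server names of its reverse zone (step 1), resolve each name to
    addresses (step 2), and repeat over the whole RIB (step 3).
    Returns {prefix: sorted DNS server addresses}."""
    servers = {}
    for prefix in rib:
        net = ipaddress.ip_network(prefix)
        # a prefix longer than /24 is queried through its covering /24 (assumption)
        blocks = net.subnets(new_prefix=24) if net.prefixlen <= 24 else [net.supernet(new_prefix=24)]
        found = set()
        for block in blocks:
            for name in lookup_authority(reverse_zone(str(block))):
                found.update(lookup_address(name))
        servers[prefix] = sorted(found, key=ipaddress.ip_address)
    return servers

def collect_from_samples():
    """Run the collection against the constructed tables above."""
    return collect_dns_servers(SAMPLE_RIB,
                               lambda zone: SAMPLE_REVERSE.get(zone, []),
                               lambda name: SAMPLE_FORWARD.get(name, []))
```

Pointing the two lookup callbacks at a real resolver (SOA/NS and A queries) turns this into the live collector; the zone construction and the per-/24 iteration stay the same.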

Slide 16: DNS Server Fingerprinting
- The host fingerprint of the DNS server is used as the network fingerprint
- DNS server fingerprinting covers: DNS protocol information; DNS domain name information; DNS server configuration information
[Figure: DNS host fingerprint built from DNS protocol (implementation, ...), DNS domain name (AA flag, ...) and DNS server configuration (DNSSEC, ...)]

Slide 17: Firewall Policy as Alternative Fingerprint
- DNS host fingerprints are not sufficient for reachability monitoring of all ASes in the Internet: there are ASes in which no DNS server is found (such as an IX)
- Suitability of firewall policies as network fingerprints: the number of possible combinations of protocol, port number and IP address is huge. E.g.: ACCEPT TCP from anywhere to 224.0.0.251 TCP port 80; REJECT ICMP from anywhere to anywhere with ICMP unreachable
- Firewall policy fingerprinting is performed by active probing
[Figure: probing packets sent toward the target network; the direction and permission of each probe are recorded]

Slide 18: Reachability-Based Hijacking Detection (RBHD)
- Identification of NLRI falsification
- Identification of AS path falsification
- DNS host fingerprinting
- Firewall policy fingerprinting
[Flowchart with the nodes: BGP update; NLRI falsification? (Y/N); AS path falsification? (Y/N); an available DNS server in the target network? (Y: collect DNS host fingerprints, N: collect firewall policy fingerprints); match the existing fingerprints? (Y: valid update, N: invalid update); valid update]
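The decision of the flowchart above, as an added example rather than code from the thesis: it applies the multiple-origin-AS trigger of slide 10 and the fingerprint comparison to constructed updates, and assumes one extra trigger for AS path falsification (an AS adjacency never seen before), which the slides name as an attack type but do not spell out as a rule.

```python
# Added example (not from the thesis): the RBHD decision of slides 10 and 18
# over constructed data. An update is suspicious when it changes the origin AS
# of a prefix (candidate NLRI falsification) or carries an AS adjacency never
# seen before (candidate AS path falsification; this trigger is an assumption).
# A suspicious update is resolved by the reachability test: the fingerprint
# collected now from the prefix is compared with the stored one.
from dataclasses import dataclass, field

@dataclass
class Rib:
    origin: dict = field(default_factory=dict)   # prefix -> set of known origin ASes
    links: set = field(default_factory=set)      # frozenset({a, b}) per seen AS adjacency

    def learn(self, prefix, path):
        self.origin.setdefault(prefix, set()).add(path[-1])
        self.links.update(frozenset(p) for p in zip(path, path[1:]))

def suspicious(rib, prefix, path):
    """Reason an update must be reachability-tested, or None if it looks normal."""
    if path[-1] not in rib.origin.get(prefix, set()):
        return "multiple origin AS"
    if any(frozenset(p) not in rib.links for p in zip(path, path[1:])):
        return "unseen AS link"
    return None

def rbhd_decide(rib, stored, probe, prefix, path):
    """stored: prefix -> fingerprint recorded earlier; probe(prefix) collects the
    current fingerprint (DNS host fingerprint if a DNS server is reachable in the
    target network, firewall policy fingerprint otherwise, as in slide 18)."""
    reason = suspicious(rib, prefix, path)
    if reason is None:
        return "valid"
    if probe(prefix) == stored.get(prefix):
        return "valid"                # intended network reached (e.g. multihoming)
    return f"hijacking ({reason})"

def demo():
    rib = Rib()
    for path in ((2, 1), (3, 2, 1)):               # AS 1 legitimately originates the prefix
        rib.learn("1.2.0.0/16", path)
    stored = {"1.2.0.0/16": ("dns", "aa=1", "dnssec=off")}          # constructed fingerprint
    reached = lambda _p: ("dns", "aa=1", "dnssec=off")               # probes still land on AS 1
    diverted = lambda _p: ("firewall", "tcp/80:accept", "icmp:reject")  # probes land elsewhere
    return {
        "known path": rbhd_decide(rib, stored, diverted, "1.2.0.0/16", (3, 2, 1)),
        "nlri falsification": rbhd_decide(rib, stored, diverted, "1.2.0.0/16", (4, 5)),
        "as path falsification": rbhd_decide(rib, stored, diverted, "1.2.0.0/16", (4, 5, 1)),
        "legitimate new origin": rbhd_decide(rib, stored, reached, "1.2.0.0/16", (4, 6)),
    }
```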

Slide 19: Evaluations and Results

Slide 20: DNS Server Collection Result
- Current state of DNS server operation: 304,106 IP prefixes (8,414,294 /24 prefixes) in the BGP-RIB; information on 77,530 DNS servers obtained using DNS forward/reverse queries to /24 prefixes
[Figure: the number of IP prefixes owned by each AS]

Slide 21: Host Fingerprint Groups
[Figure: the number of distinguishable DNS server fingerprints]
- The total number of distinguishable fingerprints is 73,781 (out of 77,530 DNS servers in total)

Slide 22: Uniqueness of Fingerprints
- N: the total number of collected DNS servers
- G: the total number of mutually exclusive fingerprints
- For each group, n_i is defined as the number of DNS servers that belong to the i-th fingerprint group N_i
- The collision probability P_C:
- In our result, N is 77,530 and G is 73,781; P_C in our experiment is 2.69 x 10^-6. We conclude that a sufficient level of distinction is achieved by our proposed host fingerprinting method.

Slide 23: Firewall Policy Examples

Slide 24: Differences of Firewall Policies
[Figure: firewall policies of Network A, Network B, Network C and Network D]

Slide 25: IP Prefix Hijacking Testbed
[Figure: two networks are randomly selected; collect AS A's fingerprints; false announcement; translate IP addresses, e.g., 192.168.1.0 => 192.168.31.0; collect current fingerprints (IP addresses in this slide are anonymized)]

Slide 26: Conclusions
1. Summary
2. Contributions
3. Future Work

Slide 27: Summary
- We proposed a new approach that practically detects IP prefix hijacking based on network reachability monitoring
- We used a fingerprinting scheme in order to determine the network reachability of a specific network
- We proposed DNS host and firewall policy fingerprinting methods for network reachability monitoring
- We validated the effectiveness of the proposed method in the IP hijacking test-bed

Slide 28: Contributions
- The problems of existing IP prefix hijacking detection techniques are addressed
- The absence of detection techniques which deal with all IP prefix hijacking cases led to the development of new methodologies which are suitable for the current Internet
- Our approach provides a practical network fingerprinting method for the reachability test of all ASes: DNS host fingerprinting; firewall policy fingerprinting
- Novel and real-time IP prefix hijacking detection methods are described and validated with real network data

Slide 29: Future Work
- Enhancement of our DNS server finding and fingerprinting method
- Optimization of inferring the firewall policies with small probing packets
- Analyzing the performance and feasibility of our fingerprinting approach on the Internet
- Applying our hijacking detection system to a real research network

Slide 30: Q & A
PhD Thesis Defense, Seongcheol Hong, December 16, 2011

Slide 31: Appendix

Slide 32: IP Prefix Hijacking Incidents
- AS7007 incident (April 25, 1997): caused by a misconfigured router that flooded the Internet with incorrect advertisements
- YouTube hijacking (February 24, 2008): Pakistan's attempt to block YouTube access within their country took down YouTube entirely
- Chinese ISP hijacks the Internet (April 8, 2010): China Telecom originated 37,000 prefixes not belonging to them

Slide 33: Related Work (backup slide; identical to slide 7)

Slide 34: Related Work (backup slide; identical to slide 8)

Slide 35: Solution Approach
- Research hypothesis: an independent system can perform real-time IP prefix hijacking detection using network reachability monitoring without any changes to the existing Internet infrastructure

Slide 36: Legitimate Case
[Figure: the topology of slide 10; routing table entries show 1.2.0.0/16 with AS paths "2 1", "1", "2 1" and "5"; the prefix appears with multiple origin ASes, the reachability test reaches the intended network over a static link, and the update is valid]

Slide 37: Common Legitimate Cases
- Xin Hu and Z. Morley Mao, "Accurate Real-time Identification of IP Prefix Hijacking"

Slide 38: DNS Server Collection Process

Slide 39: Distinguishable Groups of Each Fingerprint
[Figures: DNS protocol information; DNS domain name information; DNS server configuration]

Slide 40: DNS Server Fingerprint
[Figures: DNS server fingerprinting process; structure of the DNS server fingerprint]

Slide 41: DNS Server Fingerprint Examples

Slide 42: The Use of Sweep Line for Firewall Policy Inference
- Example of the sweep line algorithm on a 2-dimensional space

Slide 43: Inferring the Firewall Policy
Response classification:
Protocol | Response packet | Permission
ICMP | echo reply | accept
ICMP | - | deny
TCP | ICMP Time Exceeded | accept
TCP | ICMP Destination Unreachable | deny
TCP | - | (not given)
UDP | - | accept
UDP | ICMP Destination Unreachable | deny
Probe packets:
Protocol | Destination IP | Destination port | Option | TTL
ICMP | 192.168.10.0/24 | - | echo | router + 1
TCP | 192.168.10.0/24 | 1:1023 | SYN | router + 1
UDP | 192.168.10.0/24 | 1:1023 | - | router + 1

Slide 44: Inferring the Firewall Policy
Response classification:
Protocol | Response packet | Permission
ICMP | echo reply | accept
ICMP | - | deny
TCP | SYN/ACK | accept
TCP | RST/ACK | accept
TCP | RST | accept
TCP | ICMP Destination Unreachable | deny
TCP | - | (not given)
UDP | - | accept
UDP | ICMP Destination Unreachable | deny
Probe packets:
Protocol | Destination IP | Destination port | Option | TTL
ICMP | 192.168.10.0/24 | - | echo | 255
TCP | 192.168.10.0/24 | 1:1023 | SYN | 255
UDP | 192.168.10.0/24 | 1:1023 | - | 255

Slide 45: Suspicious Update Frequency
- Suspicious update frequency during 2 weeks of monitoring from the BGP-RIB:
Anomalous update type | Total number | Average rate (/min)
NLRI | 1234 | 0.12
AS path | 12632 | 1.02

