Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting Prefix Hijackings in the Internet with Argus Xingang Shi Yang Xiang Zhiliang Wang Xia Yin Jianping Wu Tsinghua University.

Published byAugust Sanders Modified over 9 years ago

Similar presentations

Presentation on theme: "Detecting Prefix Hijackings in the Internet with Argus Xingang Shi Yang Xiang Zhiliang Wang Xia Yin Jianping Wu Tsinghua University."— Presentation transcript:

1 2012/11/14IMC12@Boston1 Detecting Prefix Hijackings in the Internet with Argus Xingang Shi Yang Xiang Zhiliang Wang Xia Yin Jianping Wu Tsinghua University

2 2012/11/14IMC12@Boston2 Outline Introduction –Prefix Hijacking –Existing Detection Methods Argus –Key Observation & Algorithm –System Architecture & Implementation Internet Monitoring Practice –Evaluation –Statistics –Case Studies Conclusion

3 2012/11/14IMC12@Boston3 Outline Introduction –Prefix Hijacking –Existing Detection Methods Argus –Key Observation & Algorithm –System Architecture & Implementation Internet Monitoring Practice –Evaluation –Statistics –Case Studies Conclusion

4 2012/11/14IMC12@Boston4 Inter-domain Routing

5 2012/11/14IMC12@Boston5 Prefix Hijacking

6 2012/11/14IMC12@Boston6 Black-holing Hijackings Packets dropped by the attacker Also cased by unintentional mis-configurations –2010, China Tele. hijacked 15% of Internet –2008, Pakistan Tele. hijacked Youtube for 2 hours Other types such as imposture/interception –Harder to detect –E2E mechanisms, i.e., IPsec, HTTPS

7 2012/11/14IMC12@Boston7 Outline Introduction –Prefix Hijacking –Existing Detection Methods Argus –Key Observation & Algorithm –System Architecture & Implementation Internet Monitoring Practice –Evaluation –Statistics –Case Studies Conclusion

8 2012/11/14IMC12@Boston8 Challenges of Hijacking Detection Hijacking can pollute a large number of ASes in several seconds! Real system or service Monitoring the whole Internet Robust channel to notify the attacker Sub-prefix hijacking is more aggressive Multi-homing, TE, BGP anycast, Backup links, Route failure, Policy change short delay high accuracy easy to deploy high scalability attacker’s info sub-prefix hijacking

9 2012/11/14IMC12@Boston9 Existing Control or Data Plane Methods Complementary advantages Data-plane probing –iSPY [SIGCOMM ’08] –Reference Point [SIGCOMM ’07] Control-plane monitoring –BGPmon.net –PHAS, Cyclops –MyASN

10 2012/11/14IMC12@Boston10 Hybrid: control & data plane Hybrid solution [S&P ’07] –Control-plane driven: monitoring anomalous route –Data-plane verification: whether it is a hijacking Cons. –Minutes of detection delay Traceroute, nmap, IP/TCP timestamp, reflect scan, … –Hard to deploy Planetlab –BGP anycast Lack of correlation between control and data plane status

11 2012/11/14IMC12@Boston11 Our Approach Control plane Data plane Hybrid Correlation Argus

12 2012/11/14IMC12@Boston12 Outline Introduction –Prefix Hijacking –Existing Detection Methods Argus –Key Observation & Algorithm –System Architecture & Implementation Internet Monitoring Practice –Evaluation –Statistics –Case Studies Conclusion

13 2012/11/14IMC12@Boston13 Key Observations: Relationship between Control and Data Plane Only part of the Internet is polluted Distinguishable from other route events

14 C t = {C t,j } = [ 1, 0, 1, 0, 0 ] D t = {D t,j } = [ 1, 0, 1, 0, 0 ] 2012/11/14IMC12@Boston14 Status Matching eye 1 : eye 2 : eye 3 : eye 4 : eye 5 : Eyes of Argus: public route-servers, looking-glasses –Simple & fast commands: show ip bgp, ping Eye j at time t Control plane C tj : not affected by the anomalous route? Data plane D tj : live IP in the corresponding prefix can be reached? 1010010100 1010010100 C t,j D t,j 5 1 1 Fingerprint:

15 2012/11/14IMC12@Boston15 Identification of Prefix Hijacking Prefix hijacking: F t  1.0, (F t >= threshold μ)

16 2012/11/14IMC12@Boston16 Type of Anomalies AS-path p = –OA: Origin Anomaly Anomalous origin AS: p a = –AA: Adjacency Anomaly Anomalous AS pair in AS-path: p a = –PA: Policy Anomaly Anomalous AS triple in AS-path: p a =

17 2012/11/14IMC12@Boston17 Outline Introduction –Prefix Hijacking –Existing Detection Methods Argus –Key Observation & Algorithm –System Architecture & Implementation Internet Monitoring Practice –Evaluation –Statistics –Case Studies Conclusion

18 2012/11/14IMC12@Boston18 Architecture of Argus Anomaly Monitoring Module Live-IP Retrieving Module Hijacking Identification Module

19 2012/11/14IMC12@Boston19 System Deployment From May 2011, launched >1 years Live BGP feed collected from ~130 peers –BGPmon: http://bgpmon.netsec.colostate.edu/http://bgpmon.netsec.colostate.edu/ –10GB BGP UPDATE /day, 20Mbps peak 389 eyes, in 41 transit AS Online notification services –(AS-4847) Mailing list –(AS-13414, AS-35995) Twitter –(AS-4538) Website, web service APIs

20 2012/11/14IMC12@Boston20 Outline Introduction –Prefix Hijacking –Existing Detection Methods Argus –Key Observation & Algorithm –System Architecture & Implementation Internet Monitoring Practice –Evaluation –Statistics –Case Studies Conclusion

21 2012/11/14IMC12@Boston21 Argus is Online 40k anomalous route events 220 stable hijackings –Duration of F t >=μ in more than T seconds –μ: fingerprint threshold of hijacking –T: duration threshold of stable hijacking Fingerprint (F t ) distribution of all stable hijackings.

22 2012/11/14IMC12@Boston22 False Positive Directly contact network operators (March-April, 2012) –10/31 confirmed our hijacking alarms –No objection ROA: Route Origin Authorization –266 anomalies with ROA records –False positive 0% (μ=0.6, T=10, #eyes=40) IRR: Internet Routing Registry –3988 anomalies with IRR records –False positive 0.2% (μ=0.6, T=10, #eyes=40)

23 2012/11/14IMC12@Boston23 Delay Detection delay –60% less than 10 seconds Identification delay –80% less than 10 seconds –50% less than 1 second

24 2012/11/14IMC12@Boston24 Outline Introduction –Prefix Hijacking –Existing Detection Methods Argus –Key Observation & Algorithm –System Architecture & Implementation Internet Monitoring Practice –Evaluation –Statistics –Case Studies Conclusion

25 2012/11/14IMC12@Boston25 Statistics - Overview Adjacency/Policy based hijacking do exists Weekly # of stable hijackings. TotalOA (origin AS) AA (Adjacency) PA (Policy) Anomalies40k20k6.7k13.3k Hijackings2201227127 Total # of route anomalies and stable hijackings in one year.

26 2012/11/14IMC12@Boston26 Statistics - Hijacking duration Stable hijacking duration: live time of anomalous route –20+% hijackings last <10 minutes –Long hijackings also exist

27 2012/11/14IMC12@Boston27 Statistics - Prefix length Stable hijackings with most specific prefix –91% hijacked prefixes are most specific –100% hijacked prefixes with length <= 18 are most specific 10% stable hijackings are sub-prefix hijacking

28 2012/11/14IMC12@Boston28 Statistics - Pollution scale 20% stable hijackings could pollute 80+ transit ASes

29 2012/11/14IMC12@Boston29 Statistics - Pollution speed 20+ transit ASes are polluted in 2 minutes For hijackings polluted 80+ transit ASes –50% Internet are polluted within 20 seconds –90% Internet are polluted within 2 minutes

30 2012/11/14IMC12@Boston30 Outline Introduction –Prefix Hijacking –Existing Detection Methods Argus –Key Observation & Algorithm –System Architecture & Implementation Internet Monitoring Practice –Evaluation –Statistics –Case Studies Conclusion

31 2012/11/14IMC12@Boston31 Case Studies OA hijackings (confirmed by email) –Missing route filters –Network maintenance misplay –Premature migration attempt –Sub-prefix hijacking AA hijackings (confirmed by email) –Mis-configuration in TE –AS-path poisoning experiment PA hijackings (verified in IRR) –Import policy violation –Export policy violation

32 2012/11/14IMC12@Boston32 OA Hijackings Missing route filters Network maintenance misplay TimePrefixNormal OriginAnomalous OriginDurationDelay Nov. 27, 2011166.111.32.0/24, …AS-4538 CERNET, CN AS-23910 CERNET-2, CN 10+ sec10 sec Mar. 20, 2012193.105.17.0/24AS-50407 Douglas, DE AS-15763 DOKOM, DE 12 min5 sec

33 2012/11/14IMC12@Boston33 OA Hijackings Premature migration attempt Sub-prefix hijacking TimePrefixNormal OriginAnomalous OriginDurationDelay Apr. 04, 201291.217.242.0/24AS-197279 WizjaNet, PL AS-48559 Infomex, PL 17 min9 Mar. 22, 201212.231.155.0/24 (in 12.128.0.0/9) AS-7018 AT&T, US AS-13490 Buckeye, US 16 min7

34 2012/11/14IMC12@Boston34 AA Hijackings Mis-configuration in TE –AS-38794 (BB-Broadband, TH) is a new provider of AS-24465 (Kasikorn, TH) AS-path poisoning experiment [SIGCOMM ’12] –BBN announces loop AS-paths for experimental purpose TimePrefixAS-pathDelay Apr. 12, 2012210.1.38.0/24 12 Mar. 31, 2012184.464.255.0/24 4

35 2012/11/14IMC12@Boston35 PA Hijackings Import policy violation Export policy violation TimePrefixAS-pathDelay Apr. 19, 201277.223.240.0/22 9 Apr. 16, 2012195.10.205.0/24 5 IRR info. of AS-21021 (Multimedia, PL) : IRR info. of AS-31484 (OOO Direct Tele., RU):

36 2012/11/14IMC12@Boston36 Non-hijacking Anomalies TE using BGP anycast –193.0.16.0/24 (DNS root-k) suddenly originated by AS-197000 (RIPE) –F t  0, D t = 1 TE with backup links –AS-12476 (Aster, PL) announced prefix to a new provider AS-6453 (Tata, CA) –F t  0, D t = 1 Route migration –Prefix owmer changed from AS-12653 (KB Impuls, GR) to AS-7700 (Singapore Tele) –F t  -1

37 2012/11/14IMC12@Boston37 Outline Introduction –Prefix Hijacking –Existing Detection Methods Argus –Key Observation & Algorithm –System Architecture & Implementation Internet Monitoring Practice –Evaluation –Statistics –Case Studies Conclusion

38 2012/11/14IMC12@Boston38 Conclusion of Our Contributions 80% delay <10 seconds 20% stable hijackings last <10 minutes, some can pollute 90% Internet in <2 minutes OA, AA, PA anomalies ROA, IRR, email confirmation show ip bgp, ping Public available external resources Anomaly driven probing Monitoring the whole Internet Live BGP feed from BGPmon Victims can be noticed through several channels 10% stable hijackings are sub-prefix hijacking One year’s Internet detection practice.

39 "Now Argus had a hundred eyes in his head, and never went to sleep with more than two at a time, so he kept watch of Io constantly.“ -- Thomas Bulfinch, The Age of Fable (Philadelphia: Henry altemus Company, 1897) 39 2012/11/14IMC12@Boston39 clip produced by the Florida Center for Instructional Technology, College of Education, University of South Florida

40 2012/11/14IMC12@Boston40 Thanks! Q & A Algorithm for realtime & accurate hijacking detection Online system that monitoring the whole Internet Online services for network operators / researchers One year Internet wide hijacking detection practice Root cause analysis of hijackings and anomalies twitter.com/sharangxy tli.tl/argus

41 2012/11/14IMC12@Boston41 Backups

42 2012/11/14IMC12@Boston42 We focus on black-hole hijackings Mis-configuration typically cause black-holing –2010, China Tele. hijacked 15% of Internet –2008, Pakistan Tele. hijacked Youtube for two hours ISP is trustworthy, malicious attack is relatively rare Perfect imposture/interception is difficult –Mimic all behaviors, forward all the traffic Detect interception is hard, any AS is a MITM E2E mechanism is more effective in preventing imposture/interception

43 2012/11/14IMC12@Boston43 Anomaly Monitoring Module Live BGP feed, colltected from ~130 peers –BGPmon: http://bgpmon.netsec.colostate.edu/http://bgpmon.netsec.colostate.edu/ 10GB BGP UPDATE /day, 20Mbps peak –4-stage pipeline processing –Parallel UPDATE parser –Mem-cached DB read, batch write

44 2012/11/14IMC12@Boston44 Live-IP Retrieving Module Live-IP candidates in prefix f –Traceroute results, DNS records –Possible gateways The first/last IP in every sub-prefix 512-parallel checking, find a live target in <1 second

45 2012/11/14IMC12@Boston45 Hijacking Identification Module Distinguish hijacking from other route events –Acquire C t and D t –Calculate F t –Last for W=120 seconds for every anomaly N=389 eyes, in 41 transit AS Online services –(AS-4847) Mailing list –(AS-13414, AS-35995) Twitter –(AS-4538) Website, web service APIs

Download ppt "Detecting Prefix Hijackings in the Internet with Argus Xingang Shi Yang Xiang Zhiliang Wang Xia Yin Jianping Wu Tsinghua University."

Similar presentations

A Threat Model for BGPSEC

A Threat Model for BGPSEC
A Threat Model for BGPSEC Steve Kent BBN Technologies.

A Threat Model for BGPSEC Steve Kent BBN Technologies.
Data-Plane Accountability with In-Band Path Diagnosis Murtaza Motiwala, Nick Feamster Georgia Tech Andy Bavier Princeton University.

Data-Plane Accountability with In-Band Path Diagnosis Murtaza Motiwala, Nick Feamster Georgia Tech Andy Bavier Princeton University.
Locating Prefix Hijackers using LOCK Tongqing Qiu +, Lusheng Ji *, Dan Pei * Jia Wang *, Jun (Jim) Xu +, Hitesh Ballani ++ + College of Computing, Georgia.

Locating Prefix Hijackers using LOCK Tongqing Qiu +, Lusheng Ji *, Dan Pei * Jia Wang *, Jun (Jim) Xu +, Hitesh Ballani ++ + College of Computing, Georgia.
How Secure are Secure Interdomain Routing Protocols? B96209044 大氣四 鍾岳霖 B97703099 財金三 婁瀚升 1.

How Secure are Secure Interdomain Routing Protocols? B 大氣四 鍾岳霖 B 財金三 婁瀚升 1.
A Study of BGP Origin AS Changes and Partial Connectivity Ratul Mahajan David Wetherall Tom Anderson University of Washington Asta Networks † † ‡ † ‡ ‡

A Study of BGP Origin AS Changes and Partial Connectivity Ratul Mahajan David Wetherall Tom Anderson University of Washington Asta Networks † † ‡ † ‡ ‡
Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.

Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.

Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.

Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.
Network Layer: Internet-Wide Routing & BGP Dina Katabi & Sam Madden.

Network Layer: Internet-Wide Routing & BGP Dina Katabi & Sam Madden.
BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.

BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.
Seongcheol Hong, POSTECHPhD Thesis Defense 1/30 Network Reachability-based IP Prefix Hijacking Detection - PhD Thesis Defense - Seongcheol Hong Supervisor:

Seongcheol Hong, POSTECHPhD Thesis Defense 1/30 Network Reachability-based IP Prefix Hijacking Detection - PhD Thesis Defense - Seongcheol Hong Supervisor:
1 BGP Anomaly Detection in an ISP Jian Wu (U. Michigan) Z. Morley Mao (U. Michigan) Jennifer Rexford (Princeton) Jia Wang (AT&T Labs)

1 BGP Anomaly Detection in an ISP Jian Wu (U. Michigan) Z. Morley Mao (U. Michigan) Jennifer Rexford (Princeton) Jia Wang (AT&T Labs)
Active correlation between the control and data plane: Accurate real-time identification of IP hijacking Z. Morley Mao University of Michigan.

Active correlation between the control and data plane: Accurate real-time identification of IP hijacking Z. Morley Mao University of Michigan.
1 Finding a Needle in a Haystack: Pinpointing Significant BGP Routing Changes in an IP Network Jian Wu (University of Michigan) Z. Morley Mao (University.

1 Finding a Needle in a Haystack: Pinpointing Significant BGP Routing Changes in an IP Network Jian Wu (University of Michigan) Z. Morley Mao (University.
Interdomain Routing Security COS 461: Computer Networks Michael Schapira.

Interdomain Routing Security COS 461: Computer Networks Michael Schapira.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.

Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.
A Routing Control Platform for Managing IP Networks Jennifer Rexford Computer Science Department Princeton University

A Routing Control Platform for Managing IP Networks Jennifer Rexford Computer Science Department Princeton University
Accurate Real-Time Identification of IP Prefix Hijacking Z. Morley Mao Xin Hu 2007 IEEE Symposium on and Privacy Oakland, California 2007 IEEE Symposium.

Accurate Real-Time Identification of IP Prefix Hijacking Z. Morley Mao Xin Hu 2007 IEEE Symposium on and Privacy Oakland, California 2007 IEEE Symposium.

Similar presentations

Ads by Google