Accurate Real-Time Identification of IP Prefix Hijacking

Description:

Accurate Real-Time Identification of IP Prefix Hijacking. Xin Hu, Z. Morley Mao. 2007 IEEE Symposium on Security and Privacy, Oakland, California.

Date added: 22 August 2019
Slides: 37
Provided by: kai157
Transcript and Presenter's Notes

1
Accurate Real-Time Identification of IP Prefix Hijacking
Xin Hu, Z. Morley Mao

2007 IEEE Symposium on Security and Privacy
Oakland, California
2
Outline
  • Introduction
  • Taxonomy of IP prefix hijacking
  • Proposed approach of combining control and data
    plane information
  • Implementation and results
  • Conclusion

3
Outline
  • Introduction
  • Taxonomy of IP prefix hijacking
  • Proposed approach of combining control and data
    plane information
  • Implementation and results
  • Conclusion

4
IP prefix hijacking
  • Fraudulent origin attack
  • Steal IP prefixes belonging to other networks
  • Announce unauthorized prefixes through BGP
  • Can also result from network misconfiguration

5
Motivation
  • Existing solutions
  • Route filters
    -> insufficient due to multi-homing
  • Short-lived announcements [Boothe06]
  • Anomalous routing information [Lad06]
    -> solely rely on the control plane
    -> high false positive and false negative
  • Control plane + data plane
  • Control plane anomalies trigger real-time
    detection
  • Data plane fingerprints provide confirmative
    evidence
  • -> Real-time and accurate identification of prefix
    hijacking

6
Outline
  • Introduction
  • Taxonomy of IP prefix hijacking
  • Proposed approach of combining control and data
    plane information
  • Implementation and results
  • Conclusion

7
Prefix announcements
Slide diagram: AS 1 originates 1.2.0.0/16 and the
announcement propagates AS 1 -> AS 2 -> AS 3 and
AS 4 -> AS 5.
  • AS 1 advertises 1.2.0.0/16 with path 1
  • AS 2 installs 1.2.0.0/16 with path 1 and
    advertises path 2, 1
  • AS 3 and AS 4 install 1.2.0.0/16 with path 2, 1
    and advertise paths 3, 2, 1 and 4, 2, 1
  • AS 5 installs 1.2.0.0/16 with path 4, 2, 1
IEEE Symposium on Security and Privacy
May 2007
8
Type 1: Hijack a prefix
Slide diagram: AS 5 also originates 1.2.0.0/16 while
AS 1 keeps advertising it.
  • AS 5 advertises 1.2.0.0/16 with path 5
  • AS 4 replaces path 2, 1 with path 5 and
    advertises path 4, 5
  • AS 3 is shown with path 4, 5 next to its earlier
    path 2, 1
  • AS 2 keeps 1.2.0.0/16 with path 1
  • Two origin ASes (1 and 5) now announce the same
    prefix: a MOAS conflict
9
Type 2: Hijack a prefix and its AS number
Slide diagram: AS 5 advertises a path to 1.2.0.0/16
that keeps AS 1 as the origin.
  • AS 5 advertises 1.2.0.0/16 with path 5, 1 (a fake
    AS edge 5-1)
  • AS 4 replaces path 2, 1 with path 5, 1 and
    advertises path 4, 5, 1
  • AS 3 and AS 2 keep paths 2, 1 and 1
  • NO MOAS! The origin AS is still 1
10
Type 3: Hijack a subnet of a prefix
Slide diagram: AS 5 originates 1.2.3.0/24, a subnet
of 1.2.0.0/16, which AS 1 still advertises.
  • AS 5 advertises 1.2.3.0/24 with path 5
  • AS 4 table: 1.2.3.0/24 path 5; 1.2.0.0/16 path
    2, 1; advertises 1.2.3.0/24 with path 4, 5
  • AS 3 table: 1.2.3.0/24 path 4, 5; 1.2.0.0/16
    path 2, 1
  • AS 2 table: 1.2.3.0/24 path 4, 5; 1.2.0.0/16
    path 1
  • SubMOAS! No MOAS!
11
Longest prefix matching
  • Attacker is able to attract all traffic
Slide diagram (same state as the type 3 hijack):
every AS holds 1.2.3.0/24 via AS 5 next to
1.2.0.0/16 via AS 1.
  • AS 4 table: 1.2.3.0/24 path 5; 1.2.0.0/16 path
    2, 1
  • AS 3 table: 1.2.3.0/24 path 4, 5; 1.2.0.0/16
    path 2, 1
  • AS 2 table: 1.2.3.0/24 path 4, 5; 1.2.0.0/16
    path 1
  • Longest prefix matching: traffic to addresses in
    1.2.3.0/24 follows the /24 route to AS 5, even at
    AS 2, which has a direct path to AS 1
12
Type 4: Hijack a subnet of a prefix and AS number
Slide diagram: AS 5 advertises a path to 1.2.3.0/24
that keeps AS 1 as the origin.
  • AS 5 advertises 1.2.3.0/24 with path 5, 1
  • AS 4 table: 1.2.3.0/24 path 5, 1; 1.2.0.0/16
    path 2, 1; advertises 1.2.3.0/24 with path
    4, 5, 1
  • AS 3 table: 1.2.3.0/24 path 4, 5, 1; 1.2.0.0/16
    path 2, 1
  • AS 2 table: 1.2.3.0/24 path 4, 5, 1; 1.2.0.0/16
    path 1
  • Neither MOAS nor SubMOAS! Longest prefix matching
    still sends traffic for 1.2.3.0/24 to AS 5
13
Outline
  • Introduction
  • Taxonomy of IP prefix hijacking
  • Proposed approach of combining control and data
    plane information
  • Implementation and results
  • Conclusion

14
Control plane information alone is insufficient
  • False positive
  • Legitimate reasons for anomalous routing updates
  • Multi-homing with static link

Slide diagram: AS 1 originates 1.2.3.0/24 (path 1).
A second AS reaches the prefix over a static link or
IGP route rather than BGP and announces 1.2.3.0/24
with path 3, so the prefix appears with two origins
(MOAS!); with aggregation the same setup yields a
subMOAS; the path 3, 1 is the ordinary BGP route.
15
Control plane information alone is insufficient
  • False positive
  • Legitimate reasons for anomalous routing updates
  • Multi-homing with static link and aggregation
  • False negative
  • AS-level path may not match the forwarding path
  • Type 2 and type 4 attacks do not lead to control
    plane anomalies

16
Proposed approach
  • Combine control plane and data plane information
  • A successful hijacking will result in conflicting
    data plane fingerprints
  • A hijacking attempt cannot affect the entire
    network, especially the network topologically
    close to the victim
  • Fingerprinting-based consistency check
  • For valid MOAS and subMOAS, there is only one
    owner for the prefix -> same data plane
    fingerprints
  • For real hijacking, traffic from different
    locations may arrive at the true owner or the
    attacker -> conflicting fingerprints

17
Fingerprinting techniques
  • Determine characteristics of remote hosts or
    networks by sending probe packets
  • Host-based fingerprinting
  • Host Operating System detection
  • IP Identifier (IPID) probing
  • Timestamp probing (ICMP and TCP timestamp)
  • Reflect-scan
  • Network fingerprinting
  • Firewall policies
  • Resource properties (e.g., bandwidth)
  • Edge router characteristics
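
As an added example, not code from the paper, the check below compares the host fingerprints the slide lists (OS guess, IP ID behaviour, TCP timestamp clock rate) as seen from several vantage points against those seen from vantage points topologically close to the victim, which a hijack cannot affect. The probe results, vantage point names and the set of common clock rates are constructed for the type 1 scenario; the code only analyses recorded replies and does no probing itself.

```python
from statistics import median

# Common TCP timestamp clock rates (Hz) that a measured rate is snapped to; an
# assumption of this example, not a table from the paper.
COMMON_RATES = (10, 100, 250, 1000)

def ipid_pattern(ids):
    """Classify a run of IP IDs from successive replies: zero, incremental or random."""
    if all(i == 0 for i in ids):
        return "zero"
    diffs = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]   # counter wraps at 16 bits
    return "incremental" if all(1 <= d <= 1000 for d in diffs) else "random"

def tcp_ts_rate(samples):
    """Estimate the TCP timestamp clock rate from (wall-clock seconds, ts) pairs
    taken at strictly increasing wall-clock times."""
    rates = [(t2 - t1) / (w2 - w1) for (w1, t1), (w2, t2) in zip(samples, samples[1:])]
    return min(COMMON_RATES, key=lambda r: abs(r - median(rates)))

def fingerprint(probe):
    """Combine the host-based fingerprints from one vantage point into one tuple."""
    return (probe["os"], ipid_pattern(probe["ipid"]), tcp_ts_rate(probe["ts"]))

def consistency_check(probes, reference):
    """Fingerprints seen from vantage points outside `reference` (those close to
    the victim) must match one seen from inside it; a legitimate MOAS has one
    owner and passes, a real hijack leaves conflicting vantage points."""
    fps = {vp: fingerprint(p) for vp, p in probes.items()}
    owner_fps = {fps[vp] for vp in reference}
    conflicts = {vp: fp for vp, fp in fps.items() if vp not in reference and fp not in owner_fps}
    return ("conflicting fingerprints", conflicts) if conflicts else ("consistent", {})

# Constructed probe results (not the paper's data) for the type 1 diagram: the
# vantage point in AS 2 still reaches AS 1's host, those in AS 3 and AS 4 reach AS 5's.
PROBES = {
    "vp-as2": {"os": "Linux", "ipid": [0, 0, 0, 0], "ts": [(0.0, 100), (1.0, 1100), (2.0, 2100)]},
    "vp-as3": {"os": "Windows", "ipid": [4001, 4002, 4003, 4005], "ts": [(0.0, 10), (1.0, 110), (2.0, 210)]},
    "vp-as4": {"os": "Windows", "ipid": [7100, 7101, 7103, 7104], "ts": [(0.0, 90), (1.0, 190), (2.0, 290)]},
}
REFERENCE = {"vp-as2"}   # vantage point topologically close to the victim AS 1

if __name__ == "__main__":
    print(consistency_check(PROBES, REFERENCE))
```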

18
Detection of prefix hijack
Slide diagram (the type 1 hijack): AS 1 and AS 5
both advertise 1.2.0.0/16; AS 4 holds path 5 and
advertises 4, 5, AS 3 holds path 4, 5, and AS 2
keeps path 1. The resulting MOAS update is what
triggers the fingerprinting-based consistency check.
19
Detection of prefix and AS hijacking
  • Problem
  • Attackers avoid MOAS conflicts by retaining
    correct origin AS
  • Checking all updates is prohibitively expensive
  • Heuristics for detecting the fake AS edge
  • Edge popularity constraint
  • Geographic constraint
  • Relationship constraint [Kruegel2003]
  • Violation of these constraints triggers
    fingerprinting check

20
Detection of prefix subnet hijacking
  • Problem
  • Attackers avoid MOAS conflicts by hijacking a
    subnet
  • Longest prefix matching

Slide diagram (the type 3 hijack): AS 5 advertises
1.2.3.0/24 with path 5; AS 4 holds 1.2.3.0/24 path 5
beside 1.2.0.0/16 path 2, 1 and advertises the /24
with path 4, 5; AS 3 and AS 2 hold 1.2.3.0/24 path
4, 5 beside their 1.2.0.0/16 routes (2, 1 and 1).
21
Detection of prefix subnet hijacking (Cont.)
  • Identify subMOAS conflicts
  • Newly announced prefixes that are part of an
    existing prefix
  • Customer-provider relationship check
  • Assume provider and customer will not hijack one
    another
  • Reflect-scan to detect subnet hijacking
  • IGP routing within victim AS is unaffected
  • Use IP spoofing to solicit traffic inside victim
    AS
  • Predictable IP ID increment in IP packet

22
Summary of detection techniques
Attack type: monitored routing updates; detection technique
  • Hijack prefix: MOAS updates; fingerprinting-based
    consistency check (FP check)
  • Hijack prefix and AS: all updates; edge, geographic
    and relationship (EGR) constraints, FP check
  • Hijack subnet prefix: subMOAS updates;
    customer-provider (C-P) check, reflect-scan
  • Hijack subnet prefix and AS: new, non-subMOAS
    updates; EGR constraints, reflect-scan
  • Limitations
  • Detection is triggered by anomalous updates
  • Limited number of vantage points
  • Firewall blocks probing packets
  • Ingress filtering
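
As an added example (not code from the paper or the slides), the classifier below applies the summary table's triggers to single BGP updates over the slide topology: a MOAS update (type 1), a known origin reached through an AS edge never seen before (the edge popularity constraint, type 2), a subMOAS update filtered by the customer-provider check (type 3), and a correctly originated subnet behind an unseen edge (type 4). The origin table, edge set and provider relationship for AS 1 to AS 5 are constructed; the longest-prefix-match helper shows why AS 2 forwards 1.2.3.0/24 traffic toward AS 5 despite its direct path to AS 1.

```python
import ipaddress

# Constructed state for the slide topology (not data from the paper): origin ASes
# seen per prefix, AS edges seen in any path so far (undirected), and each AS's
# providers.
ORIGINS = {"1.2.0.0/16": {1}}
EDGES = {frozenset(e) for e in [(2, 1), (3, 2), (4, 2), (5, 3), (5, 4)]}
PROVIDERS = {1: {2}}                       # AS 2 is AS 1's provider (constructed)

def related(a, b, providers=PROVIDERS):
    """Customer-provider check: true if either AS is the other's provider."""
    return b in providers.get(a, set()) or a in providers.get(b, set())

def classify_update(prefix, path, origins=ORIGINS, edges=EDGES):
    """Map one BGP update (prefix, AS path with the origin last) to the
    control-plane signal and follow-up check from the summary table."""
    origin, net = path[-1], ipaddress.ip_network(prefix)
    # Edge popularity constraint: an AS edge never seen in any path is suspicious.
    unseen = [e for e in zip(path, path[1:]) if frozenset(e) not in edges]
    if prefix in origins:                                   # update for a known prefix
        if origin not in origins[prefix]:
            return "MOAS", "FP check"                       # type 1 signal
        if unseen:
            return "EGR violation", "FP check"              # type 2: origin kept, fake edge
        return "none", ""
    covering = [p for p in origins if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "new prefix", "no covering prefix"
    owners = set().union(*(origins[p] for p in covering))
    if origin in owners:                                    # subnet with the right origin
        return ("EGR violation", "reflect-scan") if unseen else ("none", "")  # type 4
    if any(related(origin, o) for o in owners):
        return "subMOAS", "C-P check passes"                # provider/customer deaggregation
    return "subMOAS", "C-P check, reflect-scan"             # type 3 signal

def forwarding_path(table, ip):
    """Longest prefix matching over one AS's table {prefix: AS path}."""
    addr = ipaddress.ip_address(ip)
    matches = [ipaddress.ip_network(p) for p in table if addr in ipaddress.ip_network(p)]
    return table[str(max(matches, key=lambda n: n.prefixlen))] if matches else None

if __name__ == "__main__":
    for prefix, path in [("1.2.0.0/16", [5]), ("1.2.0.0/16", [5, 1]),
                         ("1.2.3.0/24", [5]), ("1.2.3.0/24", [5, 1]), ("1.2.3.0/24", [2])]:
        print(prefix, path, classify_update(prefix, path))
    # AS 2 after the type 3 hijack: the /24 route wins over its direct path to AS 1
    print(forwarding_path({"1.2.3.0/24": [4, 5], "1.2.0.0/16": [1]}, "1.2.3.5"))
```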

23
Outline
  • Introduction
  • Taxonomy of IP prefix hijacking
  • Proposed approach of combining control and data
    plane information
  • Implementation and results
  • Conclusion

24
Prototype Implementation
  • Data set
  • BGP data set: RouteViews and our own BGP monitor
  • Probe locations: PlanetLab testbed
  • Live IP addresses: DNS and web server logs,
    lightweight ping
  • Prefix geographic information: NetGeo from CAIDA
  • Fingerprinting
  • OS detection and TCP timestamp: Nmap v3.95
  • IPID and ICMP timestamp: Ruby on PlanetLab
  • Reflect-scan: hping v2

25
Results
  • 2-week monitoring period
  • Real-time BGP data from our BGP monitor

Attack type: anomalous updates (total number, average
rate per 15 min); suspicious updates (after FP check)
  • Type 1, MOAS conflicts: 3685 total, 0.52 per
    15 min; 332 suspicious
  • Type 2, violate EGR constraints: 17205 total, 2.43
    per 15 min; 594 suspicious
  • Type 3, subMOAS conflicts (after C-P check): 3380
    total, 0.47 per 15 min; 594 suspicious
  • Type 4, new non-subMOAS prefix that violates EGR
    constraints: 1195 total, 0.17 per 15 min;
    85 suspicious
26
Potential attack (type 1)
27
Potential attack (type 2)
28
DNS anycast validation
  • IP anycast of root DNS servers
  • Multiple servers support the same service under
    the same IP address
  • 5 out of 13 DNS servers use anycast (C, F, I, J
    and K)
  • Legitimate type 2 hijack attack
  • Hijack both prefix and AS number
  • Our system successfully detects 4 of them
  • C-root server doesn't violate the EGR check

29
Fingerprints for F root server
30
Correlation with spam data
  • Hijacked IP prefixes are often used for spamming
  • Correlate identified suspicious updates with Spam
    source IPs
  • Non-negligible correlation between hijacking and
    spamming

Correlation between detected suspicious prefixes and
spam sources. Columns: type of suspicious prefix;
number of suspicious prefixes; number of matched
prefixes; number of matched prefixes within a time
window of 1 h, 6 h and 1 d between identification of
the suspicious update and the arrival of spam.
  • Type 1: 332 suspicious, 28 matched; within 1 h 19,
    6 h 25, 1 d 25
  • Type 2: 594 suspicious, 91 matched; within 1 h 34,
    6 h 74, 1 d 87
  • Type 3: 151 suspicious, 10 matched; within 1 h 4,
    6 h 8, 1 d 10
  • Type 4: 85 suspicious, 11 matched; within 1 h 5,
    6 h 10, 1 d 11
31
Conclusion
  • Propose a framework for accurate real-time
    detection of IP prefix hijacking attacks
  • Exploit a novel insight that a real hijacking
    will result in conflicting data-plane
    fingerprints
  • Propose detailed classification of hijacking
    attacks and the detection algorithm for each type
  • Achieve significant reduction in both false
    positives and false negatives

32
Paper-2
  • A Light-Weight Distributed Scheme for Detecting
    IP Prefix Hijacks in Real-Time
  • In SIGCOMM'07

33
Key observations
  • If a prefix is hijacked, the paths observed from
    certain vantage points to the prefix would likely
    exhibit significant changes.
  • The path from a source to a prefix is almost
    always a super-path of the path from the same
    source to a reference point along the previous
    path, as long as the reference point is
    topologically close to the prefix.

34
High-level Methodology and Results
  • Detect the suspicious hijacking using the first
    observation
  • Confirm the real hijacking using the second
    observation
  • Results are surprisingly good: 0.5% false
    positives and false negatives (which is really
    beyond my expectation; why?)

35
Comparison between the two papers
  • Simplicity: Paper 1 uses control + data plane;
    Paper 2 uses data plane only (✓)
  • Real-time effect: Paper 1 does analysis -> probing;
    Paper 2 does online probing (✓)
  • Accuracy: Paper 1 (✓)
  • Probing overhead: Paper 1 targeted (✓); Paper 2
    brute-force
36
My thinking (a 100% detection)
  • Observation (my guess)
  • - Hijacked prefixes and victim prefixes are
    not identically used. Hijacked addresses may be
    little used?
  • Proposed method
  • - Why not use a very simple and 100% accurate
    method, PING!!! Just ping the sampled addresses
    to detect reachable or unreachable.
  • Merits
  • - Very simple, easy to deploy, no false
    positives and false negatives, comparable overhead
    with previous work, no other assistance is needed!
  • Opportunity
  • - I searched online; nobody does so!
  • Want to discuss with all of you
  • - Why can't we just do so?