Abstract
Previous research in interdomain routing security has often focused on prefix hijacking. However, several prefix interception events have occurred recently, posing a new security challenge to the interdomain routing system. Compared to prefix hijacking, prefix interception is much harder to detect, because it avoids black-holing by forwarding the hijacked traffic back to the victim. In this paper, we present a novel method to detect prefix interception. Our approach exploits a key observation about prefix interception: during a prefix interception event, the attacker detours the intercepted traffic through its own network, which turns that network into a new important “transit point” for access to the victim. By collecting data plane information to detect the emerging “transit point” and using control plane information to verify it, our scheme can identify prefix interception in real time. The results of Internet experiments and Internet-scale simulations show that our method is accurate, with a low false alarm rate (0.28%) and false negative rate (2.26%).
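Summary
Innovations
(1) Comprehensively classifies prefix interception based on BGP route hijacking and builds a BGP prefix interception attack model.
(2) Analyzes BGP prefix interception events and extracts the key attack characteristics of BGP prefix interception.
(3) Studies the changes in AS in-degree and out-degree during prefix interception and proposes a distributed algorithm, based on the Pareto distribution, for detecting anomalous Upstart-ASes.
(4) Proposes a prefix interception detection algorithm that combines data plane probing with control plane monitoring.
(5) Verifies the accuracy of the detection algorithm through Internet experiments and large-scale simulations.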
Cite this article
Li, S., Duan, H., Wang, Z. et al. An accurate distributed scheme for detection of prefix interception. Sci. China Inf. Sci. 59, 052105 (2016). https://doi.org/10.1007/s11432-015-5490-8
DOI: https://doi.org/10.1007/s11432-015-5490-8