a study of prefix hijacking and interception in the
play

A Study of Prefix Hijacking and Interception in the internet - PowerPoint PPT Presentation

Mar 19, 2023 •474 likes •873 views

A Study of Prefix Hijacking and Interception in the internet Hitesh Ballani, Paul Francis, Xinyang Zhang Presented by: Tony Z.C Huang, Adapted from slides by Hitesh Ballani Prefix Hijacking/ Interception Internet AS CIA AS U Owning

  1. A Study of Prefix Hijacking and Interception in the internet Hitesh Ballani, Paul Francis, Xinyang Zhang Presented by: Tony Z.C Huang, Adapted from slides by Hitesh Ballani

  2. Prefix Hijacking/ Interception Internet AS ¡CIA AS ¡U Owning Prefix p

  3. Prefix Hijacking/ Interception Internet AS ¡CIA AS ¡U Owning Prefix p

  4. Prefix Hijacking/ Interception Internet AS ¡CIA AS ¡U Owning Prefix p

  5. Prefix Hijacking/ Interception • Prefix ¡Hijacking:AS ¡CIA ¡ adver8ses ¡a ¡prefix ¡ Internet owned ¡by ¡AS ¡U. • Creates ¡a ¡black-­‑ hole ¡in ¡the ¡internet AS ¡CIA AS ¡U Owning Prefix p

  6. Prefix Hijacking/ Interception • Prefix ¡Hijacking:AS ¡CIA ¡ adver8ses ¡a ¡prefix ¡ Internet owned ¡by ¡AS ¡U. • Creates ¡a ¡black-­‑ hole ¡in ¡the ¡internet AS ¡CIA AS ¡U Owning Prefix p

  7. Prefix Hijacking/ Interception • Prefix ¡Hijacking:AS ¡CIA ¡ adver8ses ¡a ¡prefix ¡ Internet owned ¡by ¡AS ¡U. • Creates ¡a ¡black-­‑ You can route to hole ¡in ¡the ¡internet AS U through me AS ¡CIA AS ¡U Owning Prefix p

  8. Prefix Hijacking/ Interception • Prefix ¡Hijacking:AS ¡CIA ¡ adver8ses ¡a ¡prefix ¡ Internet owned ¡by ¡AS ¡U. • Creates ¡a ¡black-­‑ You can route to hole ¡in ¡the ¡internet AS U through me AS ¡CIA AS ¡U Owning Prefix p

  9. Prefix Hijacking/ Interception • Prefix ¡Hijacking:AS ¡CIA ¡ adver8ses ¡a ¡prefix ¡ Internet owned ¡by ¡AS ¡U. • Creates ¡a ¡black-­‑ You can route to hole ¡in ¡the ¡internet AS U through me AS ¡CIA AS ¡U Owning Prefix p

  10. Prefix Hijacking/ Interception • Prefix ¡Hijacking:AS ¡CIA ¡ adver8ses ¡a ¡prefix ¡ Internet owned ¡by ¡AS ¡U. • Creates ¡a ¡black-­‑ You can route to hole ¡in ¡the ¡internet AS U through me AS ¡CIA • Prefix ¡Intercep8on:AS ¡ AS ¡U CIA ¡routes ¡the ¡ intercepted ¡traffic ¡back ¡ Owning Prefix p to ¡AS ¡U • AS ¡U ¡would ¡not ¡find ¡ out ¡the ¡traffic ¡has ¡ been ¡intercepted.

  11. Prefix Hijacking/ Interception • Prefix ¡Hijacking:AS ¡CIA ¡ adver8ses ¡a ¡prefix ¡ Internet owned ¡by ¡AS ¡U. • Creates ¡a ¡black-­‑ You can route to hole ¡in ¡the ¡internet AS U through me AS ¡CIA • Prefix ¡Intercep8on:AS ¡ AS ¡U CIA ¡routes ¡the ¡ intercepted ¡traffic ¡back ¡ Owning Prefix p to ¡AS ¡U • AS ¡U ¡would ¡not ¡find ¡ out ¡the ¡traffic ¡has ¡ been ¡intercepted.

  12. Focus of the paper • 1) Analyze the probability of traffic hijacking/ Interception. • 2) Use routing tables from Route-Views, estimate the actual probability that an AS can hijack/ intercept traffics from other ASes. • 3) Implement interception methodology and intercept real traffic. • 4) Try to detect actual interception in the internet.

  13. Hijacking Analysis owner of prefix p AS-PATH = [... , CIA] AS-PATH = [... A] AS ¡al-­‑ AS ¡CIA Qaeda AS ¡C AS ¡B AS ¡Z AS ¡U AS- AS-PATH AS-PATH PATH = = [Z, ... = [C, [B, ... ,A] CIA] B, ... ,A] • Question: Can CIA hijacks prefix p’s traffic from AS al-Qaeda? • AS U Needs to choose between two routes • Valid routes: AS-Path = [C,B,... A], length = n; • Invalid routes: AS-Path = [Z, ... CIA], length = i; • Assumption: AS U has typical policies: • customer routes > peer routes > provider routes

  14. owner of prefix p AS-PATH = [... , CIA] AS-PATH = [... A] AS ¡al-­‑ AS ¡CIA Daeda AS ¡C AS ¡B AS ¡Z AS ¡U AS- AS-PATH AS-PATH PATH = = [Z, ... = [B, [B, ... ,A] CIA] C, ... ,A] Length Customer Peer Provider i<n X X X Customer Customer Customer i=n -- X X i>n Y X X i<n Y X X Peer Peer Peer i=n Y -- X i>n Y Y X i<n Y Y X Provider Provider Provider i=n Y Y -- i>n Y Y Y • X: The traffic can not be hijacked. • Y: The traffic can be hijacked.

  15. Discussion

  16. Discussion • Better way to hijack the traffic?

  17. Discussion • Better way to hijack the traffic? • Yes, by announcing a more specific prefix.

  18. Discussion • Better way to hijack the traffic? • Yes, by announcing a more specific prefix. • But in practice, BGP filter out prefixes more specific than /24. So analysis in this paper is still useful.

  19. Interception Analysis owner of prefix p AS ¡al-­‑ AS ¡CIA Qaeda AS ¡C AS ¡B AS ¡Z AS ¡U • The problem is routing the traffic back to the original As. • The problem is, if AS CIA’s existing routes also switches to the invalid routes, then AS CIA can not route the traffic back to AS al-Qaeda. • Safety Condition: AS CIA should have a valid route for prefix p during the Interception.

  20. Interception Analysis owner of prefix p AS ¡al-­‑ AS ¡CIA Qaeda AS ¡C AS ¡B AS ¡Z AS ¡U Some ¡Ases... • The problem is routing the traffic back to the original As. • The problem is, if AS CIA’s existing routes also switches to the invalid routes, then AS CIA can not route the traffic back to AS al-Qaeda. • Safety Condition: AS CIA should have a valid route for prefix p during the Interception.

  21. Interception Analysis • Two assumptions • customer routes > peer routes > provider routes • “Valley-free” property i.e, after traversing a provider-to- customer edge or a peer edge, the path cannot traverse another customer-to- prover or peer edge.

  22. Interception Analysis • Case 1, AS CIA’s AS ¡CIA current route is a Customer-to-Provider edge customer routes. Peer edge Namely, AS al- Qaeda is a customer of AS- AS ¡Z CIA. • Conclusion: AS- CIA can advertise the invalid route AS ¡al-­‑ to all its Qaeda neighbors, and still satisfies the safety condition.

  23. Interception Analysis • Case 1, AS CIA’s AS ¡CIA current route is a Customer-to-Provider edge customer routes. Peer edge Namely, AS al- Qaeda is a customer of AS- AS ¡Z CIA. • Conclusion: AS- CIA can advertise the invalid route AS ¡al-­‑ to all its Qaeda neighbors, and still satisfies the safety condition.

  24. Interception Analysis • Customer-to-Provider edge Case II, AS CIA’s Peer edge current route is a peer routes. Namely, AS al- AS ¡CIA AS ¡Z Qaeda is a peer of AS-CIA. • Conclusion: Similar to Case I, AS CIA can AS ¡Z1 propagate to any of the ASes along the path without violating the safety AS ¡al-­‑ condition. Qaeda

  25. Interception Analysis • Customer-to-Provider edge Case II, AS CIA’s Peer edge current route is a peer routes. Namely, AS al- AS ¡CIA AS ¡Z Qaeda is a peer of AS-CIA. • Conclusion: Similar to Case I, AS CIA can AS ¡Z1 propagate to any of the ASes along the path without violating the safety AS ¡al-­‑ condition. Qaeda

  26. Interception Analysis • Customer-to-Provider edge Case III, AS AS ¡Z1 AS ¡Z Peer edge CIA’s current route is a provider AS ¡CIA routes. AS ¡Z2 • Conclusion: AS CIA can only advertises the path to its AS ¡al-­‑ Qaeda customer and peers, but not to its provider.

  27. Interception Analysis • Customer-to-Provider edge Case III, AS AS ¡Z1 AS ¡Z Peer edge CIA’s current route is a provider AS ¡CIA routes. AS ¡Z2 • Conclusion: AS CIA can only advertises the path to its AS ¡al-­‑ Qaeda customer and peers, but not to its provider.

  28. Hijacking/Interception Estimate • Analysis results applied to Route-Views ASes • Route-view repository comprised of 34 ASes (RV- Set) • 7 tier-1 ASes, 19 tier-2, 8 others. • Parameter of Interest • Probability of Hijacking: Fraction of ASes whose traffic is hijacked by the hijacking AS, averaged across all ASes and all prefixes. • Probability of Interception is defined similarly.

  29. 100 100 Hijacking (LB) Hijacking (LB) Hijacking (UB) Hijacking (UB) Interception (LB) Interception (LB) 80 80 Interception (UB) Interception (UB) Probability (%) Probability (%) 60 60 40 40 20 20 0 0 All All T-1 T-1 T-2 T-2 T>=3 T>=3 Type of Intercepting AS Type of Intercepting AS

  30. 100 100 Hijacking (LB) Hijacking (LB) Hijacking (UB) Hijacking (UB) Interception (LB) Interception (LB) 80 80 Interception (UB) Interception (UB) Probability (%) Probability (%) 60 60 40 40 20 20 0 0 All All T-1 T-1 T-2 T-2 T>=3 T>=3 Type of Intercepting AS Type of Intercepting AS • Probability of hijacking ~ 40-60% • Probability of interception ~ 30-50%

  31. 100 100 Hijacking (LB) Hijacking (LB) Hijacking (UB) Hijacking (UB) Interception (LB) Interception (LB) 80 80 Interception (UB) Interception (UB) Probability (%) Probability (%) 60 60 40 40 20 20 0 0 All All T-1 T-1 T-2 T-2 T>=3 T>=3 Type of Intercepting AS Type of Intercepting AS • Probability of hijacking for tier-1 ISPs ~ 50-80% • Probability of interception for tier-1 ISPs ~ 50-80%

Recommend

Short-Lived Prefix Hijacking on the Internet Peter Boothe 1 James Hiebert 1 Randy Bush 2 1 { peter

Short-Lived Prefix Hijacking on the Internet Peter Boothe 1 James Hiebert 1 Randy Bush 2 1 { peter

Outline Problem Characterization Methodology Results Conclusion Short-Lived Prefix Hijacking on the Internet Peter Boothe 1 James Hiebert 1 Randy Bush 2 1 { peter , jamesmh } @ cs . uoregon . edu Computer Science/Computing Center University

450 views • 18 slides
This week, we are going to look again at another prefix. What is a prefix? Click on the right

This week, we are going to look again at another prefix. What is a prefix? Click on the right

This week, we are going to look again at another prefix. What is a prefix? Click on the right answer. A prefix is a word or A prefix is a group group of words that A prefix is a group of letters that goes comes at the start of of letters

462 views • 21 slides
Lawful Interception in German VoIP-Networks 22C3, Berlin Hendrik Scholz hscholz@raisdorf.net

Lawful Interception in German VoIP-Networks 22C3, Berlin Hendrik Scholz hscholz@raisdorf.net

Lawful Interception in German VoIP-Networks 22C3, Berlin Hendrik Scholz hscholz@raisdorf.net http://www.wormulon.net/ Agenda What is Lawful Interception (LI)? Terms, Laws Lawful Interception in PSTN networks Lawful Interception

658 views • 27 slides
This week, we are going to look at another prefix. What is a prefix? Choose the right answer. A

This week, we are going to look at another prefix. What is a prefix? Choose the right answer. A

This week, we are going to look at another prefix. What is a prefix? Choose the right answer. A prefix is a word or A prefix is a group group of words that A prefix is a group of letters that goes comes at the start of of letters that goes

317 views • 21 slides
.NET HIJACKING to DEFEND POWERSHELL AMANDA ROUSSEAU CanSecWest 2017 | .NET Hijacking to Defend

.NET HIJACKING to DEFEND POWERSHELL AMANDA ROUSSEAU CanSecWest 2017 | .NET Hijacking to Defend

1 .NET HIJACKING to DEFEND POWERSHELL AMANDA ROUSSEAU CanSecWest 2017 | .NET Hijacking to Defend PowerShell 2 MALWARE UNICORN Senior or Malware Researcher @ Endgame, Inc. Wo Works s as s a a Mal alware are Re Researc archer r at at

1.04k views • 47 slides
Generic Library Interception Generic Library Interception for Improved Performance Measurement

Generic Library Interception Generic Library Interception for Improved Performance Measurement

Generic Library Interception Generic Library Interception for Improved Performance Measurement for Improved Performance Measurement and Insight and Insight Ronny Brendel, Bert Wesarg, Ronny Tschter, Matthias Weber, Thomas Ilsche, Sebastian

419 views • 13 slides
Parallel prefix adders Kostas Vitoroulis, 2006. Presented to Dr. A. J. Al-Khalili. Concordia

Parallel prefix adders Kostas Vitoroulis, 2006. Presented to Dr. A. J. Al-Khalili. Concordia

Parallel prefix adders Kostas Vitoroulis, 2006. Presented to Dr. A. J. Al-Khalili. Concordia University. Overview of presentation Parallel prefix operations Binary addition as a parallel prefix operation Prefix graphs Adder

764 views • 35 slides
JSON hijacking For the modern web About me Im a researcher at PortSwigger I love

JSON hijacking For the modern web About me Im a researcher at PortSwigger I love

JSON hijacking For the modern web About me Im a researcher at PortSwigger I love hacking JavaScript let : let { let :[x=1]}=[alert(1)] I love breaking browsers @garethheyes History of JSON hijacking Array constructor attack

630 views • 44 slides
IP Prefix Advertisement in EVPN draft-rabadan-l2vpn-evpn-prefix-advertisement-01 Jorge Rabadan

IP Prefix Advertisement in EVPN draft-rabadan-l2vpn-evpn-prefix-advertisement-01 Jorge Rabadan

IP Prefix Advertisement in EVPN draft-rabadan-l2vpn-evpn-prefix-advertisement-01 Jorge Rabadan Wim Hendericks Florin Balus Senad Palislamovic Aldrin Isaac IETF 88, November 2013 Vancouver, Canada The prefix-advertisement route (route-type

244 views • 8 slides
Recap: Prefix Sums Given A : set of n integers Find B : prefix sums A: 3 1 1 7 2 5

Recap: Prefix Sums Given A : set of n integers Find B : prefix sums A: 3 1 1 7 2 5

Recap: Prefix Sums Given A : set of n integers Find B : prefix sums A: 3 1 1 7 2 5 9 2 4 3 3 B: 3 4 5 12 14 19 28 30 34 37 40 1 / 86 Recap: Parallel Prefix Sums Recursive algorithm Recursively computes sums Use

3.11k views • 86 slides
Demo: BGP Path Hijacking Vimal Stanford University August 18

Demo: BGP Path Hijacking Vimal Stanford University August 18

Demo: BGP Path Hijacking Vimal Stanford University August 18 th 2014 Goals of the Assignment Understand how BGP path hijacking aGacks might happen in

322 views • 11 slides
TRAINING PROGRAMME Lawful Interception &amp; Data Retention ETSI/TC LI Lawful Interception

TRAINING PROGRAMME Lawful Interception &amp; Data Retention ETSI/TC LI Lawful Interception

Statements on Standardisation (handover interface) Without standardisation each Service Provider can define its own mechanism / format for the delivery of the data (LI and/or DR) to the Monitoring Facility Without standardisation the

684 views • 57 slides
SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of

SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of

The SHA-1 Hash Function Chosen-prefix Collisions Our Results Conclusion Extra Materials SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust Ga etan Leurent (INRIA - France) Thomas Peyrin (NTU

650 views • 29 slides
Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2

Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2

Practical Aspects of Security Prof. Michael Backes Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2 Control hijacking attacks Attackers goal: Take over target machine (e.g. web server)

921 views • 57 slides
Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild Elie Bursztein, Borbala

Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild Elie Bursztein, Borbala

Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild Elie Bursztein, Borbala Benko, Daniel Margolis, Tadek Pietraszek Andy Archer, Allan Aquino, Andreas Pitsillidis (UCSD), Stefan Savage (UCSD) Hijacking is a pervasive problem

318 views • 27 slides
Articulus Detecting IP Hijacking Through Server Fingerprinting Research Question How can we

Articulus Detecting IP Hijacking Through Server Fingerprinting Research Question How can we

Articulus Detecting IP Hijacking Through Server Fingerprinting Research Question How can we detect BGP IP hijacking by probing the at risk subnets to detect suspect change to hosts and subnets. 2 Intro Fingerprinting Avoiding

795 views • 31 slides
Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route

Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route

Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route Hijacking~ Mar 1 2007 in APRICOT 2007 NTT Communications Corp. Taka Mizuguchi Tomoya Yoshida What s BGP Route Hijacking? s BGP Route

583 views • 40 slides
and Transitive Trust Jeff Jarmoc Sr. Security Researcher Dell SecureWorks About this talk

and Transitive Trust Jeff Jarmoc Sr. Security Researcher Dell SecureWorks About this talk

SSL Interception Proxies and Transitive Trust Jeff Jarmoc Sr. Security Researcher Dell SecureWorks About this talk History &amp; brief overview of SSL/TLS Interception proxies How and Why Risks introduced by interception

744 views • 36 slides
Finding good prefix networks using Haskell Mary Sheeran (Chalmers) 1 Prefix Given inputs x1,

Finding good prefix networks using Haskell Mary Sheeran (Chalmers) 1 Prefix Given inputs x1,

Finding good prefix networks using Haskell Mary Sheeran (Chalmers) 1 Prefix Given inputs x1, x2, x3 xn Compute x1, x1*x2, x1*x2*x3, , x1*x2** xn where * is an arbitrary associative (but not necessarily commutative)

745 views • 39 slides
THE BLACK ART OF BINARY HIJACKING HIJACKING Agenda Agenda Agenda Agenda 2 2 Overview of

THE BLACK ART OF BINARY HIJACKING HIJACKING Agenda Agenda Agenda Agenda 2 2 Overview of

Principal Consultant Nick Harbour nick.harbour@mandiant.com ick.harbour@mandiant.com @ THE BLACK ART OF BINARY HIJACKING HIJACKING Agenda Agenda Agenda Agenda 2 2 Overview of Persistence Techniques Overview of Persistence

153 views • 14 slides
Parallel Computation Patterns Scan (Prefix Sum) Objective To master parallel scan (prefix

Parallel Computation Patterns Scan (Prefix Sum) Objective To master parallel scan (prefix

Lecture Lecture 4.4 4.4 Parallel Computation Patterns Scan (Prefix Sum) Objective To master parallel scan (prefix sum) algorithms frequently used for parallel work assignment and resource allocation A key primitive in many

498 views • 10 slides
The Security Impact of HTTPS Interception NDSS 17 Z. Durumeric, Z. Ma, D. Springall, R.

The Security Impact of HTTPS Interception NDSS 17 Z. Durumeric, Z. Ma, D. Springall, R.

The Security Impact of HTTPS Interception NDSS 17 Z. Durumeric, Z. Ma, D. Springall, R. Barnes, N. Sullivan, E. Bursztein, M. Bailey, J. Alex Halderman, V. Paxson ! G R S N Presented by: Sanjeev Reddy o g Some Background How to TLS

696 views • 37 slides
ETSI &amp; Lawful Interception of IP ETSI &amp; Lawful Interception of IP Traffic Traffic Jaya

ETSI &amp; Lawful Interception of IP ETSI &amp; Lawful Interception of IP Traffic Traffic Jaya

ETSI &amp; Lawful Interception of IP ETSI &amp; Lawful Interception of IP Traffic Traffic Jaya Baloo RIPE 48 Jaya Baloo RIPE 48 May 3 Amsterdam, The May 3 Amsterdam, The Netherlands Netherlands Contents Contents Introduction to

1.08k views • 41 slides
Detecting inconsistencies in INRDB data to identify MOAS cases and possible illegitimate Internet

Detecting inconsistencies in INRDB data to identify MOAS cases and possible illegitimate Internet

Problem: Prefix/ASN Hijacking Research RIPE NCC Data Sources The algorithm: constructing unique trees Results Comments Detecting inconsistencies in INRDB data to identify MOAS cases and possible illegitimate Internet resource usage Peter

702 views • 16 slides

More recommend