An early warning system for BGP hijacking attacks
Network Architectures and Services (Georg Carle), Faculty of Informatics, Technische Universität München, Germany
Supervisor: Prof. Dr.-Ing. Georg Carle
Advisor: Dipl.-Inf. Johann Schlamp
Student: Patrick de Boer
What if?
What if ...
... it were possible to hijack whole networks of any Internet provider?
... without so much as touching any of that provider's machines?
... from any place on earth?
BGP
Networks = IP prefixes = bundles of IP addresses, distributed by IANA -> RIR -> provider
AS = Autonomous System, i.e. an upstream provider or a customer; ASes are assigned prefixes by RIRs or by other providers
• Letter of Authorization for a prefix
• Forwarded to the upstream provider to prove ownership
BGP (Border Gateway Protocol) is responsible for routing IP prefixes between ASes
NO measures for verifying that an AS actually owns the prefixes it announces: the upstream relies on the Letter of Authorization
BGP
[Figure: AS Alice, holder of prefix A, sends an announcement for prefix A to Upstream A, which propagates it to the Internet]
BGP hijacking
[Figure: AS Alice announces prefix A via Upstream A; AS Eve also announces prefix A via Upstream B; both announcements reach the Internet]
Detection methods
Current means of detection
PHAS: passive, using global BGP updates
• Compare the originating AS of a prefix announcement with its previous announcers
• Trigger an alarm if it differs
iSpy: active probing of reachability
• Probe the reachability of transit providers from each prefix
Topology scans
• If two ASes announce the same prefix, compare the prefix topology: active hosts, host settings
Known incidents
YouTube vs Pakistan Telecom (2008)
• Pakistan tried to block YouTube
• Leaked the BGP route to its upstream providers
• Provider didn't filter
• YouTube not reachable for ~2h
Malaysia vs Yahoo (2004)
Turkey vs Internet (2004)
Spammer vs Northrop Grumman (2003)
Internap vs Link Telecom (2011)
AS hijacking
[Figure: Eve forges a Letter of Authorization and announces prefix A via Upstream B under Alice's AS number; both Upstream A and Upstream B now see "AS Alice" originating prefix A]
Fake Letter of Authorization
Critical: how to fake the Letter of Authorization?
• The maintainer's e-mail address is referenced in the local RIR database for the AS / prefix
• The domain of that e-mail address expires
• It is re-registered by the attacker
• The attacker fakes a Letter of Authorization and sends it to the upstream from the hijacked e-mail address
Detection methods
Problems with current detection methods
PHAS: detects only MOAS (multiple origin AS) conflicts; an AS hijack announces the prefix under the legitimate AS number, so no MOAS occurs
iSpy: needs to be installed locally by the provider
Topology scans: very expensive
We analyzed the Link Telecom incident and derived criteria which render an AS vulnerable to this kind of attack
From these criteria we built an early warning system: PHEW
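To make the PHAS limitation on the two preceding slides concrete, here is a toy origin-AS monitor of the kind PHAS describes, run over a handful of constructed BGP updates. This is an added illustration, not PHAS code and not part of the original slides; the ASNs (private range), prefixes (documentation space) and timestamps are made up. The feed contains both a classic prefix hijack (Eve originates Alice's prefix from her own ASN) and an AS hijack (Eve originates Alice's prefix from Alice's ASN via a different upstream); only the first produces a MOAS alarm.

```python
from collections import defaultdict

# Constructed sample updates: (timestamp, prefix, AS path as seen at a
# collector). The last ASN in the path is the origin. Private ASNs and
# documentation prefixes; none of this is real routing data.
UPDATES = [
    ("2012-08-29T10:00", "203.0.113.0/24",  [64601, 64501]),  # Alice (AS64501) via Upstream A (AS64601)
    ("2012-08-29T10:05", "198.51.100.0/24", [64601, 64501]),  # Alice's second prefix
    ("2012-08-29T11:00", "203.0.113.0/24",  [64602, 64666]),  # Eve (AS64666) via Upstream B: prefix hijack
    ("2012-08-30T09:00", "198.51.100.0/24", [64602, 64501]),  # Eve announcing *as* AS64501 via Upstream B: AS hijack
]


class OriginMonitor:
    """Remember every origin AS seen per prefix and flag new ones (MOAS)."""

    def __init__(self):
        self.origins = defaultdict(set)  # prefix -> {origin ASNs seen so far}

    def feed(self, ts, prefix, as_path):
        """Process one update; return an alarm tuple or None."""
        origin = as_path[-1]
        known = self.origins[prefix]
        alarm = None
        if known and origin not in known:
            alarm = (ts, prefix, sorted(known), origin)
        known.add(origin)
        return alarm


def run(updates):
    """Feed all updates in order and collect the alarms raised."""
    monitor = OriginMonitor()
    alarms = []
    for ts, prefix, path in updates:
        alarm = monitor.feed(ts, prefix, path)
        if alarm:
            alarms.append(alarm)
    return alarms


if __name__ == "__main__":
    for ts, prefix, known, new in run(UPDATES):
        print(f"{ts} MOAS on {prefix}: known origins {known}, new origin AS{new}")
    # Only the 203.0.113.0/24 announcement by AS64666 is reported. The
    # 198.51.100.0/24 update from Upstream B carries Alice's own ASN, so
    # the origin comparison sees nothing new: the AS hijack is invisible.
```

The AS-hijack update differs from Alice's own only in the upstream that carried it; an origin-only comparison throws that information away, which is why the slides look for warning signs in registry data instead of in the update stream.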
PHEW: Prefix Hijacking Early Warning
Front-end: a simple web interface that grades each AS according to the criteria found
Back-end: an easily extendable risk-assessment framework
Data updated once a day
Risk assessment performed once a day
Web interface publicly accessible: phew.net.in.tum.de
PHEW's Risk Assessment Cycle
Every step adds +1 to the score
Find the AS's domains
- RIR DB (mnt-by, notify, changed)
Associate unannounced prefixes with the AS
- RIR DB (mnt-by, route, inetnum)
- RouteViews data
ISP's domain is going to expire
- RIR DB (changed)
- WHOIS (ExpiryDate)
Check reverse DNS
- RIR DB (domain)
Check for changes in network topology
- Interface to active verification methods
- EURECOM
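The five-step cycle above, carried out over constructed sample data. This is an added example and not PHEW's own code: the RIR DB objects, table dumps, WHOIS expiry dates, domains and ASNs are all made up, the 30-day expiry window is an assumption, and the last step (which PHEW delegates to active verification) is approximated here by checking whether a prefix that was unannounced yesterday is advertised today, the pattern the slides report for the expired domain.

```python
import re
from datetime import date, timedelta

# Constructed sample data (assumption: a heavily simplified stand-in for
# RIR DB objects, a RouteViews-style table dump and WHOIS). Private ASNs,
# documentation prefixes, made-up domains; nothing here is real.
AUT_NUM = {  # contact fields of aut-num objects
    64501: {"mnt-by": "MAINT-EXAMPLE", "notify": "noc@example-isp.test",
            "changed": "admin@example-isp.test 20120101"},
    64502: {"mnt-by": "MAINT-SOLID", "notify": "hostmaster@solid-net.test",
            "changed": "hostmaster@solid-net.test 20120301"},
    64503: {"mnt-by": "MAINT-NOMAIL"},  # no e-mail address on record
}
ROUTE = {  # prefixes registered to each AS via route/inetnum objects
    64501: ["203.0.113.0/24", "198.51.100.0/24"],
    64502: ["192.0.2.0/24"],
    64503: [],
}
RDNS_DOMAINS = {  # reverse-DNS domain objects present in the RIR DB
    "113.0.203.in-addr.arpa", "100.51.198.in-addr.arpa", "2.0.192.in-addr.arpa",
}
WHOIS_EXPIRY = {"example-isp.test": date(2012, 8, 30),
                "solid-net.test": date(2015, 1, 1)}
# Announced prefixes in two successive daily table dumps.
TABLE_YESTERDAY = {"203.0.113.0/24", "192.0.2.0/24"}
TABLE_TODAY = {"203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24"}

EMAIL_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")


def domains_of_as(asn):
    """Step 1: e-mail domains found in the AS's mnt-by/notify/changed fields."""
    fields = AUT_NUM.get(asn, {})
    return {d.lower() for v in fields.values() for d in EMAIL_DOMAIN.findall(v)}


def reverse_zone(prefix):
    """in-addr.arpa zone of a /24 (assumption: the sample holds /24s only)."""
    a, b, c, _ = prefix.split("/")[0].split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"


def risk_score(asn, today, previous_table, current_table,
               window=timedelta(days=30)):
    """Apply the five criteria; each one that holds adds +1 (maximum 5).

    Returns (score, reasons). The 30-day window and the use of yesterday's
    table as the watch list are assumptions of this example, not PHEW's.
    """
    score, reasons = 0, []

    domains = domains_of_as(asn)                                   # step 1
    if domains:
        score += 1
        reasons.append(f"contact domains: {sorted(domains)}")

    watched = [p for p in ROUTE.get(asn, []) if p not in previous_table]  # step 2
    if watched:
        score += 1
        reasons.append(f"registered but unannounced: {watched}")

    expiring = sorted(d for d in domains                           # step 3
                      if d in WHOIS_EXPIRY and WHOIS_EXPIRY[d] <= today + window)
    if expiring:
        score += 1
        reasons.append(f"domain expired or expiring soon: {expiring}")

    with_rdns = [p for p in watched if reverse_zone(p) in RDNS_DOMAINS]  # step 4
    if with_rdns:
        score += 1
        reasons.append(f"unannounced prefixes with reverse DNS: {with_rdns}")

    # Step 5 stands in for the active topology check: a watched prefix
    # that shows up in today's table is a change worth investigating.
    newly_announced = [p for p in watched if p in current_table]
    if newly_announced:
        score += 1
        reasons.append(f"previously unannounced, now advertised: {newly_announced}")

    return score, reasons


def assess_all(today=date(2012, 9, 1)):
    """Score every AS in the sample against yesterday's and today's table."""
    return {asn: risk_score(asn, today, TABLE_YESTERDAY, TABLE_TODAY)[0]
            for asn in AUT_NUM}


if __name__ == "__main__":
    for asn in sorted(AUT_NUM):
        score, reasons = risk_score(asn, date(2012, 9, 1), TABLE_YESTERDAY, TABLE_TODAY)
        print(f"AS{asn}: score {score}")
        for r in reasons:
            print("   ", r)
```

In the sample, AS64501 hits all five criteria (contact domain just expired, a registered prefix that was unannounced and has reverse DNS set up, and that prefix appearing in today's table), AS64502 scores only the unavoidable 1 for having a contact domain at all, and AS64503 scores 0 because no e-mail address can be extracted from its records, so none of the domain-based checks can even start.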
Evaluation
Out of 48,390 AS numbers in total, 24,695 are mentioned in the RIPE DB
Domain mapping
• ~65% of domains map to only 1 AS
• ~55% of ASes map to only 1 domain
• 6,670 AS-domain pairs (AS -> 1 domain -> 1 AS)
• 1,128 of them have unannounced prefixes
~30 domains expire per day
~20% of distributed prefixes are currently unannounced
~5% reach score 4, <1% reach the highest score, 5
Evaluation
Comteks.biz: suspicious behavior after domain expiry on 30.08.2012
• Previously unannounced prefixes were advertised just after expiry
• No evidence of spamming, though
Cyborg.pro: abandoned domain, watch closely in future
• Has unannounced prefixes
• rDNS is set up (eases spamming)
• No spamming history
Future work
Domain mapping can be used to infer clusters of ASes (Accenture has 7 AS numbers)
Clusters could be used to map prefixes to ASes
Connect active confirmation methods
Add more early warning criteria
Promote usage; maybe send a notification on domain expiry
Thank you
Check it out: phew.net.in.tum.de