An early warning system for BGP hijacking attacks


1. Title slide
Network Architectures and Services, Georg Carle
Faculty of Informatics, Technische Universität München, Germany
An early warning system for BGP hijacking attacks
Supervisor: Prof. Dr.-Ing. Georg Carle
Advisor: Dipl. Inf. Johann Schlamp
Student: Patrick de Boer

2. What if?
- What if it is possible to hijack whole networks of any provider on the Internet?
- ... without so much as touching any of this provider's machines?
- ... from any place on earth?

3. BGP
- Networks = IP prefixes = bundles of IP addresses
  - Distributed by IANA -> RIR -> provider
- AS = Autonomous System
  - i.e. an upstream provider or a customer
  - ASes are assigned prefixes by RIRs / other providers
    - Letter of Authorization for the prefix
    - Forwarded to the upstream provider to prove ownership
- BGP (Border Gateway Protocol)
  - Responsible for routing of IP prefixes between ASes
  - NO means of verifying an AS's ownership of a prefix

4. BGP (diagram): AS Alice holds prefix A and sends an announcement for prefix A to Upstream A, which propagates it to the Internet.

5. BGP hijacking (diagram): AS Alice announces prefix A via Upstream A; AS Eve also announces prefix A via Upstream B. Both announcements reach the Internet.

6. BGP hijacking (diagram, continued from slide 5).

7. Detection methods
- Current means of detection
  - PHAS: passive, using global BGP updates
    - Compare the originating AS of a prefix announcement with previous announcers
    - Trigger an alarm if different
  - iSpy: active probing of reachability
    - Probe reachability of transit providers from each prefix
  - Topology scans
    - If two ASes announce the same prefix, compare the prefix topology (active hosts, host settings)

8. Known incidents
- YouTube vs Pakistan Telecom (2008)
  - Pakistan tried to block YouTube
  - Leaked BGP table to upstream providers
  - Provider didn't filter
  - YouTube not reachable for ~2h
- Malaysia vs Yahoo (2004)
- Turkey vs Internet (2004)
- Spammer vs Northrop Grumman (2003)
- Internap vs Link Telecom (2011)

9. AS hijacking (diagram): Eve forges a Letter of Authorization. Upstream A connects the real AS Alice with prefix A; Upstream B connects Eve, who appears as AS Alice with prefix A. Both upstreams announce prefix A to the Internet with the same origin AS.

10. Fake Letter of Authorization
- Critical: how to fake the Letter of Authorization?
  - The maintainer's e-mail address is referenced with the local RIR for the AS / prefix
  - The domain of the e-mail address expires
  - Re-registered by the attacker
  - The attacker fakes a Letter of Authorization and sends it to the upstream from the hijacked e-mail address

11. Detection methods
- Problems with current detection methods
  - PHAS: detects only MOAS (multiple-origin AS) conflicts. AS hijacking produces no MOAS
  - iSpy: needs to be installed locally by the provider
  - Topology scans: very expensive
- We analyzed the Link Telecom incident and derived criteria which render an AS vulnerable to this kind of attack
- Inferred an early warning system: PHEW
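The PHAS-style origin comparison of slide 7 and the gap noted on slide 11, as an added example that is not PHAS's or PHEW's code: `detect_moas` alarms only when a prefix gains a new origin AS, so the forged-LoA case, in which Alice's AS number itself appears behind a second upstream, passes it silently. `detect_new_upstream` is my own assumed complement, not a criterion from the slides. ASNs and prefixes are constructed documentation values (Alice = AS64496, Eve = AS64497, Upstream A = AS64500, Upstream B = AS64501).

```python
from collections import defaultdict

# Constructed BGP updates: (time, prefix, AS_PATH); the origin AS is the last path element.
UPDATES = [
    (1, "203.0.113.0/24", [64500, 64496]),   # Alice announces prefix A via Upstream A
    (2, "203.0.113.0/24", [64501, 64497]),   # Eve announces prefix A with her own ASN: MOAS
    (3, "198.51.100.0/24", [64500, 64496]),  # Alice announces prefix B via Upstream A
    (4, "198.51.100.0/24", [64501, 64496]),  # AS hijacking: Alice's ASN appears via Upstream B
]


def detect_moas(updates):
    """PHAS-style check: alarm when a prefix is announced by an origin AS
    that has not been seen for that prefix before."""
    origins = defaultdict(set)
    alarms = []
    for ts, prefix, path in updates:
        origin = path[-1]
        if origins[prefix] and origin not in origins[prefix]:
            alarms.append((ts, prefix, origin))
        origins[prefix].add(origin)
    return alarms


def detect_new_upstream(updates):
    """Assumed complement (not a PHEW criterion): alarm when an unchanged origin
    AS shows up behind an upstream neighbour not seen for it before. Legitimate
    multihoming changes trigger it too, so it is a hint to verify, not proof."""
    upstreams = defaultdict(set)
    alarms = []
    for ts, prefix, path in updates:
        if len(path) < 2:
            continue
        origin, upstream = path[-1], path[-2]
        if upstreams[origin] and upstream not in upstreams[origin]:
            alarms.append((ts, prefix, origin, upstream))
        upstreams[origin].add(upstream)
    return alarms


if __name__ == "__main__":
    print("MOAS alarms:", detect_moas(UPDATES))                  # only the classic hijack at t=2
    print("new-upstream alarms:", detect_new_upstream(UPDATES))  # only the AS hijacking at t=4
```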

12. PHEW
- Prefix Hijacking Early Warning
- Front-end is a simple web interface that grades each AS according to the criteria found
- Back-end is an easily extendable risk-assessment framework
- Data updated once a day
- Risk assessment performed once a day
- Web interface publicly accessible: phew.net.in.tum.de

13. PHEW's Risk Assessment Cycle
- Every step adds +1 to the score

14. PHEW's Risk Assessment Cycle (diagram): the cycle consists of five steps
- Find the AS's domains
- Associate unannounced prefixes to the AS
- ISP's domain is going to expire
- Check reverse DNS
- Check for changes in network topology

15. PHEW's Risk Assessment Cycle (diagram with data sources)
- Find the AS's domains: RIR DB (mnt-by, notify, changed)
- Associate unannounced prefixes to the AS: RIR DB (route, inetnum), RouteViews data
- ISP's domain is going to expire: RIR DB (changed), WHOIS (ExpiryDate)
- Check reverse DNS: RIR DB (domain)
- Check for changes in network topology: interface to active verification methods, EURECOM
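The five steps of the risk assessment cycle as a scoring function, added here as an example and not PHEW's own code. The slides name only the steps and their data sources; the `ASRecord` layout, the 30-day horizon for "going to expire", and the sample record are my assumptions, and all values are constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class ASRecord:
    asn: int
    contact_emails: list     # addresses from RIR DB mnt-by / notify / changed attributes
    rir_prefixes: set        # prefixes from RIR DB route / inetnum objects
    announced_prefixes: set  # prefixes seen originated by this AS in RouteViews data
    domain_expiry: dict      # domain -> WHOIS ExpiryDate
    rdns_domains: set        # RIR DB domain (reverse delegation) objects for the AS's prefixes
    topology_changed: bool   # result from the active verification interface


def as_domains(rec):
    """Step 1: the AS's domains, taken from the maintainer contact addresses."""
    return {addr.rsplit("@", 1)[1].lower() for addr in rec.contact_emails if "@" in addr}


def unannounced_prefixes(rec):
    """Step 2: prefixes registered to the AS but not visible in BGP."""
    return rec.rir_prefixes - rec.announced_prefixes


def expiring_domains(rec, today, horizon_days=30):
    """Step 3: the AS's domains whose WHOIS expiry falls within the (assumed) horizon."""
    return {d for d in as_domains(rec)
            if d in rec.domain_expiry and 0 <= (rec.domain_expiry[d] - today).days <= horizon_days}


def assess(rec, today):
    """Every step that applies adds +1; the maximum score is 5."""
    steps = {
        "domains_found": bool(as_domains(rec)),
        "unannounced_prefixes": bool(unannounced_prefixes(rec)),
        "domain_expiring": bool(expiring_domains(rec, today)),
        "rdns_set_up": bool(rec.rdns_domains),
        "topology_changed": rec.topology_changed,
    }
    return sum(steps.values()), steps


# Constructed record of an AS that shows every warning sign; ASN and prefixes are documentation values.
TODAY = date(2012, 8, 20)
HIGH_RISK = ASRecord(
    asn=64496,
    contact_emails=["noc@example-isp.test", "hostmaster@example-isp.test"],
    rir_prefixes={"203.0.113.0/24", "198.51.100.0/24"},
    announced_prefixes={"203.0.113.0/24"},
    domain_expiry={"example-isp.test": date(2012, 9, 10)},
    rdns_domains={"100.51.198.in-addr.arpa"},
    topology_changed=True,
)
```

`assess(HIGH_RISK, TODAY)` returns the maximum score 5 together with the per-step breakdown; an AS that announces all its registered prefixes and has no expiring domain scores lower on the same record layout.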

16. Evaluation
- Out of 48,390 AS numbers in total, 24,695 are mentioned in the RIPE DB
- Domain mapping
  - ~65% of domains map to only 1 AS
  - ~55% of ASes map to only 1 domain
  - 6670 AS-domain pairs (AS -> 1 domain -> 1 AS)
  - 1128 of them have unannounced prefixes
- ~30 domains expire per day
- ~20% of distributed prefixes are currently unannounced
- ~5% reach score 4, <1% reach the highest score 5

17. Evaluation
- Comteks.biz: suspicious behavior after domain expiry on 30.08.2012
  - Previously unannounced prefixes were advertised just after expiry
  - No evidence of spamming though
- Cyborg.pro: abandoned domain, watch closely in future
  - Has unannounced prefixes
  - rDNS is set up (eases spamming)
  - No spamming history

18. Future work
- Domain mapping can be used to infer clusters of ASes (Accenture has 7 AS numbers)
- Clusters could be used to map prefixes to ASes
- Connect active confirmation methods
- Add more early warning criteria
- Promote usage; maybe send a notification on domain expiry

19. Thank you. Check it out: phew.net.in.tum.de
