short lived prefix hijacking on the internet
play

Short-Lived Prefix Hijacking on the Internet Peter Boothe 1 James - PowerPoint PPT Presentation

Aug 27, 2022 •257 likes •450 views

Outline Problem Characterization Methodology Results Conclusion Short-Lived Prefix Hijacking on the Internet Peter Boothe 1 James Hiebert 1 Randy Bush 2 1 { peter , jamesmh } @ cs . uoregon . edu Computer Science/Computing Center University

  1. Outline Problem Characterization Methodology Results Conclusion Short-Lived Prefix Hijacking on the Internet Peter Boothe 1 James Hiebert 1 Randy Bush 2 1 { peter , jamesmh } @ cs . uoregon . edu Computer Science/Computing Center University of Oregon 2 randy @ psg . com IIJ NANOG 36 February 14, 2006 Peter Boothe, James Hiebert, Randy Bush Short-Lived Prefix Hijacking on the Internet

  2. Outline Problem Characterization Methodology Results Conclusion Problem Characterization Characterizing Hijacking Characterizing Short Lived Hijacking Methodology Initializing the Search Space Narrowing the Search Space Results Highly suspicious events How many hijackings in total? Conclusion Future Work Recap + some questions Acknowledgments Questions Peter Boothe, James Hiebert, Randy Bush Short-Lived Prefix Hijacking on the Internet

  3. Outline Problem Characterization Characterizing Hijacking Methodology Characterizing Short Lived Hijacking Results Conclusion What Is Prefix Hijacking? ◮ Announcing space that belongs to someone else without their permission ◮ Lots of reasons for doing so, almost all of them bad ◮ Different time-scales of hijackings may be used for different purposes. ◮ Short lived hijackings are good for getting IP space for spamming, launching attacks, or sharing illegal material anonymously. ◮ We are searching for short-lived hijackings Peter Boothe, James Hiebert, Randy Bush Short-Lived Prefix Hijacking on the Internet

  4. Outline Problem Characterization Characterizing Hijacking Methodology Characterizing Short Lived Hijacking Results Conclusion Short-lived announcements inside a long-lived netblock Uptime Distribution 200000 PDF of uptime percentages CDF of uptime precentages 180000 160000 Probable Legitimate Number of (ASN, Prefix) Pairs Network Operators 140000 120000 100000 80000 60000 40000 Possible Configuration Errors 20000 0 0 10 20 30 40 50 60 70 80 90 100 Uptime percentage (June 2005) ◮ Majority of the AS/prefix pairs are long lasting ◮ When an AS legitimately controls a netblock, any short lived announcement (by a different AS) inside that block is presumed to be either a misconfig or an invasion ◮ Announcements at the very beginning of a sample period are also presumed to be legit Peter Boothe, James Hiebert, Randy Bush Short-Lived Prefix Hijacking on the Internet

  5. Outline Problem Characterization Initializing the Search Space Methodology Narrowing the Search Space Results Conclusion The Routeviews Input Data ◮ Searched all UPDATE messages in Routeviews data ◮ Recorded all announced prefixes and the announcing AS TIME: 07/18/07 02:22:29 TYPE: BGP4MP/MESSAGE/Update FROM: 211.142.32.148 AS12950 TO: 128.223.67.2 AS6337 ORIGIN: IGP ASPATH: 11956 2114 3657 NEXT_HOP: 211.142.32.148 COMMUNITY: 2914:410 12956:27270 12956:27271 ANNOUNCE 60.8.238.0/24 200.21.232.0/24 Peter Boothe, James Hiebert, Randy Bush Short-Lived Prefix Hijacking on the Internet

  6. Outline Problem Characterization Initializing the Search Space Methodology Narrowing the Search Space Results Conclusion A Tree of the IP Address Space ◮ All announced netblocks are inserted into a tree ◮ A list of ASNs which announced the block are recorded at the proper node ◮ The tree is searched for overlap Peter Boothe, James Hiebert, Randy Bush Short-Lived Prefix Hijacking on the Internet

  7. Outline Problem Characterization Initializing the Search Space Methodology Narrowing the Search Space Results Conclusion Percent Uptime ◮ Eliminated all ASN/Prefix pairs with a percent uptime above a given threshold ( thresh = 90%) ◮ percent uptime defined as: � [ t withdrawal 0 − t announcement 0 ... t withdrawal n − t announcement n ] t endOfMonth − t announcement 0 ◮ The graphed uptime below would be around 10% Peter Boothe, James Hiebert, Randy Bush Short-Lived Prefix Hijacking on the Internet

  8. Outline Problem Characterization Initializing the Search Space Methodology Narrowing the Search Space Results Conclusion Eliminate Mutually Exclusive Uptimes ◮ IP space is not always used at same time ◮ Sometimes prefixes are transferred from one AS to another ◮ The primary path goes down and their backup strategy involves statically routing through another AS ◮ Prefixes with mutually exclusive uptimes are eliminated as a possible invasion Peter Boothe, James Hiebert, Randy Bush Short-Lived Prefix Hijacking on the Internet

  9. Outline Problem Characterization Initializing the Search Space Methodology Narrowing the Search Space Results Conclusion Eliminate Customer/Provider Relationships ◮ Final step which is not yet automated ◮ Manually run a series of tests ◮ AS OWNS BLOCK : Is the entity who owns the AS in whois the same as the entity that owns the netblock in whois? ◮ SAME AS : the two ASs in question may be the entity using multiple ASNs; a variety of whois fields can be checked ◮ IMPORT EXPORT : some ASs explicitly say in the radb whose paths they import and export; if the invader and the invadee have some relationship, the announcement is more likely legitimate Peter Boothe, James Hiebert, Randy Bush Short-Lived Prefix Hijacking on the Internet

  10. Outline Problem Characterization Initializing the Search Space Methodology Narrowing the Search Space Results Conclusion Final Eliminations ◮ INVADEE ASSIST : we look at the announcement data and if the invadee passed along the invaded prefix, then it’s likely OK ◮ FAT FINGERING : if the the prefix in question lexicographically similar to something else that AS owns, then do not count the announcement as an invasion Peter Boothe, James Hiebert, Randy Bush Short-Lived Prefix Hijacking on the Internet

  11. Outline Problem Characterization Highly suspicious events Methodology How many hijackings in total? Results Conclusion Suspect case: a short lived /24 being used within an unrelated AS AS Netblock Uptime Profile in December 2005 2914 199.224.0.0/20 was invaded by 12124 199.224.14.0/24 ◮ The X-axis is time ◮ When the line is high, the AS/netblock pair is in the RIB ◮ When the line is low, the AS/netblock pair has been withdrawn (or the month is over) Peter Boothe, James Hiebert, Randy Bush Short-Lived Prefix Hijacking on the Internet

  12. Outline Problem Characterization Highly suspicious events Methodology How many hijackings in total? Results Conclusion Three /24s involved in a probable hijacking AS Netblock Uptime Profile in December 2005 6461 209.249.0.0/16 was invaded by 26228 209.249.45.0/24 26228 209.249.46.0/24 26228 209.249.47.0/24 ◮ 26228 is not the same entity as 6461 ◮ 26228 is not the owner of 209.249.4[567].0/24 ◮ 6461 does not have a relationship with 26228 in radb ◮ 6461 was not seen propagating 209.249.4[567].0/24 ◮ The hijacked prefixes are not lexicographically similar to 26228’s other legitimate prefixes Peter Boothe, James Hiebert, Randy Bush Short-Lived Prefix Hijacking on the Internet

  13. Outline Problem Characterization Highly suspicious events Methodology How many hijackings in total? Results Conclusion Fooled by a lag in whois data AS Netblock Uptime Profile in June 2005 701 63.80.0.0/12 was invaded by 17284 63.82.77.0/24 ◮ At the time of announcement 63.82.77.0/24 was not registered as having been sub-allocated ◮ 17284 announced nothing else in June ◮ Now whois data indicates that 17284 and the owner of 63.82.77.0/24 are the same entity ◮ Detection methods based on whois data will inevitably generate false positives until whois data catches up Peter Boothe, James Hiebert, Randy Bush Short-Lived Prefix Hijacking on the Internet

  14. Outline Problem Characterization Highly suspicious events Methodology How many hijackings in total? Results Conclusion Number of hijackings in December 2005 ◮ Population of 845 ASs which simultaneously announced a prefix inside another AS’s, and had a low percent uptime ◮ Randomly sampled 5% (42 AS-AS invasions) ◮ Investigated using the previously described manual tests ◮ 3 were not easily explained as misconfigurations ◮ Given our entire population, we calculate a 95% confidence interval of our sample. Result: between 26 and 95 successful prefix hijackings occurred in December 2005 Peter Boothe, James Hiebert, Randy Bush Short-Lived Prefix Hijacking on the Internet

  15. Outline Future Work Problem Characterization Recap + some questions Methodology Acknowledgments Results Questions Conclusion For us or others to do... ◮ Refine search criteria; there’s still too much intuition involved ◮ Automate the remaining manual steps ◮ Decrease reliance on whois or make whois more accurate ◮ Figure out a way to deal with AS post-pending being (potentially) used to disguise attacks ◮ What about long term hijackings? Peter Boothe, James Hiebert, Randy Bush Short-Lived Prefix Hijacking on the Internet

Recommend

A Study of Prefix Hijacking and Interception in the internet Hitesh Ballani, Paul Francis,

A Study of Prefix Hijacking and Interception in the internet Hitesh Ballani, Paul Francis,

A Study of Prefix Hijacking and Interception in the internet Hitesh Ballani, Paul Francis, Xinyang Zhang Presented by: Tony Z.C Huang, Adapted from slides by Hitesh Ballani Prefix Hijacking/ Interception Internet AS CIA AS U Owning

873 views • 38 slides
Accountable Internet Protocol David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen,

Accountable Internet Protocol David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen,

Accountable Internet Protocol David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker http://www.aip-arch.net/ Internet Full of Vulnerabilities Distributed DoS Million-Node Botnets Prefix Hijacking IP

785 views • 34 slides
Detecting inconsistencies in INRDB data to identify MOAS cases and possible illegitimate Internet

Detecting inconsistencies in INRDB data to identify MOAS cases and possible illegitimate Internet

Problem: Prefix/ASN Hijacking Research RIPE NCC Data Sources The algorithm: constructing unique trees Results Comments Detecting inconsistencies in INRDB data to identify MOAS cases and possible illegitimate Internet resource usage Peter

702 views • 16 slides
Border Gateway Protocol (BGP) Structure of the Internet Networks (ISPs, CDNs, etc.) group with

Border Gateway Protocol (BGP) Structure of the Internet Networks (ISPs, CDNs, etc.) group with

Border Gateway Protocol (BGP) Structure of the Internet Networks (ISPs, CDNs, etc.) group with IP prefixes Networks are richly interconnected, often using IXPs Prefix B1 Prefix D1 Prefix C1 ISP B CDN D IXP CDN C IXP Prefix E1

669 views • 27 slides
Border Gateway Protocol (BGP) Structure of the Internet Networks (ISPs, CDNs, etc.) group with

Border Gateway Protocol (BGP) Structure of the Internet Networks (ISPs, CDNs, etc.) group with

Border Gateway Protocol (BGP) Structure of the Internet Networks (ISPs, CDNs, etc.) group with IP prefixes Networks are richly interconnected, often using IXPs Prefix B1 Prefix D1 Prefix C1 ISP B CDN D IXP CDN C IXP Prefix E1

641 views • 33 slides
Variable-Lived Short-Run Selves Drew Fudenberg and David K. Levine September 8, 2009 The Problem

Variable-Lived Short-Run Selves Drew Fudenberg and David K. Levine September 8, 2009 The Problem

Variable-Lived Short-Run Selves Drew Fudenberg and David K. Levine September 8, 2009 The Problem Models of long-run planning and short-run impulsive selves provide a quantitative explanation of a wide variety of behavioral paradoxes,

583 views • 22 slides
This week, we are going to look again at another prefix. What is a prefix? Click on the right

This week, we are going to look again at another prefix. What is a prefix? Click on the right

This week, we are going to look again at another prefix. What is a prefix? Click on the right answer. A prefix is a word or A prefix is a group group of words that A prefix is a group of letters that goes comes at the start of of letters

462 views • 21 slides
Supporting Climate Resilience through Reduction of Short Lived Climate Pollutants (SLCP) and

Supporting Climate Resilience through Reduction of Short Lived Climate Pollutants (SLCP) and

Supporting Climate Resilience through Reduction of Short Lived Climate Pollutants (SLCP) and Organic Waste Management in Battambang Municipality Ran Yagasa Policy Researcher, IGES Centre Collaborating with UNEP on Environmental Technologies

501 views • 25 slides
within subject modules: a short-lived luxury or the way forward? Sarah Horrod Kingston

within subject modules: a short-lived luxury or the way forward? Sarah Horrod Kingston

Embedded with the troops. Teaching academic writing from within subject modules: a short-lived luxury or the way forward? Sarah Horrod Kingston University The Image Access and being in on the action Limitations of being

363 views • 24 slides
This week, we are going to look at another prefix. What is a prefix? Choose the right answer. A

This week, we are going to look at another prefix. What is a prefix? Choose the right answer. A

This week, we are going to look at another prefix. What is a prefix? Choose the right answer. A prefix is a word or A prefix is a group group of words that A prefix is a group of letters that goes comes at the start of of letters that goes

317 views • 21 slides
Short Lived Climate Pollutants (SLCP) avoidance and reduction approaches in municipal solid

Short Lived Climate Pollutants (SLCP) avoidance and reduction approaches in municipal solid

Short Lived Climate Pollutants (SLCP) avoidance and reduction approaches in municipal solid waste (MSW) management Janya Sang-Arun Senior policy researcher Sustainable Consumption and Production Group Institute for Global Environmental

632 views • 15 slides
PHOTOELECTRON SPECTROSCOPY OF TRANSIENT / SHORT LIVED SPECIES Arunava Maity (CY09C003) Indranath

PHOTOELECTRON SPECTROSCOPY OF TRANSIENT / SHORT LIVED SPECIES Arunava Maity (CY09C003) Indranath

PHOTOELECTRON SPECTROSCOPY OF TRANSIENT / SHORT LIVED SPECIES Arunava Maity (CY09C003) Indranath Chakraborty (CY09C016) Smrajit Pal (CY09C034) Subrata Mondal (CY09C037) Tufan Ghosh (CY09C039) Introduction: The most striking properties of

185 views • 14 slides
ARTEMIS: Neutralizing BGP Hijacking within a Minute Alberto Dainotti alberto@caida.org

ARTEMIS: Neutralizing BGP Hijacking within a Minute Alberto Dainotti alberto@caida.org

ARTEMIS: Neutralizing BGP Hijacking within a Minute Alberto Dainotti alberto@caida.org Center for Applied Internet Data Analysis University of California, San Diego Joint work with: Pavlos Sermpezis, Vasileios Kotronis, Petros

375 views • 23 slides
Market volatility slide library 2020 updates 1 Geopolitical sell-offs are short-lived 5.3%

Market volatility slide library 2020 updates 1 Geopolitical sell-offs are short-lived 5.3%

Market volatility slide library 2020 updates 1 Geopolitical sell-offs are short-lived 5.3% Cuban President Nixon Iranian Soviet invasion 27% missile impeachment hostage Average total return of Afghanistan 26% 26% 6 months from event

238 views • 12 slides
Short-Lived Climate-forcing Pollutants (SLCPs) in (South) Asia: Science, Impacts and Action

Short-Lived Climate-forcing Pollutants (SLCPs) in (South) Asia: Science, Impacts and Action

Short-Lived Climate-forcing Pollutants (SLCPs) in (South) Asia: Science, Impacts and Action Prof. Dr. Mark G. Lawrence With contributions from Maheswar Rupakheti, Birgit Lode and Kathleen Mar Managing Scientific Director Institute for

157 views • 15 slides
.NET HIJACKING to DEFEND POWERSHELL AMANDA ROUSSEAU CanSecWest 2017 | .NET Hijacking to Defend

.NET HIJACKING to DEFEND POWERSHELL AMANDA ROUSSEAU CanSecWest 2017 | .NET Hijacking to Defend

1 .NET HIJACKING to DEFEND POWERSHELL AMANDA ROUSSEAU CanSecWest 2017 | .NET Hijacking to Defend PowerShell 2 MALWARE UNICORN Senior or Malware Researcher @ Endgame, Inc. Wo Works s as s a a Mal alware are Re Researc archer r at at

1.04k views • 47 slides
Short Lived Credential Service SLCS Tony J. Genovese Lawrence Berkeley National Laboratory USA

Short Lived Credential Service SLCS Tony J. Genovese Lawrence Berkeley National Laboratory USA

Short Lived Credential Service SLCS Tony J. Genovese Lawrence Berkeley National Laboratory USA November 29, 2005 Outline Background What is SLCS? Document overview Examples Issues and Status Future Profiles? Asian

638 views • 11 slides
Auto-Detecting Hijacked Prefixes? Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam Geoff Huston

Auto-Detecting Hijacked Prefixes? Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam Geoff Huston

Auto-Detecting Hijacked Prefixes? Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam Geoff Huston 1 Address hijacking unauthorized use of an address prefix as an advertised route object on the Internet Not a bogon address block has

309 views • 18 slides
Reducing the Latency-Tail of Short-Lived Flows: Adding Forward Error Correction in Data Centers

Reducing the Latency-Tail of Short-Lived Flows: Adding Forward Error Correction in Data Centers

ATP TCP Reducing the Latency-Tail of Short-Lived Flows: Adding Forward Error Correction in Data Centers Klaus-Tycho Foerster Demian Jaeger David Stolz Roger Wattenhofer ETH Zurich 1 Time is Money 2 Datacenter Traffic S. Kandula et al.,

138 views • 10 slides
Shibboleth Interoperability - Short-Lived Credential Service (SLCS) Valry Tschopp, SWITCH

Shibboleth Interoperability - Short-Lived Credential Service (SLCS) Valry Tschopp, SWITCH

Enabling Grids for E-sciencE - II Shibboleth Interoperability - Short-Lived Credential Service (SLCS) Valry Tschopp, SWITCH JRA1 All Hands Meeting, Abingdon, 9 Nov 2006 www.eu-egee.org INFSO-RI-031688 Presentation Outline Enabling Grids

452 views • 12 slides
Understanding the incentives for prefix aggregation in BGP ReArch 09: Re-Architecting the

Understanding the incentives for prefix aggregation in BGP ReArch 09: Re-Architecting the

Understanding the incentives for prefix aggregation in BGP ReArch 09: Re-Architecting the Internet, Rome, Italy . C. Kalogiros, M. Bagnulo, A. Kostopoulos December 1, 2009 Introduction Tussles may constitute a threat to FI content

573 views • 18 slides
IPCC TFI work on Short Lived Climate Forcers (SLCFs) UN Climate Change Conference 5 December

IPCC TFI work on Short Lived Climate Forcers (SLCFs) UN Climate Change Conference 5 December

IPCC TFI work on Short Lived Climate Forcers (SLCFs) UN Climate Change Conference 5 December 2019 Madrid, Spain Kiyoto Tanabe, IPCC TFI Co-Chair Background: Emerging Issue - SLCFs o Recently, the potential importance of reducing emissions of

277 views • 8 slides
Results for the mass di ff erence between the long- and short-lived K mesons for physical quark

Results for the mass di ff erence between the long- and short-lived K mesons for physical quark

Results for the mass di ff erence between the long- and short-lived K mesons for physical quark masses Bigeng Wang RBC-UKQCD Collaborations Department of Physics Columbia University in the City of New York Lattice 2018 Bigeng Wang (Columbia

487 views • 20 slides
16 October 2017 BZE Discussion Group A Short-lived Gas Shortfall Tim Forcey Dylan McConnell

16 October 2017 BZE Discussion Group A Short-lived Gas Shortfall Tim Forcey Dylan McConnell

16 October 2017 BZE Discussion Group A Short-lived Gas Shortfall Tim Forcey Dylan McConnell 1 Eastern Australia gas exports (LNG) dwarf domestic use Starting in 2015 disruption! The end of cheap gas in Eastern Australia. And the

721 views • 61 slides

More recommend