An early warning system for BGP hijacking attacks (PowerPoint PPT presentation)
SLIDE 1

An early warning system for BGP hijacking attacks

Network Architectures and Services, Georg Carle Faculty of Informatics Technische Universität München, Germany

An early warning system for BGP hijacking attacks

Supervisor: Prof. Dr.-Ing. Georg Carle
Advisor: Dipl. Inf. Johann Schlamp
Student: Patrick de Boer

SLIDE 2

What if..

  • .. it were possible to hijack the whole network of any Internet provider?
  • .. without so much as touching any of that provider's machines?
  • .. from any place on earth?
SLIDE 3

BGP

 Networks = IP prefixes = bundles of IP addresses
  • Distributed by IANA -> RIR -> provider

 AS = Autonomous System
  • i.e. an upstream provider or a customer
  • Assigned prefixes by the RIRs or by other providers
  • A Letter of Authorization (LoA) documents the right to announce a prefix
  • It is forwarded to the upstream provider to prove ownership

 BGP (Border Gateway Protocol)
  • Responsible for routing IP prefixes between ASes
  • NO built-in means of verifying that an AS actually owns the prefix it announces
SLIDE 4

BGP

[Figure: AS Alice announces Prefix A to the Internet via Upstream A]

SLIDE 5

BGP hijacking

[Figure: AS Alice announces Prefix A via Upstream A; AS Eve announces the same Prefix A via Upstream B; both announcements propagate into the Internet]
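The diagram above as an added worked example (example code written for this page; it is not part of the original slides and not PHEW's code): a toy model of BGP route propagation in which AS Alice and AS Eve both originate Prefix A, every AS keeps the announcement with the shortest AS path, and nothing checks whether the origin is entitled to the prefix. The AS numbers, the eight-AS topology and the stand-in prefix 203.0.113.0/24 are constructed for the example.

```python
"""Toy BGP propagation for the hijack on this slide (constructed example).

Two origins announce the same prefix.  Every AS keeps the announcement with
the shortest AS path (tie: lower next-hop ASN) and forwards it, prepending
its own ASN.  No AS verifies whether the origin may announce the prefix,
which is all Eve needs: she never touches a single machine of Alice.
"""

PREFIX_A = "203.0.113.0/24"            # stands in for "Prefix A" (constructed)

ALICE, EVE = 64501, 64502              # private-use ASNs, constructed
UPSTREAM_A, UPSTREAM_B = 64510, 64520

# Constructed AS adjacencies: each customer hangs off one upstream, the two
# upstreams attach to four transit ASes that form "the Internet".
LINKS = {
    (ALICE, UPSTREAM_A), (EVE, UPSTREAM_B),
    (UPSTREAM_A, 64600), (UPSTREAM_A, 64601),
    (UPSTREAM_B, 64602), (UPSTREAM_B, 64603),
    (64600, 64601), (64600, 64602), (64601, 64603), (64602, 64603),
}


def neighbours(asn):
    """All ASes directly connected to asn (links are bidirectional)."""
    return sorted({b for a, b in LINKS if a == asn} | {a for a, b in LINKS if b == asn})


def prefers(candidate, current):
    """BGP-style best path: shorter AS path wins, then lower next-hop ASN."""
    if current is None:
        return True
    if len(candidate) != len(current):
        return len(candidate) < len(current)
    return candidate[0] < current[0]


def propagate(origins):
    """Run announcements to a fixpoint.

    Returns {asn: as_path}: an origin holds the empty path, every other AS
    holds the path it received (next hop first, origin last).
    """
    rib = {origin: [] for origin in origins}
    changed = True
    while changed:
        changed = False
        for asn, path in list(rib.items()):
            advertised = [asn] + path
            for nbr in neighbours(asn):
                if nbr in advertised:          # AS-path loop prevention
                    continue
                if prefers(advertised, rib.get(nbr)):
                    rib[nbr] = advertised
                    changed = True
    return rib


def origin_of(asn, rib):
    """Which AS does asn believe originates PREFIX_A?"""
    path = rib.get(asn)
    if path is None:
        return None
    return path[-1] if path else asn


def hijacked_by(attacker, rib):
    """Sorted ASNs (other than the attacker) whose traffic for PREFIX_A ends at the attacker."""
    return sorted(asn for asn in rib if asn != attacker and origin_of(asn, rib) == attacker)


if __name__ == "__main__":
    normal = propagate({ALICE})
    attack = propagate({ALICE, EVE})
    print("without Eve, AS 64603 reaches origin", origin_of(64603, normal))
    print("with Eve also announcing", PREFIX_A, "these ASes are hijacked:", hijacked_by(EVE, attack))
```

Run as a script it prints which ASes end up routing Prefix A to Eve: everything on Upstream B's side of the Internet, because from there Eve's path is shorter. Eve needed nothing but a BGP session with Upstream B; Alice's own routers never saw anything unusual, which is why detection from the victim's side alone is hard.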

SLIDE 6

BGP hijacking

[Figure: same diagram as slide 5]

SLIDE 7

Detection methods  Current means of detection

 PHAS: passive, using global BGP updates
  • Compare the originating AS of a prefix announcement with the previous announcers
  • Trigger an alarm if it differs

 iSpy: active probing of reachability
  • Probe the reachability of transit providers from each prefix

 Topology scans
  • If two ASes announce the same prefix, compare the prefix topology
   – Active hosts, host settings

SLIDE 8

Known incidents  YouTube vs Pakistan Telecom (2008)
  • Pakistan tried to block YouTube
  • The blocking announcement leaked to the upstream provider
  • The upstream didn't filter it
  • YouTube not reachable for ~2h

 Malaysia vs Yahoo (2004)
 Turkey vs Internet (2004)
 Spammer vs Northrop Grumman (2003)
 Internap vs Link Telecom (2011)

SLIDE 9

AS hijacking

[Figure: AS Alice announces Prefix A via Upstream A; Eve also announces Prefix A via Upstream B, but as AS Alice, so the origin AS looks legitimate]

Eve forges the Letter of Authorization

SLIDE 10

Fake Letter of Authorization  Critical: how to fake the Letter of Authorization?
  • The e-mail address of the maintainer is referenced in the local RIR database for the AS / prefix
  • The domain of that e-mail address expires
  • It is re-registered by the attacker
  • The attacker fakes a Letter of Authorization and sends it to the upstream from the hijacked e-mail address

SLIDE 11

Detection methods  Problems with current detection methods
  • PHAS: detects only MOAS conflicts. AS hijacking produces no MOAS, because the attacker originates the prefix under the victim's own AS number
  • iSpy: has to be installed locally by the provider
  • Topology scans: very expensive

 We analyzed the Link Telecom incident and derived criteria which render an AS vulnerable to this kind of attack
 From these criteria we built an early warning system: PHEW
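To make the PHAS limitation on this slide and the method description on slide 7 concrete, here is an added example (example code written for this page; not PHAS's or PHEW's code) of a MOAS detector run over a constructed stream of BGP updates. It fires for the prefix hijack of slide 5, where Eve originates under her own AS number, and stays silent for the AS hijack of slide 9, where Eve originates as AS Alice. A second detector is an added heuristic of my own: it flags an origin AS that suddenly shows up behind a neighbour AS it has never been seen next to, which is one way a topology-change check can catch the second case. It is not claimed to be what PHEW or EURECOM does, and it fires on a legitimate new upstream just the same. All ASNs, prefixes and update records are constructed.

```python
"""MOAS detection (PHAS-style) versus AS hijacking, on a constructed update feed.

Each record is (timestamp, prefix, as_path); the origin is the last ASN in
the path.  AS_SETs and withdrawals are ignored to keep the example short.
"""
from collections import defaultdict

ALICE, EVE = 64501, 64502              # constructed private-use ASNs
UPSTREAM_A, UPSTREAM_B = 64510, 64520

# Constructed update stream.  t=3: prefix hijack, Eve originates under her own
# ASN (slide 5).  t=4: AS hijack, Eve has convinced Upstream B with a forged
# LoA and originates Prefix A *as* AS Alice (slide 9).  t=5: the same trick
# on a prefix Alice registered but never announced.
UPDATES = [
    (1, "203.0.113.0/24", [UPSTREAM_A, ALICE]),
    (2, "203.0.113.0/24", [64600, UPSTREAM_A, ALICE]),
    (3, "203.0.113.0/24", [UPSTREAM_B, EVE]),
    (4, "203.0.113.0/24", [UPSTREAM_B, ALICE]),
    (5, "198.51.100.0/24", [UPSTREAM_B, ALICE]),
]


class MoasDetector:
    """Remember every origin seen per prefix; alarm on a new one (the PHAS idea)."""

    def __init__(self):
        self.origins = defaultdict(set)

    def observe(self, ts, prefix, as_path):
        origin = as_path[-1]
        known = self.origins[prefix]
        alarm = None
        if known and origin not in known:
            alarm = ("MOAS", ts, prefix, sorted(known), origin)
        known.add(origin)
        return alarm


class NewNeighbourDetector:
    """Added heuristic (not PHAS): an origin AS appearing behind a neighbour AS
    it has never been seen next to before.  Catches the forged-LoA case, but a
    legitimate new upstream looks exactly the same, so treat alarms as leads."""

    def __init__(self):
        self.neighbours = defaultdict(set)

    def observe(self, ts, prefix, as_path):
        if len(as_path) < 2:
            return None                    # no upstream in the path to compare
        origin, upstream = as_path[-1], as_path[-2]
        known = self.neighbours[origin]
        alarm = None
        if known and upstream not in known:
            alarm = ("NEW-NEIGHBOUR", ts, prefix, origin, upstream)
        known.add(upstream)
        return alarm


def run(updates, detectors):
    """Feed every update to every detector; return the alarms in arrival order."""
    alarms = []
    for ts, prefix, path in updates:
        for det in detectors:
            alarm = det.observe(ts, prefix, path)
            if alarm:
                alarms.append(alarm)
    return alarms


def moas_alarms(updates):
    return run(updates, [MoasDetector()])


def all_alarms(updates):
    return run(updates, [MoasDetector(), NewNeighbourDetector()])


if __name__ == "__main__":
    for alarm in all_alarms(UPDATES):
        print(alarm)
```

The update at t=5, where Eve announces a prefix that Alice registered but never announced, triggers nothing in either detector: there is no earlier origin to compare against, and after t=4 Upstream B already counts as a known neighbour of Alice. That gap is what PHEW's unannounced-prefix criterion on the following slides is aimed at.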

SLIDE 12

PHEW  Prefix Hijacking Early Warning
 Front-end: a simple web interface that grades each AS according to the criteria found
 Back-end: an easily extendable risk-assessment framework
 Data updated once a day
 Risk assessment performed once a day
 Web interface publicly accessible: phew.net.in.tum.de

SLIDE 13

PHEW's Risk Assessment Cycle

 Every step adds +1 to the score

SLIDE 14

PHEW's Risk Assessment Cycle

 Every step adds +1 to the score

Steps of the cycle (diagram):
  • Find the AS's unannounced prefixes
  • Check reverse DNS
  • ISP's domain is going to expire
  • Check for changes in network topology
  • Associate domains to AS

SLIDE 15

PHEW's Risk Assessment Cycle

 Every step adds +1 to the score

Steps of the cycle (diagram):
  • Find the AS's unannounced prefixes
  • Check reverse DNS
  • ISP's domain is going to expire
  • Check for changes in network topology
  • Associate domains to AS

Data sources attached to the steps in the diagram:
  • Interface to active verification methods
  • EURECOM
  • RIR DB (changed)
  • WHOIS (ExpiryDate)
  • RIR DB (mnt-by, notify, changed)
  • RIR DB (mnt-by, route, inetnum)
  • RouteViews data
  • RIR DB (domain)
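The five checks of the cycle carried through on constructed data, as an added example (written for this page; it is not PHEW's back-end and makes no claim about how PHEW pairs its data sources with its steps): a few RPSL-like RIR objects for a made-up AS64501 whose maintainer uses the domain alice-isp.example, a RouteViews-like table in which only one of its two registered routes is announced, a WHOIS expiry date for the domain, and two snapshots of its upstream neighbours. The 30-day expiry horizon, counting any maintainer e-mail domain found as "associated", and scoring +1 per check are assumptions of the example; the +1 rule itself is from the slide.

```python
"""PHEW-style risk assessment cycle, added example (not PHEW's code).

All inputs are constructed: RPSL-like RIR objects, a RouteViews-like set of
announced prefixes, WHOIS expiry dates and two snapshots of the AS's upstream
neighbours.  Each of the five checks adds +1 (maximum score 5); the 30-day
expiry horizon and what counts as an associated domain are assumptions.
"""
import ipaddress
import re
from datetime import date, timedelta

RIR_DB = """\
aut-num:  AS64501
mnt-by:   MAINT-ALICE
notify:   noc@alice-isp.example
changed:  hostmaster@alice-isp.example 20090101

mntner:   MAINT-ALICE
upd-to:   hostmaster@alice-isp.example

route:    203.0.113.0/24
origin:   AS64501

route:    198.51.100.0/24
origin:   AS64501

domain:   100.51.198.in-addr.arpa
nserver:  ns1.alice-isp.example
"""
ANNOUNCED = {("203.0.113.0/24", "AS64501")}        # only one of the two routes is live
WHOIS_EXPIRY = {"alice-isp.example": date(2012, 9, 15)}
TODAY = date(2012, 9, 1)
UPSTREAMS_BEFORE, UPSTREAMS_NOW = {"AS64510"}, {"AS64510", "AS64520"}
EMAIL = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def parse_rpsl(text):
    """Blank-line separated blocks of 'attr: value' -> list of {attr: [values]}."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    return objects + ([current] if current else [])


def first(obj, key):
    return obj.get(key, [None])[0]


def email_domains(obj, keys):
    return {m.group(1).lower() for k in keys for v in obj.get(k, []) for m in EMAIL.finditer(v)}


def domains_for_as(db, asn):
    """Associate domains to AS: e-mail domains in the aut-num and in its maintainer objects."""
    domains = set()
    for obj in db:
        if first(obj, "aut-num") == asn:
            domains |= email_domains(obj, ("notify", "changed"))
            for mnt in db:
                if first(mnt, "mntner") in obj.get("mnt-by", []):
                    domains |= email_domains(mnt, ("upd-to", "mnt-nfy", "notify"))
    return domains


def domain_expiring(domains, expiry, today, horizon_days=30):
    """Already expired, or expiring within the (assumed) horizon."""
    limit = today + timedelta(days=horizon_days)
    return any(d in expiry and expiry[d] <= limit for d in domains)


def unannounced_prefixes(db, asn, announced):
    """Route objects of asn that no announced prefix covers."""
    live = [ipaddress.ip_network(p) for p, _ in announced]
    dormant = set()
    for obj in db:
        if "route" in obj and first(obj, "origin") == asn:
            net = ipaddress.ip_network(first(obj, "route"))
            if not any(a.network_address <= net.network_address
                       and net.broadcast_address <= a.broadcast_address for a in live):
                dormant.add(str(net))
    return dormant


def rdns_delegated(db, prefix):
    """A domain object exists for the prefix's in-addr.arpa zone (octet-aligned prefixes only)."""
    net = ipaddress.ip_network(prefix)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return any(first(o, "domain") == ".".join(reversed(octets)) + ".in-addr.arpa" for o in db)


def assess(asn, db, announced, expiry, upstreams_before, upstreams_now, today):
    """One pass of the cycle: +1 per check that fires; returns (score, reasons)."""
    domains = domains_for_as(db, asn)
    dormant = unannounced_prefixes(db, asn, announced)
    checks = [
        ("domains associated: " + ", ".join(sorted(domains)), bool(domains)),
        ("maintainer domain expired or expiring soon", domain_expiring(domains, expiry, today)),
        ("unannounced prefixes: " + ", ".join(sorted(dormant)), bool(dormant)),
        ("reverse DNS delegated for an unannounced prefix", any(rdns_delegated(db, p) for p in dormant)),
        ("upstream set changed", upstreams_before != upstreams_now),
    ]
    reasons = [reason for reason, fired in checks if fired]
    return len(reasons), reasons


if __name__ == "__main__":
    score, reasons = assess("AS64501", parse_rpsl(RIR_DB), ANNOUNCED, WHOIS_EXPIRY,
                            UPSTREAMS_BEFORE, UPSTREAMS_NOW, TODAY)
    print("AS64501: score %d/5" % score, *reasons, sep="\n  ")
```

Run as a script it scores AS64501 5/5: a maintainer domain about to expire, a registered but unannounced prefix, reverse DNS already delegated for that prefix, and a new upstream. Removing any one of these conditions lowers the score by one, which is the +1-per-step rule of the slide; the real system feeds these checks from the RIR database, WHOIS and RouteViews dumps once a day instead of the inline constants used here.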
SLIDE 16

Evaluation  Out of 48,390 AS numbers in total, 24,695 are mentioned in the RIPE DB
 Domain mapping
  • ~65% of domains map to only 1 AS
  • ~55% of the ASes map to only 1 domain
  • 6670 unique AS-domain pairs (AS -> 1 domain -> 1 AS)
  • 1128 of them have unannounced prefixes

 ~30 domains expire per day
 ~20% of distributed prefixes are currently unannounced
 ~5% reach score 4, <1% reach the highest score 5

SLIDE 17

Evaluation  Comteks.biz: suspicious behaviour after domain expiry on 30.08.2012
  • Previously unannounced prefixes were advertised just after the expiry
  • No evidence of spamming, though

 Cyborg.pro: abandoned domain, watch closely in future
  • Has unannounced prefixes
  • rDNS is set up (eases spamming)
  • No spamming history
SLIDE 18

Future work  Domain mapping can be used to infer clusters
  • of ASes (Accenture has 7 AS numbers)
  • Clusters could be used to map prefixes to ASes

 Connect active confirmation methods
 Add more early warning criteria
 Promote usage. Maybe send a notification on domain expiry

SLIDE 19

Thank you Check it out: phew.net.in.tum.de