DOI: 10.1145/2398776.2398779
research-article

Detecting Prefix Hijackings in the Internet with Argus

Published: 14 November 2012 Publication History

Abstract

Border Gateway Protocol (BGP) plays a critical role in the Internet inter-domain routing reliability. Invalid routes generated by mis-configurations or forged by malicious attacks may hijack the traffic and devastate the Internet routing system, but it is unlikely that a secure BGP can be deployed in the near future to completely prevent them. Although many hijacking detection systems have been developed, they more or less have weaknesses such as long detection delay, high false alarm rate and deployment difficulty, and no systematic detection results have been studied.
This paper proposes Argus, an agile system that can accurately detect prefix hijackings and deduce the underlying cause of route anomalies in a very fast way. Argus is based on correlating the control and data plane information closely and pervasively, and has been continuously monitoring the Internet for more than one year. During this period, around 40K routing anomalies were detected, from which 220 stable prefix hijackings were identified. Our analysis of these events shows that hijackings that have only been theoretically studied before do exist in the Internet. Although the frequency of new hijackings is nearly stable, more specific prefixes are hijacked more frequently. Around 20% of the hijackings last less than ten minutes, and some can pollute 90% of the Internet in less than two minutes. These characteristics make Argus especially useful in practice. We further analyze some representative cases in detail to help increase the understanding of prefix hijackings in the Internet.

Supplementary Material

PDF File (11.pdf)
Summary Review Documentation for "Detecting Prefix Hijackings in the Internet with Argus", Authors: X. Shi, Y. Xiang, Z. Wang, X. Yin, and J. Wu

    Published In

    IMC '12: Proceedings of the 2012 Internet Measurement Conference
    November 2012
    572 pages
    ISBN:9781450317054
    DOI:10.1145/2398776
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. bgp
    2. hijacking detection
    3. prefix hijacking
    4. security

    Qualifiers

    • Research-article

    Conference

    IMC '12
    IMC '12: Internet Measurement Conference
    November 14 - 16, 2012
    Massachusetts, Boston, USA

    Acceptance Rates

    Overall Acceptance Rate 277 of 1,083 submissions, 26%
