DOI: 10.5555/1855768.1855777

Locating prefix hijackers using LOCK

Published: 10 August 2009

Abstract

Prefix hijacking is one of the top known threats on today's Internet. A number of measurement-based solutions have been proposed to detect prefix hijacking events. In this paper we take these solutions one step further by addressing the problem of locating the attacker in each detected hijacking event. Being able to locate the attacker is critical for carrying out the necessary mitigation mechanisms at the earliest possible time to limit the impact of the attack, successfully stop the attack, and restore the service.
We propose a robust scheme named LOCK, for LOCating the prefix hijacKer ASes, based on distributed Internet measurements. LOCK locates each attacker AS by actively monitoring paths (either in the control plane or in the data plane) to the victim prefix from a small number of carefully selected monitors distributed across the Internet. Moreover, LOCK is robust against various countermeasures that the hijackers may employ. This is achieved by taking advantage of two observations: that the hijacker cannot manipulate the AS path before the path reaches the hijacker, and that the paths to the victim prefix "converge" around the hijacker AS. We have deployed LOCK on a number of PlanetLab nodes and conducted several large-scale measurements and experiments to evaluate its performance. Our results show that LOCK is able to pinpoint the prefix hijacker AS with an accuracy of up to 94.3%.

Published In

SSYM'09: Proceedings of the 18th conference on USENIX security symposium
August 2009
432 pages

Publisher

USENIX Association

United States


Cited By

  • (2018) ARTEMIS. IEEE/ACM Transactions on Networking 26:6 (2471-2486). DOI: 10.1109/TNET.2018.2869798. Online publication date: 1-Dec-2018
  • (2016) Firewalling Scenic Routes. Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense (31-36). DOI: 10.1145/2994475.2994477. Online publication date: 24-Oct-2016
  • (2013) A forensic case study on as hijacking. ACM SIGCOMM Computer Communication Review 43:2 (5-12). DOI: 10.1145/2479957.2479959. Online publication date: 29-Apr-2013
  • (2011) AS-TRUST. Proceedings of the 4th international conference on Trust and trustworthy computing (262-276). DOI: 10.5555/2022245.2022273. Online publication date: 22-Jun-2011
  • (2010) iSPY. IEEE/ACM Transactions on Networking 18:6 (1815-1828). DOI: 10.1109/TNET.2010.2066284. Online publication date: 1-Dec-2010
