research-article

Free access

Ispy: detecting ip prefix hijacking on my own

Authors:

Randy BushAuthors Info & Claims

SIGCOMM '08: Proceedings of the ACM SIGCOMM 2008 conference on Data communication

Pages 327 - 338

https://doi.org/10.1145/1402958.1402996

Published: 17 August 2008 Publication History

Abstract

IP prefix hijacking remains a major threat to the security of the Internet routing system due to a lack of authoritative prefix ownership information. Despite many efforts in designing IP prefix hijack detection schemes, no existing design can satisfy all the critical requirements of a truly effective system: real-time, accurate, light-weight, easily and incrementally deployable, as well as robust in victim notification. In this paper, we present a novel approach that fulfills all these goals by monitoring network reachability from key external transit networks to one's own network through lightweight prefix-owner-based active probing. Using the prefix-owner's view of reachability, our detection system, iSPY, can differentiate between IP prefix hijacking and network failures based on the observation that hijacking is likely to result in topologically more diverse polluted networks and unreachability. Through detailed simulations of Internet routing, 25-day deployment in 88 ASes (108 prefixes), and experiments with hijacking events of our own prefix from multiple locations, we demonstrate that iSPY is accurate with false negative ratio below 0.45% and false positive ratio below 0.17%. Furthermore, iSPY is truly real-time; it can detect hijacking events within a few minutes.

References

[1]

RIPE RIS. http://www.ripe.net/ris/.

[2]

University of Oregon Route Views Archive Project. http://www.routeviews.org.

[3]

B. Augustin, X. Cuvellier, B. Orgogozo, F. Viger, T. Friedman, M. Latapy, C. Magnien, and R. Teixeira. Avoiding traceroute anomalies with paris traceroute. In Proc. ACM SIGCOMM IMC, 2006.

Digital Library

[4]

H. Ballani, P. Francis, and X. Zhang. A Study of Prefix Hijacking and Interception in the Internet. In Proc. ACM SIGCOMM, August 2007.

Digital Library

[5]

P. Boothe, J. Hiebert, and R. Bush. How Prevalent is Prefix Hijacking on the Internet. NANOG36 Talk, February 2006.

[6]

R. Bush, J. Hiebert, O. Maennel, M. Roughan, and S. Uhlig. Testing the reachability of new address space. In Proc. ACM SIGCOMM INM, 2007.

Digital Library

[7]

D.-F. Chang, R. Govindan, and J. Heidemann. Exploring the Ability of Locating BGP Missing Routes from Multiple Looking Glasses. In Proc. ACM Workshop on Netw. Troubleshooting, 2004.

Digital Library

[8]

H. Chang, R. Govindan, S. Jamin, S. Shenker, and W. Willinger. Towards capturing representative AS-level Internet topologies. Computer Networks, 44 (6):737--755, April 2004.

Digital Library

[9]

A. Feldmann, O. Maennel, Z. M. Mao, A. Berger, and B. Maggs. Locating Internet Routing Instabilities. In Proc. ACM SIGCOMM, 2004.

Digital Library

[10]

L. Gao. On Inferring Autonomous System Relationships in the Internet. In Proc. IEEE Global Internet Symposium, 2000.

[11]

Y. He, G. Siganos, M. Faloutsos, and S. V. Krishnamurthy. A systematic framework for unearthing the missing links: Measurements and Impact. In Proc. NSDI, 2007.

Digital Library

[12]

X. Hu and Z. M. Mao. Accurate Real-time Identification of IP Prefix Hijacking. In Proc. IEEE Security and Privacy, 2007.

Digital Library

[13]

Y.-C. Hu, A. Perrig, and M. Sirbu. SPV: A Secure Path Vector Scheme for Securing BGP. In Proc. ACM SIGCOMM, 2004.

Digital Library

[14]

B. Huffaker. Caida as ranking project. July, 2006, http://ww.caida.org/analysis/topology/rank_as/.

[15]

J. Karlin, J. Karlin, S. Forrest, and J. Rexford. Pretty Good BGP: Improving BGP by Cautiously Adopting Routes. In Proc. ICNP, 2006.

Digital Library

[16]

E. Katz-Bassett, H. V. Madhyastha, J. P. John, A. Krishnamurthy, D. Wetherall, and T. Anderson. Studying Blackholes in the Internet with Hubble. In Proc. NSDI, 2008.

Digital Library

[17]

S. Kent, C. Lynn, and K. Seo. Secure Border Gateway Protocol (Secure-BGP). IEEE J. Selected Areas in Communications, 18 (4):582--592, April 2000.

Digital Library

[18]

M. Lad, D. Massey, D. Pei, Y. Wu, B. Zhang, and L. Zhang. PHAS: A Prefix Hijack Alert System. In Proc. USENIX Security Symposium, 2006.

Digital Library

[19]

M. Lad, R. Oliveira, B. Zhang, and L. Zhang. Understanding resiliency of Internet topology against prefix hijack attacks. In Proc. DSN, 2007.

Digital Library

[20]

H. V. Madhyastha, T. Anderson, A. Krishnamurthy, N. Spring, and A. Venkataramani. iPlane: An information plane for distributed services. In Proc. OSDI, Nov. 2006.

Digital Library

[21]

Z. M. Mao, J. Rexford, J. Wang, and R. Katz. Towards an accurate AS-level traceroute tool. In Proc. ACM SIGCOMM, 2003.

Digital Library

[22]

J. Ng. Extensions to BGP to Support Secure Origin BGP (soBGP). IETF Draft: draft-ng-sobgp-bgp-extensions-01.txt, November 2002.

[23]

R. Oliveira, D. Pei, W. Willinger, B. Zhang, and L. Zhang. In search of the elusive ground truth: The Internet's AS-level connectivity structure. In Proc. ACM SIGMETRICS, 2008.

Digital Library

[24]

R. Oliveira, B. Zhang, D. Pei, R. Izhak-Ratzin, and L. Zhang. Quantifying path exploration in the Internet. In Proc. ACM SIGCOMM IMC, 2006.

Digital Library

[25]

J. Qiu, L. Gao, S. Ranjan, and A. Nucci. Detecting Bogus BGP Route Information: Going Beyond Prefix Hijacking. In Proc. SECURECOMM, 2007.

[26]

A. Ramachandran and N. Feamster. Understanding the network-level behavior of spammers. In Proc. of ACM SIGCOMM, 2006.

Digital Library

[27]

C. A. Shue, A. Kalafut, and M. Gupta. The web is smaller than it seems. In Proc. ACM SIGCOMM IMC, 2007.

Digital Library

[28]

N. Spring, R. Mahajan, D. Wetherall, and T. Anderson. Measuring ISP topologies with Rocketfuel. IEEE/ACM Trans. Netw., 12(1):2--16, 2004.

Digital Library

[29]

L. Subramanian, V. Roth, I. Stoica, S. Shenker, and R. H. Katz. Listen and Whisper: Security Mechanisms for BGP. In Proc. NSDI, 2004.

Digital Library

[30]

R. Teixeira and J. Rexford. A measurement framework for pin-pointing routing changes. In Proc. ACM Workshop on Netw. Troubleshooting, 2004.

Digital Library

[31]

D. Wendlandt, I. Avramopoulos, D. Andersen, and J. Rexford. Don't Secure Routing Protocols, Secure Data Delivery. In Proc. ACM HotNets, 2006.

Digital Library

[32]

J. Wu, Y. Zhang, Z. M. Mao, and K. Shin. Internet Routing Resilience to Failures: Analysis and Implications. In Proc. ACM CoNEXT, 2007.

Digital Library

[33]

W. Xu and J. Rexford. MIRO: multi-path interdomain routing. In Proc. ACM SIGCOMM, 2006.

Digital Library

[34]

M. Zhang, C. Zhang, V. Pai, L. Peterson, and R. Wang. PlanetSeer: Internet Path Failure Monitoring and Characterization in Wide-Area Services. In Proc. OSDI, Dec. 2004.

Digital Library

[35]

Y. Zhang, Z. Zhang, Z. M. Mao, Y. C. Hu, and B. Maggs. On the impact of route monitor selection. In Proc. ACM SIGCOMM IMC, 2007.

Digital Library

[36]

Z. Zhang, Y. Zhang, Y. C. Hu, and Z. M. Mao. Practical Defenses Against BGP Prefix Hijacking. In Proc. ACM CoNEXT, 2007.

Digital Library

[37]

C. Zheng, L. Ji, D. Pei, J. Wang, and P. Francis. A Light-Weight Distributed Scheme for Detecting IP Prefix Hijacks in Realtime. In Proc. ACM SIGCOMM, 2007.

Digital Library

Cited By

Wu LLin NZhang KWu Y(2024)Modeling the BGP Prefix Hijack via Pollution and Recovery ProcessesBig Data and Social Computing10.1007/978-981-97-5803-6_15(253-265)Online publication date: 1-Aug-2024
https://doi.org/10.1007/978-981-97-5803-6_15
He JLi YZhang HWang MAn CWang J(2023)Be Careful of Your Neighbors: Injected Sub-Prefix Hijacking Invisible to Public MonitorsICC 2023 - IEEE International Conference on Communications10.1109/ICC45041.2023.10278923(3774-3780)Online publication date: 28-May-2023
https://doi.org/10.1109/ICC45041.2023.10278923
Gouel MVermeulen KMouchet MRohrer JFourmaux OFriedman T(2022)Zeph & Iris map the internetACM SIGCOMM Computer Communication Review10.1145/3523230.352323252:1(2-9)Online publication date: 1-Mar-2022
https://dl.acm.org/doi/10.1145/3523230.3523232
Show More Cited By

Index Terms

Ispy: detecting ip prefix hijacking on my own
1. Networks
  1. Network protocols
    1. Network layer protocols
      1. Routing protocols
  2. Network services
    1. Network monitoring

Recommendations

A light-weight distributed scheme for detecting ip prefix hijacks in real-time

As more and more Internet IP prefix hijacking incidents are being reported, the value of hijacking detection services has become evident. Most of the current hijacking detection approaches monitor IP prefixes on the control plane and detect ...
A study of prefix hijacking and interception in the internet

There have been many incidents of prefix hijacking in the Internet. The hijacking AS can blackhole the hijacked traffic. Alternatively, it can transparently intercept the hijacked traffic by forwarding it onto the owner. This paper presents a study of ...
Ispy: detecting ip prefix hijacking on my own

IP prefix hijacking remains a major threat to the security of the Internet routing system due to a lack of authoritative prefix ownership information. Despite many efforts in designing IP prefix hijack detection schemes, no existing design can satisfy ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

SIGCOMM '08: Proceedings of the ACM SIGCOMM 2008 conference on Data communication

August 2008

452 pages

ISBN:9781605581750

DOI:10.1145/1402958

General Chairs:
Victor Bahl
Microsoft Research
,
David Wetherall
Intel Research & University of Washington
,
Program Chairs:
Stefan Savage
University of California, San Diego
,
Ion Stoica
University of California, Berkeley

ACM SIGCOMM Computer Communication Review Volume 38, Issue 4
October 2008
436 pages
ISSN:0146-4833
DOI:10.1145/1402946
Issue’s Table of Contents

Copyright © 2008 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 17 August 2008

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

SIGCOMM '08

Sponsor:

SIGCOMM '08: ACM SIGCOMM 2008 Conference

August 17 - 22, 2008

WA, Seattle, USA

Acceptance Rates

Overall Acceptance Rate 462 of 3,389 submissions, 14%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

112
Total Citations
View Citations
966
Total Downloads

Downloads (Last 12 months)131
Downloads (Last 6 weeks)27

Reflects downloads up to 25 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Wu LLin NZhang KWu Y(2024)Modeling the BGP Prefix Hijack via Pollution and Recovery ProcessesBig Data and Social Computing10.1007/978-981-97-5803-6_15(253-265)Online publication date: 1-Aug-2024
https://doi.org/10.1007/978-981-97-5803-6_15
He JLi YZhang HWang MAn CWang J(2023)Be Careful of Your Neighbors: Injected Sub-Prefix Hijacking Invisible to Public MonitorsICC 2023 - IEEE International Conference on Communications10.1109/ICC45041.2023.10278923(3774-3780)Online publication date: 28-May-2023
https://doi.org/10.1109/ICC45041.2023.10278923
Gouel MVermeulen KMouchet MRohrer JFourmaux OFriedman T(2022)Zeph & Iris map the internetACM SIGCOMM Computer Communication Review10.1145/3523230.352323252:1(2-9)Online publication date: 1-Mar-2022
https://dl.acm.org/doi/10.1145/3523230.3523232
Peng SNie JShu XRuan ZWang LSheng YXuan Q(2022)A multi-view framework for BGP anomaly detection via graph attention networkComputer Networks10.1016/j.comnet.2022.109129214(109129)Online publication date: Sep-2022
https://doi.org/10.1016/j.comnet.2022.109129
Zeng MHuang XZhang PLi D(2022)Understanding the impact of outsourcing mitigation against BGP prefix hijackingComputer Networks: The International Journal of Computer and Telecommunications Networking10.1016/j.comnet.2021.108650202:COnline publication date: 15-Jan-2022
https://dl.acm.org/doi/10.1016/j.comnet.2021.108650
Sermpezis PKotronis VArakadakis KVakali A(2021)Estimating the Impact of BGP Prefix Hijacking2021 IFIP Networking Conference (IFIP Networking)10.23919/IFIPNetworking52078.2021.9472813(1-10)Online publication date: 21-Jun-2021
https://doi.org/10.23919/IFIPNetworking52078.2021.9472813
Sun YApostolaki MBirge-Lee HVanbever LRexford JChiang MMittal P(2021)Securing internet applications from routing attacksCommunications of the ACM10.1145/342977564:6(86-96)Online publication date: 24-May-2021
https://dl.acm.org/doi/10.1145/3429775
He GSu WGao SYue JDas S(2021)ROAchain: Securing Route Origin Authorization With Blockchain for Inter-Domain RoutingIEEE Transactions on Network and Service Management10.1109/TNSM.2020.301555718:2(1690-1705)Online publication date: Jun-2021
https://doi.org/10.1109/TNSM.2020.3015557
Dong YLi QSinnott RJiang YXia S(2021)ISP Self-Operated BGP Anomaly Detection Based on Weakly Supervised Learning2021 IEEE 29th International Conference on Network Protocols (ICNP)10.1109/ICNP52444.2021.9651957(1-11)Online publication date: 1-Nov-2021
https://doi.org/10.1109/ICNP52444.2021.9651957
Zeng MLi HLai JHuang X(2021)A BGP Hijacking Detection Method based on Multi-dimensional Historical Data Analysis2021 International Conference on Computer Communication and Artificial Intelligence (CCAI)10.1109/CCAI50917.2021.9447530(141-145)Online publication date: 7-May-2021
https://doi.org/10.1109/CCAI50917.2021.9447530
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents