
A forensic case study on AS hijacking: the attacker's perspective

Published: 29 April 2013

Abstract

The Border Gateway Protocol (BGP) was designed without security in mind. To this day, this leaves the Internet vulnerable to hijacking attacks that intercept or blackhole Internet traffic. So far, significant effort has been put into the detection of IP prefix hijacking, while AS hijacking has received little attention. AS hijacking is more sophisticated than IP prefix hijacking and is aimed at a long-term benefit, for example over a duration of months.
In this paper, we study a malicious case of AS hijacking, carried out in order to send spam from the victim's network. We thoroughly investigate this AS hijacking incident using live data from both the control and the data plane. Our analysis yields insights into how an attacker proceeded in order to covertly hijack a whole autonomous system, how he misled an upstream provider, and how he used an unallocated address space. We further show that state-of-the-art techniques to prevent hijacking are not fully capable of dealing with this kind of attack. We also derive guidelines on how to conduct future forensic studies of AS hijacking. Our findings show that there is a need for preventive measures that would make it possible to anticipate AS hijacking, and we outline the design of an early warning system.

Published In

ACM SIGCOMM Computer Communication Review, Volume 43, Issue 2
April 2013
72 pages
ISSN: 0146-4833
DOI: 10.1145/2479957
Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

Published: 29 April 2013
Published in SIGCOMM-CCR Volume 43, Issue 2

Author Tags

1. AS hijacking
2. BGP
3. case study
4. monitoring
5. prefix hijacking

Qualifiers

• Research-article
