Yan Yang,Xia Yin,Xingang Shi,Zhiliang Wang,Jiong He,Tom Z. J. Fu,Marianne Winslett

DOI: https://doi.org/10.1016/j.comnet.2019.06.017

IF: 5.493

2019-01-01

Computer Networks

Abstract:As autonomous systems tend to forward packets along the path with minimal routing cost, Internet routes are unevenly distributed on physical links. Links which a large number of routes go through are called routing bottlenecks. Flooding such routing bottlenecks can degrade or even cut off the network connectivity in a large area, making them a serious vulnerability of the Internet. In this paper, we study the characteristics of inter-domain routing bottlenecks and point out that they can be further aggravated by manipulating BGP updates to launch prefix hijackings. We first simulate large quantities of AS-level routing paths to illustrate the pervasiveness of inter-domain routing bottlenecks, as well as their direction, topological location, distance and concentration. Then, we propose a method for measuring and aggravating inter-domain bottlenecks of some AS, such that link flooding on them can be effectively amplified in a stealthy way. Moreover, adversary can adjust the specific method according to its purpose of malicious behaviour. At last, we discuss how inter-domain routing bottlenecks may be affected as the Internet evolves, where we witness the new, or wider, deployment of some routing related mechanisms.

Jun He,Yahui Li,Han Zhang,Ming Wang,Changqing An,Jilong Wang

DOI: https://doi.org/10.1109/icc45041.2023.10278923

2023-01-01

Abstract:Prefix hijackings have always been a significant security issue in BGP and have continued to occur in recent years. Detecting prefix hijackings is a vital part of defending against them. Most detection approaches mainly rely on the feed from the monitors of public route collector infrastructures. We propose an injected sub-prefix hijacking that utilizes the BGP communities attribute and AS path poisoning to control the propagation of invalid sub-prefix routes. This attack only pollutes neighboring ASes, thus guaranteeing the invisibility to monitors. Then the attacker can stealthily hijack traffic passing through the polluted ASes. Through extensive simulations, we show that this attack has an enormous impact and propose the crucial indicator affecting the attacker's capability. Finally, we demonstrate that existing defenses are difficult to handle this attack and then propose several defense strategies against it.

Xingang Shi,Yang Xiang,Zhiliang Wang,Xia Yin,Jianping Wu

DOI: https://doi.org/10.1145/2398776.2398779

2012-01-01

Abstract:Border Gateway Protocol (BGP) plays a critical role in the Internet inter-domain routing reliability. Invalid routes generated by mis-configurations or forged by malicious attacks may hijack the traffic and devastate the Internet routing system, but it is unlikely that a secure BGP can be deployed in the near future to completely prevent them. Although many hijacking detection systems have been developed, they more or less have weaknesses such as long detection delay, high false alarm rate and deployment difficulty, and no systematic detection results have been studied. This paper proposes Argus, an agile system that can accurately detect prefix hijackings and deduce the underlying cause of route anomalies in a very fast way. Argus is based on correlating the control and data plane information closely and pervasively, and has been continuously monitoring the Internet for more than one year. During this period, around 40K routing anomalies were detected, from which 220 stable prefix hijackings were identified. Our analysis on these events shows that, hijackings that have only been theoretically studied before do exist in the Internet. Although the frequency of new hijackings is nearly stable, more specific prefixes are hijacked more frequently. Around 20% of the hijackings last less than ten minutes, and some can pollute 90% of the Internet in less than two minutes. These characteristics make \emph{Argus} especially useful in practice. We further analyze some representative cases in detail to help increase the understanding of prefix hijackings in the Internet.

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Song Li,Haixin Duan,Zhiliang Wang,Jinjin Liang,Xing Li

DOI: https://doi.org/10.1007/s11432-015-5490-8

2016-01-01

Science China Information Sciences

Abstract:Previous research in interdomain routing security has often focused on prefix hijacking. However,several prefix interception events have happened lately, which poses a new security challenge to the interdomain routing system. Compared to prefix hijacking, prefix interception is much harder to detect, as it avoids black hole by forwarding the hijacked traffic back to the victim. In this paper, we present a novel method to detect prefix interception. Our approach exploits a key observation about prefix interception: during a prefix interception event, the attacker detours the intercepted traffic through its network, which turns it into a new important"transit point" for access to the victim. By collecting data plane information to detect the emerging "transit point" and using control plane information to verify it, our scheme can identify prefix interception in real time.The results of Internet experiments and Internet-scale simulations show that our method is accurate with low false alarm rate(0.28%) and false negative rate(2.26%).

Changxi Zheng,Lusheng Ji,Dan Pei,Jia Wang,Paul Francis

DOI: https://doi.org/10.1145/1282427.1282412

IF: 1.937

2007-01-01

ACM SIGCOMM Computer Communication Review

Abstract:As more and more Internet IP prefix hijacking incidents are being reported, the value of hijacking detection services has become evident. Most of the current hijacking detection approaches monitor IP prefixes on the control plane and detect inconsistencies in route advertisements and route qualities. We propose a different approach that utilizes information collected mostly from the data plane. Our method is motivated by two key observations: when a prefix is not hijacked, 1) the hop count of the path from a source to this prefix is generally stable; and 2) the path from a source to this prefix is almost always a super-path of the path from the same source to a reference point along the previous path, as long as the reference point is topologically close to the prefix. By carefully selecting multiple vantage points and monitoring from these vantage points for any departure from these two observations, our method is able to detect prefix hijacking with high accuracy in a light-weight, distributed, and real-time fashion. Through simulations constructed based on real Internet measurement traces, we demonstrate that our scheme is accurate with both false positive and false negative ratios below 0.5%.

Tianxiang Dai,Philipp Jeitner,Haya Shulman,Michael Waidner

DOI: https://doi.org/10.48550/arXiv.2205.05473

2022-05-11

Cryptography and Security

Abstract:Internet resources form the basic fabric of the digital society. They provide the fundamental platform for digital services and assets, e.g., for critical infrastructures, financial services, government. Whoever controls that fabric effectively controls the digital society. In this work we demonstrate that the current practices of Internet resources management, of IP addresses, domains, certificates and virtual platforms are insecure. Over long periods of time adversaries can maintain control over Internet resources which they do not own and perform stealthy manipulations, leading to devastating attacks. We show that network adversaries can take over and manipulate at least 68% of the assigned IPv4 address space as well as 31% of the top Alexa domains. We demonstrate such attacks by hijacking the accounts associated with the digital resources. For hijacking the accounts we launch off-path DNS cache poisoning attacks, to redirect the password recovery link to the adversarial hosts. We then demonstrate that the adversaries can manipulate the resources associated with these accounts. We find all the tested providers vulnerable to our attacks. We recommend mitigations for blocking the attacks that we present in this work. Nevertheless, the countermeasures cannot solve the fundamental problem - the management of the Internet resources should be revised to ensure that applying transactions cannot be done so easily and stealthily as is currently possible.

Wenjie Xu,Deliang Chang,Xing Li

2019-01-01

Abstract:BGP is the default inter-domain routing protocol in today's Internet, but has serious security vulnerabilities [1]. One of them is (sub)prefix hijacking. IETF standardizes RPKI to validate the AS origin but RPKI has a lot of problems [2] [3] [4] [5], among which is potential false alarm. Although some previous work [4] [2] points it out explicitly or implicitly, further measurement and analysis remain to be done. Our work measures and analyzes the invalid prefixes systematically. We first classify the invalid prefixes into six different types and then analyze their stability. We show that a large proportion of the invalid prefixes very likely result from traffic engineering, IP address transfer and failing to aggregate rather than real hijackings.

Khwaja Zubair Sediqi,Lars Prehn,Oliver Gasser

DOI: https://doi.org/10.1145/3544912.3544916

2022-06-28

Abstract:Autonomous Systems (ASes) exchange reachability information between each other using BGP -- the de-facto standard inter-AS routing protocol. While IPv4 (IPv6) routes more specific than /24 (/48) are commonly filtered (and hence not propagated), route collectors still observe many of them. In this work, we take a closer look at those "hyper-specific" prefixes (HSPs). In particular, we analyze their prevalence, use cases, and whether operators use them intentionally or accidentally. While their total number increases over time, most HSPs can only be seen by route collector peers. Nonetheless, some HSPs can be seen constantly throughout an entire year and propagate widely. We find that most HSPs represent (internal) routes to peering infrastructure or are related to address block relocations or blackholing. While hundreds of operators intentionally add HSPs to well-known routing databases, we observe that many HSPs are possibly accidentally leaked routes.

Networking and Internet Architecture

Tongqing Qiu,Lusheng Ji,Dan Pei,Jia Wang,Jun Xu

DOI: https://doi.org/10.1109/ICNP.2010.5762762

2010-01-01

Abstract:IP prefix hijacking is one of the top security threats targeting today's Internet routing protocol. Several schemes have been proposed to either detect or mitigate prefix hijacking events. However, none of these approaches is adopted and deployed on a large-scale on the Internet for reasons such as scalability, economical practicality, or unrealistic assumptions about the collaborations among ISPs. Thus there are no actionable and deployable solutions for dealing with prefix hijacking. In this paper, we study key issues related to deploying and operating an IP prefix hijacking detection and mitigation system. Our contributions include (i) deployment strategies for hijacking detection and mitigation system (named as TowerDefense): a practical service model for prefix hijacking protection and effective algorithms for selecting agent locations for detecting and mitigating prefix hijacking attacks; and (ii) large scale experiments on PlanetLab and extensive analysis on the performance of TowerDefense.

Man Zeng,Xiaohong Huang,Pei Zhang,Dandan Li,Kun Xie

DOI: https://doi.org/10.1109/tdsc.2024.3371644

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Resource Public Key Infrastructure (RPKI) defends against BGP prefix hijacking by signing Route Origin Authorizations (ROAs) and filtering malicious BGP routes with ROAs. However, RPKI's low deployment weakens its defense against prefix hijacking. In the absence of a large fraction of Autonomous Systems (ASes) signing ROAs, the incentive to use filtering to eliminate hijacked prefixes commensurately decreases. There is a cyclic dependency here because reduced filtering in turn lessens the incentive for non-adoptees to become adoptees. Previous studies on RPKI deployment are mainly from the measurement perspective or focus on the deployment of large Internet Service Providers (ISPs). The above circular dependency problem inside the RPKI has not been fully studied. To improve RPKI's defense, this paper studies the circular dependency problem from an evolutionary game theory perspective. We model the strategy evolution of ASes choosing to deploy signing alone, deploy filtering alone, or deploy both signing and filtering. The results show that when the deployment rates of signing and filtering reach a certain range, the evolution can reach an ideal deployment state at a faster speed. Therefore, to increase the probability of evolution reaching the ideal deployment state, we propose RPKIN to widen this interval and reduce the minimum deployment rate required for signing and filtering.

computer science, information systems, software engineering, hardware & architecture

Tongqing Qiu,Lusheng Ji,Dan Pei,Jia Wang,Jun (Jim) Xu,Hitesh Ballani

2009-01-01

Abstract:Prefix hijacking is one of the top known threats on today's Internet. A number of measurement based solutions have been proposed to detect prefix hijacking events. In this paper we take these solutions one step further by addressing the problem of locating the attacker in each of the detected hijacking event. Being able to locate the attacker is critical for conducting necessary mitigation mechanisms at the earliest possible time to limit the impact of the attack, successfully stopping the attack and restoring the service. We propose a robust scheme named LOCK, for LOCating the prefix hijacKer ASes based on distributed Internet measurements. LOCK locates each attacker AS by actively monitoring paths (either in the control-plane or in the data-plane) to the victim prefix from a small number of carefully selected monitors distributed on the Internet. Moreover, LOCK is robust against various countermeasures that the hijackers may employ. This is achieved by taking advantage of two observations: that the hijacker cannot manipulate AS path before the path reaches the hijacker, and that the paths to victim prefix "converge" around the hijacker AS. We have deployed LOCK on a number of PlanetLab nodes and conducted several large scale measurements and experiments to evaluate the performance. Our results show that LOCK is able to pinpoint the prefix hijacker AS with an accuracy up to 94.3%.

Yang Xiang,Zhiliang Wang,Xia Yin,Jianping Wu

DOI: https://doi.org/10.1109/ICNP.2011.6089080

2011-01-01

Abstract:The de facto inter-domain routing protocol, Border Gateway Protocol (BGP), plays a critical role in the Internet routing reliability. Invalid routes generated by mis-configurations or malicious attacks will devastate the Internet routing system. In the near future, deploying a secure BGP in the Internet to completely prevent hijacking is impossible. As a result, lots of hijacking detection systems have emerged. However, they have more or less weaknesses such as long detection delay, high false alarm rate or deploy hardness. This paper proposes Argus, an agile system to fast and accurate detect prefix hijacking. Argus already keeps on running in the Internet for two months and identified several possible hijackings. Initial results show that it usually discovers a hijacking in less than ten seconds, and can significantly decrease the false alarm rate.

Tomas Hlavacek,Haya Shulman,Niklas Vogel,Michael Waidner

2023-03-21

Abstract:IP prefix hijacks allow adversaries to redirect and intercept traffic, posing a threat to the stability and security of the Internet. To prevent prefix hijacks, networks should deploy RPKI and filter bogus BGP announcements with invalid routes. In this work we evaluate the impact of RPKI deployments on the security and resilience of the Internet. We aim to understand which networks filter invalid routes and how effective that filtering is in blocking prefix hijacks. We extend previous data acquisition and analysis methodologies to obtain more accurate identification of networks that filter invalid routes with RPKI. We find that more than 27% of networks enforce RPKI filtering and show for the first time that deployments follow the business incentives of inter-domain routing: providers have an increased motivation to filter in order to avoid losing customers' traffic. Analyzing the effectiveness of RPKI, we find that the current trend to deploy RPKI on routeservers of Internet Exchange Points (IXPs) only provides a localized protection against hijacks but has negligible impact on preventing their spread globally. In contrast, we show that RPKI filtering in Tier-1 providers greatly benefits the security of the Internet as it limits the spread of hijacks to a localized scope. Based on our observations, we provide recommendations on the future roadmap of RPKI deployment. We make our datasets available for public use [<a class="link-external link-https" href="https://sit4.me/rpki" rel="external noopener nofollow">this https URL</a>].

Networking and Internet Architecture,Cryptography and Security

Mohit Lad,Dan Massey,Dan Pei,Yiguo Wu,Beichuan Zhang,Lixia Zhang

2006-01-01

Abstract:In a BGP prefix hijacking event, a router originates a route to a prefix, but does not provide data delivery to the actual prefix. Prefix hijacking events have been widely reported and are a serious problem in the Internet. This paper presents a new Prefix Hijack Alert System (PHAS). PHAS is a real-time notification system that alerts prefix owners when their BGP origin changes. By providing reliable and timely notification of origin AS changes, PHAS allows prefix owners to quickly and easily detect prefix hijacking events and take prompt action to address the problem. We illustrate the effectiveness of PHAS and evaluate its overhead using BGP logs collected from RouteViews. PHAS is light-weight, easy to implement, and readily deployable. in addition to protecting against false BGP origins, the PHAS concept can be extended to detect prefix hijacking events that involve announcing more specific prefixes or modifying the last hop in the path.

Dan Wu,Zhiliang Wang,Xia Yin,Xingang Shi,Jianping Wu,Wenlong Chen

DOI: https://doi.org/10.1109/icccn.2014.6911730

2014-01-01

Abstract:Nowadays, due to the rapid growing popularity of Internet, the global routing system suffers from great scalability problem. Many solutions are proposed to solve the problem, including FIB aggregation, core/edge separation solutions, et al. The limitation of these existing solutions is that they all make the assumption that all addresses in the Internet must be globally visible and these routing information must be spread worldwide. We propose to make some network prefixes globally invisible and eliminate the routing information of these prefixes from the global routing system to further improve the scalability of the Internet. Our solution distinguishes content provider networks (containing content providers) from content consumer networks (containing only content consumers) and removes the routing information of content consumer networks. In order to cope with the communication between content consumer networks and content provider networks, we propose HSR (Hybrid Source Routing), in which source routing is used to assist network-based routing to achieve end-to-end reachability. We carry out performance evaluation by simulation, and experimental results show that if only top 1 million websites are globally visible, the visible ASes, prefixes in forwarding table and received updates can be reduced to 40%, 12% and 10%.

Honglin Ye,Shuai Wang,Dan Li

DOI: https://doi.org/10.1109/infocom53939.2023.10229024

2023-01-01

Abstract:International submarine cables (ISCs) connect various countries/regions worldwide, and serve as the foundation of Internet routing. However, little attention has been paid to studying the impact of ISCs on Internet routing. This study addresses two questions to bridge the gap between ISCs and Internet routing: (1) For a given ISC, which Autonomous Systems (ASes) are using it, and (2) How dependent is Internet routing on ISCs. To tackle the first question, we propose Topology to Topology (or T2T), a framework for the large-scale measurement of static mapping between ASes and ISCs, and apply T2T to the Internet to reveal the status, trends, and preferences of ASes using ISCs. We find that ISCs used by Tier-1 ASes are more than 30× of stub ASes. For the second question, we design an Internet routing simulator, and evaluate the behavior change of Internet routing when an ISC fails based on the mapping between ASes and ISCs. The results show that benefited from the complex mesh of ISCs, the failures of most ISCs have limited impact on Internet routing, while a few ISCs can have a significant impact. Finally, we analyze severely affected ASes and recommend how to improve the resilience of the Internet.

Lv Ting,Donghong Qin,Lina Ge

DOI: https://doi.org/10.1007/978-981-15-0118-0_20

2019-01-01

Abstract:The network architecture has undergone great changes. For example, the network topology of autonomous system level tends to be flattened. In this paper, actual network topology map is constructed through actual network routing data, to study and analyze the network structure changes of the Internet recently and the dependence of the Internet on the core AS. In order to achieve the above goals, the experimental analysis framework and some related algorithms were designed. Experimental results show that the Internet architectures gradually become flattening, and the dependence of the Internet on core AS is gradually reduced but the importance of the core ASes is still indispensable. Most traffic between local ASes can be transited through the local infrastructure (such as IXP) rather than the upper ISPs. The observations may guide the design of inter-domain routing protocols and Internet exchange architectures to achieve higher performance and reliability.

Wei Zhang,Jun Bi,Jianping Wu,Sen Wang,Hongcheng Tian

DOI: https://doi.org/10.1145/2089016.2089040

2011-01-01

Abstract:The Internet is becoming the global digital infrastructure; however, its current architecture faces many challenges in terms of scalability, security and other aspects. For example, the BGP routing table keeps growing rapidly as the Internet scales up; Source IP address spoofing and prefix hijacking undermine the security of fundamental Internet applications. Motivated by seeking evolvable architecture solutions, we propose an enhanced inter-domain routing architecture to address these problems. In our architecture, we first introduce two routing hierarchies: local routing on specific network layer protocols/addresses and global routing on a coarser granularity in order to improve the routing scalability. The end-to-end routes are composed of local IP-level forwarding and global transit tunnels on higher routing hierarchy. Secondly we propose "pair-wise" routing on the coarser granularity which may facilitate source authentication and inter-domain accountability. On the data plane, an inter-domain path is composed of concatenated local transit tunnels within administration boundaries which should comply with corresponding local transit policies. In addition to enhanced scalability, security and accountability, our new routing architecture may facilitate Internet-wide deployment of new network layer protocols and leverage IP evolution in the long run.

Yihao Jia,Ying Liu,Gang Ren,Lin He

DOI: https://doi.org/10.1109/pccc.2017.8280451

2017-01-01

Abstract:IP spoofing, which is prevalently used for anonymity and reflection attacks, has shown increasing destructive power in recent years. Although certain source address validation solutions have been standardized by the Internet Engineering Task Force, few networks are willing to adopt them in view of the deficiency of deployment benefits. Actually, all the source address validation solutions face the problem of a lack of deployability. In this paper, we summarize the key points describing deployability and propose a new security service-inter-autonomous-system (AS) Source Address Protection (iSAP). Technically, by increasing the possibility of keeping the source address belonging to one AS from being the victim of reflection flooding, iSAP improves the deployers ability to prevent IP spoofing and increases incremental deployability. In reality, such a service can also be regarded as a new profit opportunity for ASes and it could progress gradually once it is well commercialized. Based on simulations with real Internet topology data, the results illustrate that iSAP can protect ASes from being reflected with only a few deployers, exhibiting a high potential to mitigate reflection flooding with modest resource consumption.