Henry Birge-Lee,Maria Apostolaki,Jennifer Rexford

2024-08-19

Abstract:As the deployment of comprehensive Border Gateway Protocol (BGP) security measures is still in progress, BGP monitoring continues to play a critical role in protecting the Internet from routing attacks. Fundamentally, monitoring involves observing BGP feeds to detect suspicious announcements and taking defensive action. However, BGP monitoring relies on seeing the malicious BGP announcement in the first place! In this paper, we develop a novel attack that can hide itself from all state-of-the-art BGP monitoring systems we tested while affecting the entire Internet. The attack involves launching a sub-prefix hijack with the RFC-specified NO_EXPORT community attached to prevent networks with the malicious route installed from sending the route to BGP monitoring systems. We study the viability of this attack at four tier-1 networks and find all networks we studied were vulnerable to the attack. Finally, we propose a mitigation that significantly improves the robustness of the BGP monitoring ecosystem. Our paper aims to raise awareness of this issue and offer guidance to providers to protect against such attacks.

Cryptography and Security,Networking and Internet Architecture

Xingang Shi,Yang Xiang,Zhiliang Wang,Xia Yin,Jianping Wu

DOI: https://doi.org/10.1145/2398776.2398779

2012-01-01

Abstract:Border Gateway Protocol (BGP) plays a critical role in the Internet inter-domain routing reliability. Invalid routes generated by mis-configurations or forged by malicious attacks may hijack the traffic and devastate the Internet routing system, but it is unlikely that a secure BGP can be deployed in the near future to completely prevent them. Although many hijacking detection systems have been developed, they more or less have weaknesses such as long detection delay, high false alarm rate and deployment difficulty, and no systematic detection results have been studied. This paper proposes Argus, an agile system that can accurately detect prefix hijackings and deduce the underlying cause of route anomalies in a very fast way. Argus is based on correlating the control and data plane information closely and pervasively, and has been continuously monitoring the Internet for more than one year. During this period, around 40K routing anomalies were detected, from which 220 stable prefix hijackings were identified. Our analysis on these events shows that, hijackings that have only been theoretically studied before do exist in the Internet. Although the frequency of new hijackings is nearly stable, more specific prefixes are hijacked more frequently. Around 20% of the hijackings last less than ten minutes, and some can pollute 90% of the Internet in less than two minutes. These characteristics make \emph{Argus} especially useful in practice. We further analyze some representative cases in detail to help increase the understanding of prefix hijackings in the Internet.

Yan Yang,Xingang Shi,Xia Yin,Zhiliang Wang

DOI: https://doi.org/10.1109/trustcom.2016.0068

2016-01-01

Abstract:The correct functioning of inter-domain routing is of vital importance to the ever expanding Internet. As a common threat to the Internet, prefix hijackings often hijack traffic destined to some Autonomous Systems(ASes), leading to routing black holes or traffic interception. In this paper, we study two typical categories of prefix hijackings, namely false origin hijacking and man-in-the-middle interception, by extensive simulations. Our simulations are based on a new model which takes both the hierarchical Internet structure and the AS connectivity degrees into consideration. With this model, we explore the attacking/hijacking power of different ASes and their resisting power to this attack, where different categories of hijackings exhibit different characteristics. In addition, we also confirm that our results still hold considering various factors in the real Internet, including hidden links, prefix distribution, and RPKI, a countermeasure to prefix hijackings that is undergoing an active deployment in inter-domain routing. Some explanations and case studies are given to help better understanding of our results, which we hope will facilitate the deployment of RPKI and inspire new research.

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Mohit Lad,Dan Massey,Dan Pei,Yiguo Wu,Beichuan Zhang,Lixia Zhang

2006-01-01

Abstract:In a BGP prefix hijacking event, a router originates a route to a prefix, but does not provide data delivery to the actual prefix. Prefix hijacking events have been widely reported and are a serious problem in the Internet. This paper presents a new Prefix Hijack Alert System (PHAS). PHAS is a real-time notification system that alerts prefix owners when their BGP origin changes. By providing reliable and timely notification of origin AS changes, PHAS allows prefix owners to quickly and easily detect prefix hijacking events and take prompt action to address the problem. We illustrate the effectiveness of PHAS and evaluate its overhead using BGP logs collected from RouteViews. PHAS is light-weight, easy to implement, and readily deployable. in addition to protecting against false BGP origins, the PHAS concept can be extended to detect prefix hijacking events that involve announcing more specific prefixes or modifying the last hop in the path.

Boyang Zhou,Gaoning Pan,Chunming Wu,Kai Zhu,Wei Ruan

DOI: https://doi.org/10.1007/s11432-019-9921-7

2020-01-01

Science China Information Sciences

Abstract:Dear editor, Recently, crossfire attack has been witnessed as a new distributed denial-of-service (DDoS) weapon that can effectively cut off the data connections between the chosen target area (wd) of servers and the end hosts (H).The attack is launched by a network of bot (botnet) to drain bandwidth of persistent routes (PRs) in the indirect and lowrate data flooding towards the decoys that are located in upstream to the target, where the PRs are probed by the adversary who sends Internet control message protocol (ICMP) packets with different time-to-live (TTL) values, e.g., using traceroute [1].Such flooding is hard to be detected by firewalls or IDSes.

Dezhang Kong,Yi Shen,Xiang Chen,Qiumei Cheng,Hongyan Liu,Dong Zhang,Xuan Liu,Shuangxi Chen,Chunming Wu

DOI: https://doi.org/10.1109/tnet.2022.3203561

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:The topology discovery service in Software-Defined Networking (SDN) provides the controller with a global view of the substrate network topology, allowing for central management of the entire network. Unfortunately, emerging topology attacks can poison the network topology and result in unforeseeable disasters. Although researchers have made great efforts to mitigate this problem, security hazards still exist. In this paper, we propose Invisible Assailant Attack (IAA), the first combination topology attack capable of injecting and maintaining fake links even when 12 existing defense strategies are deployed simultaneously. IAA consists of 14 attack phases that apply multiple attack strategies. Attackers skillfully disguise the attack traffic in each phase so that it looks like normal network traffic, and perform these phases in a well-planned sequence, thereby bypassing existing defenses step by step. To mitigate this attack, we propose a Route Path Verification (RPV) mechanism that orchestrates multiple defense strategies to identify fake links. According to the experiments, RPV can successfully detect IAA with low overhead: its detection completes within 1 ms while its per-flow storage consumption is only a few KB.

Changxi Zheng,Lusheng Ji,Dan Pei,Jia Wang,Paul Francis

DOI: https://doi.org/10.1145/1282427.1282412

IF: 1.937

2007-01-01

ACM SIGCOMM Computer Communication Review

Abstract:As more and more Internet IP prefix hijacking incidents are being reported, the value of hijacking detection services has become evident. Most of the current hijacking detection approaches monitor IP prefixes on the control plane and detect inconsistencies in route advertisements and route qualities. We propose a different approach that utilizes information collected mostly from the data plane. Our method is motivated by two key observations: when a prefix is not hijacked, 1) the hop count of the path from a source to this prefix is generally stable; and 2) the path from a source to this prefix is almost always a super-path of the path from the same source to a reference point along the previous path, as long as the reference point is topologically close to the prefix. By carefully selecting multiple vantage points and monitoring from these vantage points for any departure from these two observations, our method is able to detect prefix hijacking with high accuracy in a light-weight, distributed, and real-time fashion. Through simulations constructed based on real Internet measurement traces, we demonstrate that our scheme is accurate with both false positive and false negative ratios below 0.5%.

Yang Xiang,Zhiliang Wang,Xia Yin,Jianping Wu

DOI: https://doi.org/10.1109/ICNP.2011.6089080

2011-01-01

Abstract:The de facto inter-domain routing protocol, Border Gateway Protocol (BGP), plays a critical role in the Internet routing reliability. Invalid routes generated by mis-configurations or malicious attacks will devastate the Internet routing system. In the near future, deploying a secure BGP in the Internet to completely prevent hijacking is impossible. As a result, lots of hijacking detection systems have emerged. However, they have more or less weaknesses such as long detection delay, high false alarm rate or deploy hardness. This paper proposes Argus, an agile system to fast and accurate detect prefix hijacking. Argus already keeps on running in the Internet for two months and identified several possible hijackings. Initial results show that it usually discovers a hijacking in less than ten seconds, and can significantly decrease the false alarm rate.

Song Li,Haixin Duan,Zhiliang Wang,Jinjin Liang,Xing Li

DOI: https://doi.org/10.1007/s11432-015-5490-8

2016-01-01

Science China Information Sciences

Abstract:Previous research in interdomain routing security has often focused on prefix hijacking. However,several prefix interception events have happened lately, which poses a new security challenge to the interdomain routing system. Compared to prefix hijacking, prefix interception is much harder to detect, as it avoids black hole by forwarding the hijacked traffic back to the victim. In this paper, we present a novel method to detect prefix interception. Our approach exploits a key observation about prefix interception: during a prefix interception event, the attacker detours the intercepted traffic through its network, which turns it into a new important"transit point" for access to the victim. By collecting data plane information to detect the emerging "transit point" and using control plane information to verify it, our scheme can identify prefix interception in real time.The results of Internet experiments and Internet-scale simulations show that our method is accurate with low false alarm rate(0.28%) and false negative rate(2.26%).

Yangyang Wang,Mingwei Xu

DOI: https://doi.org/10.1145/3405837.3411403

2020-01-01

Abstract:On the Internet, Border Gateway Protocol (BGP) is the standard to construct inter-domain routes among autonomous systems (ASes). Data traffic follows the inverse direction of BGP route propagation. For the outbound traffic, an AS can make its own selection in the range of the routes received from its peering neighbor ASes, and change the traffic outbound paths for better performance or bypassing failures. It is more difficult for ASes to control inbound traffic paths because it cannot determine the selection for remote ASes. An AS only has to manipulate BGP path attributes of the advertised prefixes it owns to trigger the potential path change from other ASes to itself.

Wenjie Xu,Deliang Chang,Xing Li

2019-01-01

Abstract:BGP is the default inter-domain routing protocol in today's Internet, but has serious security vulnerabilities [1]. One of them is (sub)prefix hijacking. IETF standardizes RPKI to validate the AS origin but RPKI has a lot of problems [2] [3] [4] [5], among which is potential false alarm. Although some previous work [4] [2] points it out explicitly or implicitly, further measurement and analysis remain to be done. Our work measures and analyzes the invalid prefixes systematically. We first classify the invalid prefixes into six different types and then analyze their stability. We show that a large proportion of the invalid prefixes very likely result from traffic engineering, IP address transfer and failing to aggregate rather than real hijackings.

Tongqing Qiu,Lusheng Ji,Dan Pei,Jia Wang,Jun (Jim) Xu,Hitesh Ballani

2009-01-01

Abstract:Prefix hijacking is one of the top known threats on today's Internet. A number of measurement based solutions have been proposed to detect prefix hijacking events. In this paper we take these solutions one step further by addressing the problem of locating the attacker in each of the detected hijacking event. Being able to locate the attacker is critical for conducting necessary mitigation mechanisms at the earliest possible time to limit the impact of the attack, successfully stopping the attack and restoring the service. We propose a robust scheme named LOCK, for LOCating the prefix hijacKer ASes based on distributed Internet measurements. LOCK locates each attacker AS by actively monitoring paths (either in the control-plane or in the data-plane) to the victim prefix from a small number of carefully selected monitors distributed on the Internet. Moreover, LOCK is robust against various countermeasures that the hijackers may employ. This is achieved by taking advantage of two observations: that the hijacker cannot manipulate AS path before the path reaches the hijacker, and that the paths to victim prefix "converge" around the hijacker AS. We have deployed LOCK on a number of PlanetLab nodes and conducted several large scale measurements and experiments to evaluate the performance. Our results show that LOCK is able to pinpoint the prefix hijacker AS with an accuracy up to 94.3%.

Yan Yang,Xia Yin,Xingang Shi,Zhiliang Wang,Jiong He,Tom Z. J. Fu,Marianne Winslett

DOI: https://doi.org/10.1016/j.comnet.2019.06.017

IF: 5.493

2019-01-01

Computer Networks

Abstract:As autonomous systems tend to forward packets along the path with minimal routing cost, Internet routes are unevenly distributed on physical links. Links which a large number of routes go through are called routing bottlenecks. Flooding such routing bottlenecks can degrade or even cut off the network connectivity in a large area, making them a serious vulnerability of the Internet. In this paper, we study the characteristics of inter-domain routing bottlenecks and point out that they can be further aggravated by manipulating BGP updates to launch prefix hijackings. We first simulate large quantities of AS-level routing paths to illustrate the pervasiveness of inter-domain routing bottlenecks, as well as their direction, topological location, distance and concentration. Then, we propose a method for measuring and aggravating inter-domain bottlenecks of some AS, such that link flooding on them can be effectively amplified in a stealthy way. Moreover, adversary can adjust the specific method according to its purpose of malicious behaviour. At last, we discuss how inter-domain routing bottlenecks may be affected as the Internet evolves, where we witness the new, or wider, deployment of some routing related mechanisms.

Tobias Bühler,Alexandros Milolidakis,Romain Jacob,Marco Chiesa,Stefano Vissicchio,Laurent Vanbever

DOI: https://doi.org/10.48550/arXiv.2301.12843

2023-01-30

Abstract:The lack of security of the Internet routing protocol (BGP) has allowed attackers to divert Internet traffic and consequently perpetrate service disruptions, monetary frauds, and even citizen surveillance for decades. State-of-the-art defenses rely on geo-distributed BGP monitors to detect rogue BGP announcements. As we show, though, attackers can easily evade detection by engineering their announcements. This paper presents Oscilloscope, an approach to accurately detect BGP hijacks by relying on real-time traffic analysis. As hijacks inevitably change the characteristics of the diverted traffic, the key idea is to track these changes in real time and flag them. The main challenge is that "normal" Internet events (e.g., network reconfigurations, link failures, load balancing) also change the underlying traffic characteristics - and they are way more frequent than hijacks. Naive traffic analyses would hence lead to too many false positives. We observe that hijacks typically target a subset of the prefixes announced by Internet service providers and only divert a subset of their traffic. In contrast, normal events lead to more uniform changes across prefixes and traffic. Oscilloscope uses this observation to filter out non-hijack events by checking whether they affect multiple related prefixes or not. Our experimental evaluation demonstrates that Oscilloscope quickly and accurately detects hijacks in realistic traffic traces containing hundreds of events.

Networking and Internet Architecture

Mingui Zhang,Bin Liu,Beichuan Zhang

DOI: https://doi.org/10.1109/infcom.2010.5462200

2010-01-01

Abstract:False routing announcements are a serious security problem, which can lead to widespread service disruptions in the Internet. A number of detection systems have been proposed and implemented recently, however, it takes time to detect attacks, notify operators, and stop false announcements. Thus detection systems should be complemented by a mitigation scheme that can protect data delivery before the attack is resolved. We propose such a mitigation scheme, QBGP, which decouples the propagation of a path and the adoption of a path for data forwarding. QBGP does not use suspicious paths to forward data traffic, but still propagates them in the routing system to facilitate attack detection. It can protect data delivery from routing announcements of false sub-prefixes, false origins, false nodes and false links. QBGP incurs overhead only when there are suspicious paths, which happen infrequently in real BGP traces. Results from large scale simulations and BGP trace analysis show that QBGP is light-weight yet effective, and it converges faster and incurs less overhead than Pretty Good BGP.

XL Zhao,D Pei,L Wang,D Massey,A Mankin,SF Wu,LX Zhang

DOI: https://doi.org/10.1109/dsn.2002.1028887

2002-01-01

Abstract:Network measurement has shown that a specific IP address prefix may be announced by more than one autonomous system (AS), a phenomenon commonly referred to as Multiple Origin AS, or MOAS. MOAS can be due to either operational need to support multi-homing, or false route announcements due to configuration or implementation errors, or even by intentional attacks. Packets following such bogus routes will be either dropped or, in the case of an intentional attack, delivered to a machine of the attacker's choosing.This paper presents a protocol enhancement to BGP which enables BGP to detect bogus route announcements from false origins. Rather than imposing cryptography-based authentication and encryption to secure routing message exchanges, our solution makes use of the rich connectivity among ASes that exists in the Internet. Simulation results show that this simple solution can effectively detect false routing announcements even in the presence of multiple compromised routers, become more robust in larger topologies, and can substantially reduce the impact of false routing announcements even with a partial deployment.

Johannes Krupp,Christian Rossow

DOI: https://doi.org/10.1109/eurosp51992.2021.00036

2021-09-01

Abstract:Amplification DDoS attacks inherently rely on IP spoofing to steer attack traffic to the victim. At the same time, IP spoofing undermines prosecution, as the originating attack infrastructure remains hidden. Researchers have therefore proposed various mechanisms to trace back amplification attacks (or IP-spoofed attacks in general). However, existing traceback techniques require either the cooperation of external parties or a priori knowledge about the attacker. We propose BGPEEK-A-Boo, a BGP-based approach to trace back amplification attacks to their origin network. BGPEEK-A-Boo monitors amplification attacks with honeypots and uses BGP Poisoning to temporarily shut down ingress traffic from selected Autonomous Systems. By systematically probing the entire AS space, we detect systems forwarding and originating spoofed traffic. We then show how a graph-based model of BGP route propagation can reduce the search space, resulting in a 5 x median speed-up and over 20x for ¼ of all cases. BGPEEK-A-Boo achieves a unique traceback result 60% of the time in a simulation-based evaluation supported by real-world experiments.

Xuewei Feng,Qi Li,Kun Sun,Zhiyun Qian,Gang Zhao,Xiaohui Kuang,Chuanpu Fu,Ke Xu

2022-01-01

Abstract:ICMP redirect is a mechanism that allows an end host to dynamically update its routing decisions for particular destinations. Previous studies show that ICMP redirect may be exploited by attackers to manipulate the routing of victim traffic. However, it is widely believed that ICMP redirect attacks are not a real-world threat since they can only occur under specific network topologies (e.g., LAN). In this paper, we conduct a systematic study on the legitimacy check mechanism of ICMP and uncover a fundamental gap between the check mechanism and stateless protocols, resulting in a wide range of vulnerabilities. In particular, we find that off-path attackers can utilize a suite of stateless protocols (e.g., UDP, ICMP, GRE, IPIP and SIT) to easily craft evasive ICMP error messages, thus revitalizing ICMP redirect attacks to cause serious damage in the real world, particularly, on the wide-area network. First, we show that off-path attackers can conduct a stealthy DoS attack by tricking various public servers on the Internet into mis-redirecting their traffic into black holes with a single forged ICMP redirect message. For example, we reveal that more than 43K popular websites on the Internet are vulnerable to this DoS attack. In addition, we identify 54.47K open DNS resolvers and 186 Tor nodes on the Internet are vulnerable as well. Second, we show that, by leveraging ICMP redirect attacks against NATed networks, off-path attackers in the same NATed network can perform a man-in-the-middle (MITM) attack to intercept the victim traffic. Finally, we develop countermeasures to throttle these attacks.

Tongqing Qiu,Lusheng Ji,Dan Pei,Jia Wang,Jun Xu

DOI: https://doi.org/10.1109/ICNP.2010.5762762

2010-01-01

Abstract:IP prefix hijacking is one of the top security threats targeting today's Internet routing protocol. Several schemes have been proposed to either detect or mitigate prefix hijacking events. However, none of these approaches is adopted and deployed on a large-scale on the Internet for reasons such as scalability, economical practicality, or unrealistic assumptions about the collaborations among ISPs. Thus there are no actionable and deployable solutions for dealing with prefix hijacking. In this paper, we study key issues related to deploying and operating an IP prefix hijacking detection and mitigation system. Our contributions include (i) deployment strategies for hijacking detection and mitigation system (named as TowerDefense): a practical service model for prefix hijacking protection and effective algorithms for selecting agent locations for detecting and mitigating prefix hijacking attacks; and (ii) large scale experiments on PlanetLab and extensive analysis on the performance of TowerDefense.