Post on 12-Jan-2016
Accurate Real-Time Identification of IP Prefix Hijacking
Z. Morley Mao, Xin Hu
2007 IEEE Symposium on Security and Privacy, Oakland, California, May 2007
Outline
- Introduction
- Taxonomy of IP prefix hijacking
- Proposed approach of combining control and data plane information
- Implementation and results
- Conclusion
IP prefix hijacking
Fraudulent origin attack
- Steal IP prefixes belonging to other networks
- Announce unauthorized prefixes through BGP
- Can also result from network misconfiguration
Motivation
Existing solutions
- Route filters: insufficient due to multi-homing
- Short-lived announcements [Boothe06] and anomalous routing information [Lad06]: rely solely on the control plane, so high false positives and false negatives
Control plane + data plane
- Control plane anomalies trigger real-time detection
- Data plane fingerprints provide confirmative evidence
- Real-time and accurate identification of prefix hijacking
Prefix announcements
[Figure: BGP propagation of a legitimately announced prefix across AS 1 to AS 5. AS 1 advertises 1.2.0.0/16 with path 1. AS 2 installs 1.2.0.0/16 with path 1 and re-advertises it with path 2, 1; AS 3 and AS 4 install path 2, 1 and advertise paths 3, 2, 1 and 4, 2, 1; AS 5 installs path 4, 2, 1. Every table agrees on the single origin AS 1.]
Type 1: Hijack a prefix
[Figure: same topology. AS 1 advertises 1.2.0.0/16, and AS 5 also advertises 1.2.0.0/16 with path 5. AS 4 now installs 1.2.0.0/16 with path 5 and re-advertises it with path 4, 5; tables downstream of AS 4 hold 1.2.0.0/16 with origin 5, while AS 2 still holds path 1 and AS 3 path 2, 1. The same prefix is now originated by two ASes: a MOAS (Multiple Origin AS) conflict.]
Type 2: Hijack a prefix and its AS number
[Figure: AS 1 advertises 1.2.0.0/16. AS 5 advertises a path to 1.2.0.0/16 with path 5, 1, i.e. it keeps AS 1 as the origin. AS 4 installs 1.2.0.0/16 with path 5, 1 and advertises path 4, 5, 1; AS 2 and AS 3 still hold paths 1 and 2, 1. Every table shows origin AS 1: NO MOAS!]
Type 3: Hijack a subnet of a prefix
[Figure: AS 1 advertises 1.2.0.0/16. AS 5 advertises the more specific 1.2.3.0/24 with path 5. AS 4 installs 1.2.3.0/24 (path 5) next to 1.2.0.0/16 (path 2, 1); AS 3 and AS 2 install 1.2.3.0/24 with path 4, 5 next to their existing 1.2.0.0/16 routes (paths 2, 1 and 1). The /24 and the /16 have different origins, but no single prefix has two origins: No MOAS, but a subMOAS conflict!]
Longest prefix matching
Attacker is able to attract all traffic
[Figure: tables as in the type 3 attack. AS 4 holds 1.2.3.0/24 (path 5) and 1.2.0.0/16 (path 2, 1); AS 3 holds 1.2.3.0/24 (path 4, 5) and 1.2.0.0/16 (path 2, 1); AS 2 holds 1.2.3.0/24 (path 4, 5) and 1.2.0.0/16 (path 1). A packet sent to 1.2.3.4 in AS 1 matches the /24 under longest prefix matching and is forwarded along 4, 5 to the attacker in AS 5.]
Type 4: Hijack a subnet of a prefix and AS number
[Figure: AS 1 advertises 1.2.0.0/16. AS 5 advertises a path to 1.2.3.0/24 with path 5, 1, keeping AS 1 as the origin. AS 4 installs 1.2.3.0/24 (path 5, 1) next to 1.2.0.0/16 (path 2, 1); AS 3 and AS 2 install 1.2.3.0/24 with path 4, 5, 1 next to 1.2.0.0/16 (paths 2, 1 and 1). Longest prefix matching sends traffic for the /24 to AS 5, yet both prefixes show origin AS 1: neither MOAS nor subMOAS!]
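The four attack types above differ only in what a control-plane monitor can see: types 1 and 3 produce a MOAS or subMOAS conflict, types 2 and 4 do not, and in both subnet cases longest prefix matching is what delivers the traffic. The following Python example, added here and not code from the paper or its prototype, classifies an incoming (prefix, AS path) update against a constructed routing-table view of the slides' AS 1 to AS 5 topology and shows the longest-prefix-match decision; the table contents and the function names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed routing-table view modelled on the slides' AS 1..AS 5 topology
# before any attack: (prefix, AS path as a monitor sees it); the origin AS is
# the last element of the path. All values are assumptions for illustration.
BASELINE = [
    ("1.2.0.0/16", (2, 1)),
    ("1.2.0.0/16", (3, 2, 1)),
    ("1.2.0.0/16", (4, 2, 1)),
]


def origins_by_prefix(routes):
    """Map each announced prefix to the set of origin ASes seen for it."""
    origins = defaultdict(set)
    for prefix, path in routes:
        origins[ipaddress.ip_network(prefix)].add(path[-1])
    return origins


def classify_update(routes, prefix, path):
    """Classify a new (prefix, path) against the current table.

    "MOAS"    - the same prefix is already originated by another AS (type 1)
    "subMOAS" - the prefix is a more specific of a covering prefix with a
                different origin (type 3)
    "none"    - no origin conflict is visible in the control plane; a forged
                path that keeps the victim's origin AS (type 2 / type 4)
                lands here, which is why the slides call for data-plane checks
    """
    net = ipaddress.ip_network(prefix)
    origin = path[-1]
    origins = origins_by_prefix(routes)
    if origins.get(net, set()) - {origin}:
        return "MOAS"
    for known, known_origins in origins.items():
        if known != net and net.subnet_of(known) and known_origins - {origin}:
            return "subMOAS"
    return "none"


def longest_prefix_match(routes, dst):
    """Forwarding decision: the most specific installed prefix covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, path in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path)
    return best


if __name__ == "__main__":
    print(classify_update(BASELINE, "1.2.0.0/16", (4, 5)))       # type 1 -> MOAS
    print(classify_update(BASELINE, "1.2.0.0/16", (4, 5, 1)))    # type 2 -> none
    print(classify_update(BASELINE, "1.2.3.0/24", (4, 5)))       # type 3 -> subMOAS
    print(classify_update(BASELINE, "1.2.3.0/24", (4, 5, 1)))    # type 4 -> none
    # Once the attacker's /24 is installed, traffic to 1.2.3.4 follows it even
    # though the victim's /16 is still in the table (longest prefix matching).
    hijacked = BASELINE + [("1.2.3.0/24", (4, 5))]
    print(longest_prefix_match(hijacked, "1.2.3.4"))
```

The "none" result for the forged-origin paths is the point of the taxonomy: a monitor that only watches for MOAS and subMOAS conflicts is blind to types 2 and 4, and a monitor that only watches the /16 never notices that the /24 now wins every forwarding decision.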
Control plane information alone is insufficient
False positive: legitimate reasons for anomalous routing updates
- Multi-homing with static link
[Figure: AS 1 owns 1.2.3.0/24 and announces it to AS 2 (path 1; AS 2 re-advertises 1.2.3.0/24 with path 2, 1). AS 1 is also connected to AS 3 over a static link or IGP route, and AS 3 announces 1.2.3.0/24 with path 3. The prefix now appears with origins 1 and 3: MOAS!]
- Aggregation
[Figure: AS 2 owns 1.2.0.0/16 and AS 3 owns 5.6.0.0/16; AS 1, connected to both, owns 1.2.3.0/24 and announces it with path 1. AS 2 aggregates and announces 1.2.0.0/16 with path 2, while AS 3 announces 1.2.3.0/24 with path 3, 1. The /24 inside the /16 has a different origin from the /16: subMOAS!]
Control plane information alone is insufficient
False positive: legitimate reasons for anomalous routing updates
- Multi-homing with static link and aggregation
False negative
- AS-level path may not match the forwarding path
- Type 2 and type 4 attacks do not lead to control plane anomalies
Proposed approach
Combine control plane and data plane information
- A successful hijacking will result in conflicting data plane fingerprints
- A hijacking attempt cannot affect the entire network, especially the network topologically close to the victim
Fingerprinting-based consistency check
- For valid MOAS and subMOAS, there is only one owner for the prefix: same data plane fingerprints
- For real hijacking, traffic from different locations may arrive at the true owner or at the attacker: conflicting fingerprints
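The consistency check described on this slide, as an added Python example that is not code from the paper or its prototype. Probe results from several vantage points are grouped into clusters of mutually consistent fingerprints: one cluster means every probe reached the same host (a valid MOAS or subMOAS, such as multi-homing), two or more clusters mean the data plane disagrees. The record layout, the vantage-point names, the tolerance on uptime and the rule for when two fingerprints agree (liveness, OS guess, open ports, TCP-timestamp uptime) are assumptions of this example; the slides list the actual probing techniques on the next slide.

```python
# Constructed probe records, one per vantage point. The fields mirror what the
# slides say is collected (liveness, OS guess, open ports, timestamp-derived
# uptime), but the values and field names are assumptions for illustration.

def fingerprints_consistent(a, b, uptime_tolerance_s=60):
    """True when two probe results could plausibly describe the same host.

    Liveness is compared first: if one vantage point reaches a host and
    another does not, the fingerprints already conflict (the type 1 case on
    the slides). Uptime is compared with a tolerance because the probes are
    not launched at exactly the same instant."""
    if a["alive"] != b["alive"]:
        return False
    if not a["alive"]:
        return True  # neither vantage point reached anything; nothing to compare
    if a["os"] != b["os"] or a["open_ports"] != b["open_ports"]:
        return False
    return abs(a["uptime_s"] - b["uptime_s"]) <= uptime_tolerance_s


def consistency_check(probes):
    """Group vantage points into clusters of mutually consistent fingerprints.

    Returns a list of clusters (each a list of vantage-point names). A single
    cluster means all probes arrived at one owner; several clusters mean
    traffic from different locations ended up at different hosts."""
    clusters = []  # (representative fingerprint, [vantage points])
    for vantage, fp in probes.items():
        for rep, members in clusters:
            if fingerprints_consistent(rep, fp):
                members.append(vantage)
                break
        else:
            clusters.append((fp, [vantage]))
    return [members for _, members in clusters]


def verdict(probes):
    """'consistent' for a valid MOAS/subMOAS, 'conflict' for a likely hijack."""
    return "conflict" if len(consistency_check(probes)) > 1 else "consistent"


# Constructed inputs: a multi-homed prefix (every probe reaches the same
# Linux host) versus a hijack (one probe reaches a different OS, one reaches
# nothing at all).
VALID_MOAS = {
    "vp-a": {"alive": True, "os": "Linux 2.6", "open_ports": (25, 53), "uptime_s": 1000},
    "vp-b": {"alive": True, "os": "Linux 2.6", "open_ports": (25, 53), "uptime_s": 1010},
    "vp-c": {"alive": True, "os": "Linux 2.6", "open_ports": (25, 53), "uptime_s": 1020},
}
HIJACK = {
    "vp-a": {"alive": True, "os": "Linux 2.6", "open_ports": (25, 53), "uptime_s": 1000},
    "vp-b": {"alive": True, "os": "FreeBSD 4.x", "open_ports": (22, 179), "uptime_s": 500000},
    "vp-c": {"alive": False, "os": None, "open_ports": (), "uptime_s": None},
}

if __name__ == "__main__":
    print(verdict(VALID_MOAS), consistency_check(VALID_MOAS))
    print(verdict(HIJACK), consistency_check(HIJACK))
```

Clustering rather than pairwise comparison matters when many vantage points probe: it keeps the check linear in the number of probes and makes the output directly readable (which vantage points landed where), which is what an operator needs when deciding whether a MOAS is multi-homing or an attack.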
Fingerprinting techniques
Determine characteristics of remote hosts or networks by sending probe packets
Host-based fingerprinting
- Host operating system detection
- IP Identifier (IPID) probing
- Timestamp probing (ICMP and TCP timestamp)
- Reflect-scan
Network fingerprinting
- Firewall policies
- Resource properties (e.g., bandwidth)
- Edge router characteristics
Detection of prefix hijack
[Figure: AS 1 advertises 1.2.0.0/16 (AS 2 holds path 1, AS 3 holds path 2, 1) and AS 5 also advertises 1.2.0.0/16 (AS 4 holds path 5 and advertises 4, 5). Probing servers at different locations fingerprint the same address 1.2.3.4: probes routed through AS 2 reach the host in AS 1, probes routed through AS 4 reach a host in AS 5, so the fingerprints conflict.]
Detection of prefix and AS hijacking
Problem
- Attackers avoid MOAS conflicts by retaining the correct origin AS
- Checking all updates is prohibitively expensive
Heuristics for detecting the fake AS edge
- Edge popularity constraint
- Geographic constraint
- Relationship constraint [Kruegel2003]
Violation of these constraints triggers the fingerprinting check
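The three EGR constraints as an added Python example (not the paper's code): edge popularity counts how many prefixes have historically used each AS edge, the geographic constraint measures the great-circle distance between the two ASes of an edge, and the relationship constraint checks that the path is valley-free under known customer/provider/peer relationships. The history, AS coordinates, relationship data and both thresholds are constructed assumptions; the slides say the real system took prefix geography from CAIDA NetGeo and the relationship heuristics from [Kruegel2003]. The forged path (4, 5, 1) keeps the victim's origin AS 1 and so shows no MOAS, but its first hop 4-5 trips all three constraints.

```python
import math
from collections import defaultdict

# Constructed data for illustration only; AS numbers, coordinates,
# relationships and thresholds are assumptions, not values from the paper.

# AS paths observed for each prefix before the update under test, recorded
# as BGP lists them: first hop nearest the monitor, origin AS last.
HISTORY = {
    "1.2.0.0/16": [(4, 2, 1), (3, 2, 1)],
    "9.8.0.0/16": [(4, 2, 9)],
    "7.7.0.0/16": [(3, 2, 7)],
}

# Approximate AS locations as (latitude, longitude) in degrees.
AS_LOCATION = {
    1: (42.3, -83.7),   # Ann Arbor
    2: (40.7, -74.0),   # New York
    3: (37.8, -122.4),  # San Francisco
    4: (43.7, -79.4),   # Toronto
    5: (35.7, 139.7),   # Tokyo
    7: (47.6, -122.3),  # Seattle
    9: (41.9, -87.6),   # Chicago
}

# customer AS -> set of its providers. AS 2 is the transit provider, AS 3 and
# AS 4 peer with each other, AS 5 has no known relationship with anyone.
PROVIDERS = {1: {2}, 3: {2}, 4: {2}, 7: {2}, 9: {2}}
PEERS = {frozenset({3, 4})}


def edge_popularity(history):
    """Number of distinct prefixes whose historical paths traverse each AS edge."""
    prefixes_per_edge = defaultdict(set)
    for prefix, paths in history.items():
        for path in paths:
            for a, b in zip(path, path[1:]):
                prefixes_per_edge[(a, b)].add(prefix)
    return {edge: len(p) for edge, p in prefixes_per_edge.items()}


def haversine_km(p, q):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def relationship(a, b):
    """'p2c' if a is a provider of b, 'c2p' if a is a customer of b,
    'p2p' if they peer, None if no relationship is known."""
    if a in PROVIDERS.get(b, set()):
        return "p2c"
    if b in PROVIDERS.get(a, set()):
        return "c2p"
    if frozenset({a, b}) in PEERS:
        return "p2p"
    return None


def valley_free(path):
    """Relationship constraint. Walking from the origin towards the monitor the
    path may climb customer->provider, cross at most one peer link, then only
    descend provider->customer; an edge with no known relationship counts as
    a violation (an assumption of this example)."""
    rev = path[::-1]
    state = "up"
    for a, b in zip(rev, rev[1:]):
        rel = relationship(a, b)
        if rel == "c2p" and state == "up":
            continue
        if rel == "p2p" and state == "up":
            state = "peer"
        elif rel == "p2c":
            state = "down"
        else:
            return False
    return True


def check_update(path, history, max_edge_km=5000.0, min_popularity=1):
    """Return the EGR constraints a new AS path violates; [] means it passes.
    A non-empty result is what should trigger the fingerprinting check."""
    popularity = edge_popularity(history)
    violations = []
    for a, b in zip(path, path[1:]):
        if popularity.get((a, b), 0) < min_popularity:
            violations.append(("edge", (a, b)))
        if haversine_km(AS_LOCATION[a], AS_LOCATION[b]) > max_edge_km:
            violations.append(("geo", (a, b)))
    if not valley_free(path):
        violations.append(("relationship", path))
    return violations


if __name__ == "__main__":
    print(check_update((4, 2, 1), HISTORY))   # legitimate path: []
    print(check_update((4, 5, 1), HISTORY))   # forged first hop 4-5: edge, geo, relationship
```

Treating an edge with no known relationship as a violation is the conservative choice for a trigger: it costs a fingerprint probe on a path that may turn out to be legitimate, which the consistency check then clears, rather than letting a new edge through unexamined.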
Detection of prefix subnet hijacking
Problem: attackers avoid MOAS conflicts by hijacking a subnet (longest prefix matching)
[Figure: AS 1 advertises 1.2.0.0/16 and AS 5 advertises 1.2.3.0/24. AS 4 holds 1.2.3.0/24 (path 5) and 1.2.0.0/16 (path 2, 1); AS 3 holds 1.2.3.0/24 (path 4, 5) and 1.2.0.0/16 (path 2, 1); AS 2 holds 1.2.3.0/24 (path 4, 5) and 1.2.0.0/16 (path 1). Probing servers fingerprint 1.2.3.4 from different locations, but every AS that has learned the /24 steers its probes to AS 5 under longest prefix matching.]
Detection of prefix subnet hijacking (Cont.)
Identify subMOAS conflicts
- Newly announced prefixes that are part of an existing prefix
Customer-provider relationship check
- Assume provider and customer will not hijack one another
Reflect-scan to detect subnet hijacking
- IGP routing within the victim AS is unaffected
- Use IP spoofing to solicit traffic inside the victim AS
- Predictable IP ID increment in IP packets
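The customer-provider filter in front of the reflect-scan, as an added Python example that is not code from the paper. A newly announced prefix is checked for a covering prefix with a different origin (a subMOAS conflict); if the two origins stand in a customer/provider relationship the conflict is treated as benign, as in the aggregation case earlier in the deck where a customer announces its /24 inside the provider's /16; otherwise the prefix is handed to the data-plane check. The relationship data, the covering-prefix table, and the choice to also accept an indirect provider (customer of a customer) are assumptions of this example.

```python
import ipaddress

# Constructed data for illustration (not from the paper): customer AS -> set
# of its direct providers, and the covering prefixes currently in the table
# with their origin ASes. Mirrors the slides' aggregation case: AS 2 announces
# the aggregate 1.2.0.0/16 and its customer AS 1 announces 1.2.3.0/24 inside it.
PROVIDERS = {1: {2}, 3: {2}, 4: {2}, 8: {3}}
RIB = {"1.2.0.0/16": 2, "5.6.0.0/16": 3}


def provider_chain(asn, providers=PROVIDERS, depth=3):
    """ASes reachable from asn by walking provider links at most `depth` hops.
    Counting an indirect provider as related is an assumption of this example."""
    seen, frontier = set(), {asn}
    for _ in range(depth):
        nxt = set()
        for a in frontier:
            nxt |= providers.get(a, set()) - seen
        seen |= nxt
        frontier = nxt
    return seen


def customer_provider_related(a, b):
    """C-P check: is one AS a (possibly indirect) provider of the other?"""
    return b in provider_chain(a) or a in provider_chain(b)


def covering_prefix(rib, prefix):
    """Most specific prefix in rib that strictly contains `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for p in rib:
        cand = ipaddress.ip_network(p)
        if cand != net and net.subnet_of(cand) and (
                best is None or cand.prefixlen > best.prefixlen):
            best = cand
    return best


def triage_submoas(rib, prefix, origin):
    """Decide what a newly announced prefix needs.

    "not-subMOAS"      - no covering prefix, or same origin as the cover
    "legitimate (C-P)" - origins are customer and provider; assumed benign
    "reflect-scan"     - unrelated origins; hand over to the data-plane check
    """
    cover = covering_prefix(rib, prefix)
    if cover is None or rib[str(cover)] == origin:
        return "not-subMOAS"
    if customer_provider_related(origin, rib[str(cover)]):
        return "legitimate (C-P)"
    return "reflect-scan"


if __name__ == "__main__":
    print(triage_submoas(RIB, "1.2.3.0/24", 1))   # customer of AS 2 -> legitimate (C-P)
    print(triage_submoas(RIB, "1.2.3.0/24", 5))   # no relationship -> reflect-scan
    print(triage_submoas(RIB, "9.9.9.0/24", 5))   # nothing covers it -> not-subMOAS
```

The depth bound on the provider walk keeps the "related" set small; with depth 1 only direct customers pass, which is the stricter reading of "provider and customer will not hijack one another".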
Summary of detection techniques
Limitations
- Detection is triggered by anomalous updates
- Limited number of vantage points
- Firewall blocks probing packets
- Ingress filtering

Attack type               | Monitored routing updates | Detection technique
Hijack prefix             | MOAS updates              | Fingerprinting-based consistency check (FP check)
Hijack prefix & AS        | All updates               | Edge, geographic, and relationship (EGR) constraints, FP check
Hijack subnet prefix      | subMOAS updates           | Customer-provider (C-P) check, reflect-scan
Hijack subnet prefix & AS | New, non-subMOAS updates  | EGR constraints, reflect-scan
Prototype implementation
Data set
- BGP data set: RouteViews + our own BGP monitor
- Probe location: PlanetLab testbed
- Live IP addresses: DNS and web server logs + lightweight ping
- Prefix geographic information: NetGeo from CAIDA
Fingerprinting
- OS detection and TCP timestamp: Nmap v3.95
- IPID and ICMP timestamp: Ruby on PlanetLab
- Reflect-scan: hping v2
Results
2 weeks' monitoring period; real-time BGP data from our BGP monitor

Attack type                                             | Anomalous updates: total number | Avg rate / 15 min | Suspicious updates (after FP check)
1 MOAS conflicts                                        | 3685  | 0.52 | 332
2 Violate EGR constraints                               | 17205 | 2.43 | 594
3 subMOAS conflicts (after C-P check)                   | 3380  | 0.47 | 594
4 New non-subMOAS prefixes that violate EGR constraints | 1195  | 0.17 | 85
Potential attack (type 1)
planetlab1.cambridge.intel-research.net:
Starting nmap 3.93 at 2006-04-25 10:02 EDT
Host 192.6.10.2 appears to be up
Interesting ports on 192.6.10.2:
PORT     STATE SERVICE
25/tcp   open  smtp
53/tcp   open  domain
119/tcp  open  nntp
1080/tcp open  socks
5001/tcp open  commplex-link
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.5 - 2.6.11
Uptime 33.102 days (since Thu Mar 23 06:35:01 2006)
Nmap finished: 1 IP address (1 host up) scanned in 13.882 seconds

pli1-br-1.hpl.hp.com:
Starting nmap 3.93 at 2006-04-25 10:02 EDT
Initiating ARP Ping Scan against 192.6.10.2 [1 port] at 10:02
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 0.656 seconds

Different liveness of the target host in a MOAS conflict: 192.6.10.0/24 is announced by AS 2856 and AS 786.
Potential attack (type 2)
plab1.nec-labs.com:
Starting nmap 3.93 at 2006-05-02 15:11 EDT
Initiating SYN Stealth Scan against 82.146.60.1 [1668 ports] at 15:11
Host 82.146.60.1 appears to be up ...
Interesting ports on 82.146.60.1:
PORT    STATE SERVICE
22/tcp  open  ssh
179/tcp open  bgp
Device type: general purpose
Running: FreeBSD 4.X
OS details: FreeBSD 4.7 - 4.8-RELEASE
Uptime 76.681 days (since Tue Feb 14 21:51:21 2006)
Nmap finished: 1 IP address (1 host up) scanned in 38.420 seconds

planetlab01.erin.utoronto.ca:
Starting nmap 3.93 at 2006-05-02 15:11 EDT
Initiating SYN Stealth Scan against 82.146.60.1 [1668 ports] at 15:11
Host 82.146.60.1 appears to be up...
Interesting ports on 82.146.60.1:
PORT   STATE SERVICE
22/tcp open  ssh
Device type: firewall
Running: Symantec Solaris 8
OS details: Symantec Enterprise Firewall v7.0.4 (on Solaris 8)
Nmap finished: 1 IP address (1 host up) scanned in 11.390 seconds

Difference in response fingerprints of a suspicious type 2 attack: 82.146.60.0/23 is announced by AS 25486. The first hop <8804 2548> is used only by 6 prefixes and the edge distance is 8968 kilometers.
DNS anycast validation
IP anycast of root DNS servers
- Multiple servers support the same service under the same IP address
- 5 out of 13 DNS servers use anycast (C, F, I, J and K)
Legitimate type 2 hijack attack: hijack both prefix and AS number
- Our system successfully detects 4 of them
- The C-root server doesn't violate the EGR check
Fingerprints for F root server
planetlab-1.eecs.cwru.edu:
Starting nmap 3.93 at 2006-05-03 21:42 EDT
Interesting ports on 192.5.5.241:
PORT   STATE SERVICE
53/tcp open  domain
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi)
Uptime 14.963 days (since Tue Apr 18 22:35:51 2006)
Nmap finished: 1 IP address (1 host up) scanned in 23.554 seconds

crt1.planetlab.umontreal.ca:
Starting nmap 3.93 at 2006-05-03 21:42 EDT
Interesting ports on 192.5.5.241:
PORT   STATE SERVICE
53/tcp open  domain
Device type: general purpose
Running: FreeBSD 5.X
OS details: FreeBSD 5.3
Uptime 11.573 days (since Sat Apr 22 07:56:43 2006)
Nmap finished: 1 IP address (1 host up) scanned in 26.225 seconds
Correlation with spam data
- Hijacked IP prefixes are often used for spamming
- Correlate identified suspicious updates with spam source IPs
- Non-negligible correlation between hijacking and spamming
- Time interval between identification of suspicious updates and the arrival of spam

Type | # of suspicious prefixes | # of matched prefixes | # matched within 1 h | within 6 h | within 1 d
1    | 332 | 28 | 19 | 25 | 25
2    | 594 | 91 | 34 | 74 | 87
3    | 151 | 10 | 4  | 8  | 10
4    | 85  | 11 | 5  | 10 | 11
Correlation between detected suspicious prefixes and spam sources.
Conclusion
- Propose a framework for accurate real-time detection of IP prefix hijacking attacks
- Exploit a novel insight that a real hijacking will result in conflicting data-plane fingerprints
- Propose a detailed classification of hijacking attacks and a detection algorithm for each type
- Achieve significant reduction in both false positives and false negatives
Paper 2: A Light-Weight Distributed Scheme for Detecting IP Prefix Hijacks in Real-Time
In SIGCOMM'07
Key observations
- If a prefix is hijacked, the paths observed from certain vantage points to the prefix would likely exhibit significant changes.
- The path from a source to a prefix is almost always a super-path of the path from the same source to a reference point along the previous path, as long as the reference point is topologically close to the prefix.
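The two observations as an added Python example (not code from the SIGCOMM'07 paper): a vantage point first checks whether its path to the prefix has changed significantly, and only then checks whether the new path still begins with its path to a reference point near the prefix (the super-path test). The hop names, the change metric (fraction of old intermediate hops missing from the new path) and the threshold are assumptions of this example; the paper's own measurements and parameters are not on these slides.

```python
# Constructed hop sequences as a vantage point would derive them from
# traceroute. Hop names are placeholders, not measurements from the paper.

def is_super_path(path_to_prefix, path_to_reference):
    """Second observation: the path to the prefix should begin with (be a
    super-path of) the path to a reference point close to the prefix."""
    n = len(path_to_reference)
    return len(path_to_prefix) >= n and tuple(path_to_prefix[:n]) == tuple(path_to_reference)


def change_fraction(old_path, new_path):
    """First observation: share of the old intermediate hops that no longer
    appear in the new path (endpoints excluded, since they never change)."""
    old_hops = set(old_path[1:-1])
    if not old_hops:
        return 0.0
    return len(old_hops - set(new_path[1:-1])) / len(old_hops)


def assess(old_path, new_path, path_to_reference, change_threshold=0.5):
    """Two-stage check run per vantage point. The threshold is an assumption.

    "stable"                 - path did not change enough to look at
    "changed-but-consistent" - changed, but still routes via the reference point
    "suspected-hijack"       - changed and no longer passes the reference point
    """
    if change_fraction(old_path, new_path) < change_threshold:
        return "stable"
    if is_super_path(new_path, path_to_reference):
        return "changed-but-consistent"
    return "suspected-hijack"


# Constructed scenarios. The reference point C lies on the old path next to
# the prefix. After a legitimate reroute the path to C changes together with
# the path to the prefix; after a hijack the path to C is unchanged while the
# path to the prefix diverges towards other hops.
OLD = ("vp", "A", "B", "C", "prefix")
REF_OLD = ("vp", "A", "B", "C")
LEGIT_NEW, REF_LEGIT = ("vp", "D", "E", "C", "prefix"), ("vp", "D", "E", "C")
HIJACK_NEW, REF_HIJACK = ("vp", "A", "X", "Y", "prefix"), ("vp", "A", "B", "C")

if __name__ == "__main__":
    print(assess(OLD, OLD, REF_OLD))                  # stable
    print(assess(OLD, LEGIT_NEW, REF_LEGIT))          # changed-but-consistent
    print(assess(OLD, HIJACK_NEW, REF_HIJACK))        # suspected-hijack
```

The super-path test is what separates a routing change from a hijack without any control-plane data: a legitimate reroute moves the path to the reference point along with the path to the prefix, whereas a hijack pulls the prefix away while the nearby reference point stays where it was.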
High-level methodology and results
- Detect the suspicious hijacking using the first observation
- Confirm the real hijacking using the second observation
- The result is surprisingly good: 0.5% false positives and false negatives (which is really beyond my expectation; why?)
Comparison between the two papers

Criterion        | Paper 1                    | Paper 2
Simplicity       | control + data             | √ data
Real-time        | effect analysis -> probing | √ online probing
Accuracy         | √                          |
Probing overhead | √ targeted                 | brute-force
My thinking (a 100% detection)
Observation? (my guess): hijacked prefixes and victim prefixes are not identically used. Hijacked addresses may be little used?
Proposed method: why not use a very simple and 100% accurate method, PING!!! Just ping the sampled addresses to detect reachable or unreachable.
Merits: very simple, easy to deploy, no false positives and false negatives, comparable overhead with previous work, no other assistance is needed!
Opportunity: I searched online, nobody does so! Want to discuss with all of you: why can't we just do so?