SCIENCE CHINA Information Sciences, Volume 59, Issue 5: 052105 (2016). https://doi.org/10.1007/s11432-015-5490-8

An accurate distributed scheme for detection of prefix interception

  • Received: Apr 14, 2015
  • Accepted: Sep 18, 2015
  • Published: Apr 8, 2016

Abstract

Previous research in interdomain routing security has often focused on prefix hijacking. However, several prefix interception events have occurred recently, posing a new security challenge to the interdomain routing system. Compared with prefix hijacking, prefix interception is much harder to detect, because it avoids creating a black hole by forwarding the hijacked traffic back to the victim. In this paper, we present a novel method to detect prefix interception. Our approach exploits a key observation about prefix interception: during such an event, the attacker detours the intercepted traffic through its own network, which turns that network into a new, important "transit point" on the way to the victim. By collecting data plane information to detect the emerging "transit point" and using control plane information to verify it, our scheme can identify prefix interception in real time. The results of Internet experiments and Internet-scale simulations show that our method is accurate, with a low false alarm rate (0.28%) and false negative rate (2.26%).
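The following is an added Python example, not code from the paper or its authors. It sketches the two-stage idea the abstract describes: from AS-level paths observed in the data plane (e.g. traceroute from several vantage points to the victim prefix), find an AS that was previously absent from the paths but now carries a large share of them (the emerging "transit point"), then confirm the candidate against control-plane AS paths before raising an alarm. All AS numbers and path data are constructed placeholders; the 50% share threshold and the form of control-plane confirmation used here (the candidate AS newly appears on BGP AS paths toward the prefix) are assumptions of this example, not the paper's actual parameters or verification logic.

```python
from collections import Counter
from typing import Dict, List, Sequence

# Constructed example data. Private-use AS numbers are used as placeholders;
# none of these paths describe any real network.
VICTIM_AS = 65001

# Data-plane AS-level paths from four vantage points to the victim prefix,
# as they might be derived from traceroute during a stable period.
BASELINE_DATA_PATHS: Dict[str, List[int]] = {
    "vp1": [65101, 65201, 65001],
    "vp2": [65102, 65202, 65001],
    "vp3": [65103, 65201, 65001],
    "vp4": [65104, 65202, 65001],
}

# Same vantage points during a simulated interception: three of the four
# paths now detour through AS 65300 before reaching the victim.
CURRENT_DATA_PATHS: Dict[str, List[int]] = {
    "vp1": [65101, 65300, 65201, 65001],
    "vp2": [65102, 65300, 65202, 65001],
    "vp3": [65103, 65300, 65201, 65001],
    "vp4": [65104, 65202, 65001],
}

# A benign change: a single vantage point picks up a new upstream (AS 65400).
BENIGN_DATA_PATHS: Dict[str, List[int]] = {
    "vp1": [65101, 65201, 65001],
    "vp2": [65102, 65400, 65202, 65001],
    "vp3": [65103, 65201, 65001],
    "vp4": [65104, 65202, 65001],
}

# Control-plane AS paths for the prefix, as seen at BGP route collectors.
BASELINE_BGP_PATHS: List[List[int]] = [
    [65101, 65201, 65001], [65102, 65202, 65001], [65104, 65202, 65001],
]
CURRENT_BGP_PATHS: List[List[int]] = [
    [65101, 65300, 65001], [65102, 65300, 65001], [65104, 65202, 65001],
]


def transit_share(paths: Dict[str, List[int]], victim_as: int) -> Dict[int, float]:
    """Fraction of vantage-point paths that traverse each AS (victim excluded)."""
    counts: Counter = Counter()
    for path in paths.values():
        for asn in set(path):  # count an AS once per path
            if asn != victim_as:
                counts[asn] += 1
    total = len(paths)
    return {asn: c / total for asn, c in counts.items()}


def emerging_transit_points(baseline: Dict[str, List[int]],
                            current: Dict[str, List[int]],
                            victim_as: int,
                            min_share: float = 0.5,
                            max_baseline_share: float = 0.0) -> List[int]:
    """ASes that now carry at least min_share of the paths but were
    (almost) never on the path before. Thresholds are example assumptions."""
    base = transit_share(baseline, victim_as)
    cur = transit_share(current, victim_as)
    return sorted(asn for asn, share in cur.items()
                  if share >= min_share and base.get(asn, 0.0) <= max_baseline_share)


def control_plane_confirms(asn: int,
                           baseline_bgp: Sequence[Sequence[int]],
                           current_bgp: Sequence[Sequence[int]]) -> bool:
    """Assumed confirmation rule: the candidate AS is newly present on the
    BGP AS paths observed for the prefix and was absent from the baseline."""
    was_present = any(asn in p for p in baseline_bgp)
    now_present = any(asn in p for p in current_bgp)
    return now_present and not was_present


def detect_interception(baseline_data: Dict[str, List[int]],
                        current_data: Dict[str, List[int]],
                        baseline_bgp: Sequence[Sequence[int]],
                        current_bgp: Sequence[Sequence[int]],
                        victim_as: int) -> List[int]:
    """Data-plane candidates filtered by the control-plane check."""
    return [asn for asn in emerging_transit_points(baseline_data, current_data, victim_as)
            if control_plane_confirms(asn, baseline_bgp, current_bgp)]


if __name__ == "__main__":
    print("candidates:", emerging_transit_points(BASELINE_DATA_PATHS, CURRENT_DATA_PATHS, VICTIM_AS))
    print("alarms:", detect_interception(BASELINE_DATA_PATHS, CURRENT_DATA_PATHS,
                                         BASELINE_BGP_PATHS, CURRENT_BGP_PATHS, VICTIM_AS))
    print("benign change:", detect_interception(BASELINE_DATA_PATHS, BENIGN_DATA_PATHS,
                                                BASELINE_BGP_PATHS, BASELINE_BGP_PATHS, VICTIM_AS))
```

The control-plane step is what separates this from a plain traceroute-diff: the same data-plane detour with unchanged BGP paths (e.g. an internal re-engineering of an existing transit) produces a candidate but no alarm, which is the false-alarm case the abstract's verification stage is meant to suppress.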


Funded by

National Natural Science Foundation of China (61472215)


Acknowledgments

This work was supported by National Natural Science Foundation of China (Grant No. 61472215). We thank Cristel Pelsser for her helpful comments. We are also grateful to Randy Bush for his help.



Copyright 2019 Science China Press Co., Ltd. All rights reserved.
