A forensic case study on as hijacking

Schlamp, Johann; Carle, Georg; Biersack, Ernst W.

doi:10.1145/2479957.2479959

Cited by 19 publications

(21 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In either case, the result of a prefix hijack is having rogue entries in the routing tables which may in turn cause disruptions or denial of service. Furthermore, the attacker (if any) could exploit the redirected traffic to carry out other attacks such as spamming [27], phishing [28], or Man In The Middle (MITM) operations [25], [26], [36]. In many cases, the recipient of the misdirected traffic collapses under the unexpected load.…”

Section: Bgp Hijacksmentioning

confidence: 99%

“…However simple at such a small scale, the model becomes relevant when applied to the thousands of routes handled by core transit providers. Model discussion: Counting the number of affected ASs and paths is the usual model for BGP disruptions in the literature [7], [8], [25], [27], [29], [30], [32]. This method is sometimes refined by counting affected prefixes [27], [29], [30] which allows to measure their length [30] or count affected IPs [29].…”

Section: Local Disruptionsmentioning

confidence: 99%

See 1 more Smart Citation

It Bends But Would It Break? Topological Analysis of BGP Infrastructures in Europe

Frey

Elkhatib

Rashid

et al. 2016

2016 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

Abstract-The Internet is often thought to be a model of resilience, due to a decentralised, organically-grown architecture. This paper puts this perception into perspective through the results of a security analysis of the Border Gateway Protocol (BGP) routing infrastructure. BGP is a fundamental Internet protocol and its intrinsic fragilities have been highlighted extensively in the literature. A seldom studied aspect is how robust the BGP infrastructure actually is as a result of nearly three decades of perpetual growth. Although global black-outs seem unlikely, local security events raise growing concerns on the robustness of the backbone. In order to better protect this critical infrastructure, it is crucial to understand its topology in the context of the weaknesses of BGP and to identify possible security scenarios. Firstly, we establish a comprehensive threat model that classifies main attack vectors, including but non limited to BGP vulnerabilities. We then construct maps of the European BGP backbone based on publicly available routing data. We analyse the topology of the backbone and establish several disruption scenarios that highlight the possible consequences of different types of attacks, for different attack capabilities. We also discuss existing mitigation and recovery strategies, and we propose improvements to enhance the robustness and resilience of the backbone. To our knowledge, this study is the first to combine a comprehensive threat analysis of BGP infrastructures with advanced network topology considerations. We find that the BGP infrastructure is at higher risk than already understood, due to topologies that remain vulnerable to certain targeted attacks as a result of organic deployment over the years. Significant parts of the system are still uncharted territory, which warrants further investigation in this direction.

show abstract

Section: Bgp Hijacksmentioning

confidence: 99%

Section: Local Disruptionsmentioning

confidence: 99%

It Bends But Would It Break? Topological Analysis of BGP Infrastructures in Europe

Frey

Elkhatib

Rashid

et al. 2016

2016 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

show abstract

“…Unfortunately, miscreants are becoming increasingly sophisticated and security attacks are no longer isolated events. Instead, attacks often cover multiple domains and behaviors [13,16,17]. For example, Ramchandran et al [13] found that routing anomalies and botnets are exploited by spammers to avoid detection while sending spam, making it difficult for a single network acting on its own to detect the attack.…”

Section: Problem Formulationmentioning

confidence: 99%

Collaborative Network Security: Targeting Wide-area Routing and Edge-network Attacks

Hiran

2016

Linköping Studies in Science and Technology. Dissertations

View full text Add to dashboard Cite

To ensure that services can be delivered reliably and continuously over the Internet, it is important that both Internet routes and edge networks are secured. However, the sophistication and distributed nature of many attacks that target wide-area routing and edge networks make it difficult for an individual network, user, or router to detect these attacks. Therefore collaboration is important. Although the benefits of collaboration between different network entities have been demonstrated, many open questions still remain, including how to best design distributed scalable mechanisms to mitigate attacks on the network infrastructure. This thesis makes several contributions that aim to secure the network infrastructure against attacks targeting wide-area routing and edge networks.First, we present a characterization of a controversial large-scale routing anomaly, in which a large Telecom operator hijacked a very large number of Internet routes belonging to other networks. We use publicly available data from the time of the incident to understand what can be learned about large-scale routing anomalies and what type of data should be collected in the future to diagnose and detect such anomalies.Second, we present multiple distributed mechanisms that enable collaboration and information sharing between different network entities that are affected by such attacks. The proposed mechanisms are applied in the contexts of collaborating Autonomous Systems (ASes), users, and servers, and are shown to help raise alerts for various attacks. Using a combination of data-driven analysis and simulations, based on publicly available real network data (including traceroutes, BGP announcements, and network relationship data), we show that our solutions are scalable, incur low communication and processing overhead, and provide attractive tradeoffs between attack detection and false alert rates.Finally, for a set of previously proposed routing security mechanisms, we consider the impact of regional deployment restrictions, the scale of the collaboration, and the size of the participants deploying the solutions. Although regional deployment can be seen as a restriction and the participation of large networks is often desirable, we find interesting cases where regional deployment can yield better results compared to random global deployment, and where smaller networks can play an important role in achieving better security gains. This study offers new insights towards incremental deployment of different classes of routing security mechanisms.This work was supported by the Swedish National Graduate School of Computer Science (CUGS) and the Internet Foundation in Sweden (IIS). iii Populärvetenskaplig sammanfattningInternet och dess tjänsterär mycket exponerade för attacker. Många av de kritiska protokoll och mekanismer som behövs för att leverera tjänsteröver internet designades för flera decennier sedan. Dessa protokoll och mekanismerär starkt beroende av tillit mellan olika nätverkskomponenter, såsom routers och servrar. Den ex...

show abstract

“…In theory, spammers using this technique are able to circumvent backtracking and traditional IP-based blacklisting due to the short-lived nature of the attack. More recently, a validated case of a BGP hijack specifically carried out to send spam from the stolen prefixes was reported in [12], [13]. Unlike the first observations of fly-by spammers, this incident involved a long-term hijack attack of several months and was confirmed by the owner of the victim network.…”

Section: Introductionmentioning

confidence: 95%

“…Some works [13], [16], [17] have carried out forensic analyses of well known hijacks. Others have attempted to validate observed suspicious routing events [2], [11], [18] usually in the context of the evaluation of a hijack detection technique.…”

Section: Introductionmentioning

confidence: 99%

Malicious BGP hijacks: Appearances can be deceiving

Vervier

Jacquemart

Schlamp

et al. 2014

2014 IEEE International Conference on Communications (ICC)

Self Cite

View full text Add to dashboard Cite

BGP hijacking is a well known threat to the Internet routing infrastructure. There has been considerable interest in developing tools that detect prefix hijacking but such systems usually identify a large number of events, many of them being due to some benign BGP engineering practice or misconfiguration. Ramachandran et al.[1] and later Hu et al.[2] also correlated suspicious routing events with spam and claimed to have found evidence of spammers temporarily stealing prefixes to send spam.In an effort to study at large scale the existence and the prevalence of malicious BGP hijacks in the Internet we developed a system which (i) identifies hijacks using BGP, traceroute and IRR data and (ii) investigates traffic originating from the reported networks with spam and netflow data. In this paper we present a real case where suspicious BGP announcements coincided with spam and web scam traffic from corresponding networks. Through this case study we show that a correlation of suspicious routing events with malicious activities is insufficient to evidence harmful BGP hijacks. We thus question previously reported cases and conclude that identifying malicious BGP hijacks requires additional data sources as well as feedback from network owners in order to reach decisive conclusions.

show abstract

A forensic case study on as hijacking

Cited by 19 publications

References 9 publications

It Bends But Would It Break? Topological Analysis of BGP Infrastructures in Europe

It Bends But Would It Break? Topological Analysis of BGP Infrastructures in Europe

Collaborative Network Security: Targeting Wide-area Routing and Edge-network Attacks

Malicious BGP hijacks: Appearances can be deceiving

Contact Info

Product

Resources

About