BGP hijacking classification

Cho, Shinyoung; Fontugne, Romain; Cho, Kenjiro; Dainotti, Alberto; Gill, Peter

doi:10.23919/tma.2019.8784511

Cited by 51 publications

(19 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…We complement the set of malicious ASes compiled through the honeypot data with AS reputation lists which are developed by monitoring the BGP routing system to detect ASes with consistent patterns of malicious routing, such as traffic misdirection. We use the list produced by Testart et al [58], which we further extend with examples of bulletproof hosters and hijackers reported by [25,14] resulting in a list of 922 malicious ASes.…”

Section: As Reputation Lists Based On Bgp Misbehaviormentioning

confidence: 99%

Passive and Active Measurement

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The depletion of the unallocated address space in combination with the slow pace of IPv6 deployment have given rise to the IPv4 transfer market, namely the trading of allocated IPv4 prefixes between ASes. While RIRs have established detailed transfer policies in an effort to regulate the IPv4 transfer market for malicious networks such as spammers and bulletproof ASes, IPv4 transfers pose an opportunity to bypass reputational penalties of abusive behavior since they can obtain "clean" IPv4 address space or offload blacklisted address space. Additionally, IP transfers create a window of uncertainty about legitimate ownership of prefixes, which leads to inconsistencies in WHOIS records and ROA objects. In this paper we provide the first detailed study of how transferred IPv4 prefixes are misused in the wild by synthesizing an array of longitudinal IP blacklists, honeypot data, and AS reputation lists compiled through hijack detection. Our findings yield evidence that the transferred network blocks are used by malicious networks to address botnets and fraudulent sites in much higher rates compared to non-transferred addresses, while the timing of the attacks indicate efforts to evade filtering mechanisms.

show abstract

Section: As Reputation Lists Based On Bgp Misbehaviormentioning

confidence: 99%

Passive and Active Measurement

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…The prefix originations by these single digit ASes are likely mere results of misconfigurations, where an origin network accidentally adds an additional AS number (behind its own) to its BGP advertisements. These so-called "fat finger errors" [15] commonly occur when configuring a router to perform AS path prepending, a traffic engineering technique that artificially lengthens the AS path in order to make the advertised path less desirable in the BGP decision process [44]. A notable example of an AS flagged by our classifier is AS5, an AS whose registered company went out of business 20 years ago, periodically revived through router misconfiguration.…”

Section: Indications Of Misconfigurationmentioning

confidence: 99%

Profiling BGP Serial Hijackers

Testart

Richter

King

et al. 2019

Proceedings of the Internet Measurement Conference

Self Cite

View full text Add to dashboard Cite

BGP hijacks remain an acute problem in today's Internet, with widespread consequences. While hijack detection systems are readily available, they typically rely on a priori prefix-ownership information and are reactive in nature. In this work, we take on a new perspective on BGP hijacking activity: we introduce and track the long-term routing behavior of serial hijackers, networks that repeatedly hijack address blocks for malicious purposes, often over the course of many months or even years. Based on a ground truth dataset that we construct by extracting information from network operator mailing lists, we illuminate the dominant routing characteristics of serial hijackers, and how they differ from legitimate networks. We then distill features that can capture these behavioral differences and train a machine learning model to automatically identify Autonomous Systems (ASes) that exhibit characteristics similar to serial hijackers. Our classifier identifies ≈ 900 ASes with similar behavior in the global IPv4 routing table. We analyze and categorize these networks, finding a wide range of indicators of malicious activity, misconfiguration, as well as benign hijacking activity. Our work presents a solid first step towards identifying and understanding this important category of networks, which can aid network operators in taking proactive measures to defend themselves against prefix hijacking and serve as input for current and future detection systems. CCS CONCEPTS • Networks → Network measurement; Network security.

show abstract

“…• MOAS (Multiple Origin AS) conflict [20]. It means that a prefix matches the behavior of multiple origin ASs.…”

Section: B Prefix Hijacking Detection Technologymentioning

confidence: 99%

A Prefix Hijacking Detection Model Based on the Immune Network Theory

Zhang

Zhao

2019

IEEE Access

View full text Add to dashboard Cite

The prefix hijacking problem is an urgent security issue that need to address in the Border Gateway Protocol (BGP) security research. In order to solve the problem of prefix hijacking in BGP, we propose (a) new (p)refix (h)ijacking (d)etection model based on the immune network theory in this paper, called aPHD. To be specific, aPHD uses real BGP UPDATE messages for pre-training and has the ability to detect UPDATE messages in real time after pre-training. The aPHD (1) can effectively detect prefix hijacking attacks with high accuracy; (2)is easy to deployment; and (3) has a low false positive rate and low overhead. Extensive performance evaluation shows that our solution is secure and feasible. The aPHD improved the accuracy rate by 6.2% and reduced the false positive rate by 85.7%. INDEX TERMS Immune network theory, prefix hijacking, BGP security, negative selection.

show abstract

BGP hijacking classification

Cited by 51 publications

References 27 publications

Passive and Active Measurement

Passive and Active Measurement

Profiling BGP Serial Hijackers

A Prefix Hijacking Detection Model Based on the Immune Network Theory

Contact Info

Product

Resources

About