HEAP: Reliable Assessment of BGP Hijacking Attacks

Schlamp, Johann; Holz, Ralph; Jacquemart, Quentin; Carle, Georg; Biersack, Ernst W.

doi:10.1109/jsac.2016.2558978

Cited by 38 publications

(17 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Though hijack attacks can be effective for many adversarial objectives (e.g., setting up phishing websites and spoofing DNS responses [49]), they disrupt connectivity for hosts in the victim's network. In contrast, interception attacks preserve connectivity in the data plane, making them much harder to detect than hijack attacks (as seen in [77,86], data-plane connectivity is a common method for detecting hijack attacks).…”

Section: Bgp Interception Attacksmentioning

confidence: 99%

Sico

Birge-Lee

Wang

Rexford

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

The Border Gateway Protocol (BGP) is the primary routing protocol for the Internet backbone, yet it lacks adequate security mechanisms. While simple BGP hijack attacks only involve an adversary hijacking Internet traffic destined to a victim, more complex and challenging interception attacks require that adversary intercept a victim's traffic and forward it on to the victim. If an interception attack is launched incorrectly, the adversary's attack will disrupt its route to the victim making it impossible to forward packets. To overcome these challenges, we introduce SICO attacks (Surgical Interception using COmmunities): a novel method of launching interception attacks that leverages BGP communities to scope an adversary's attack and ensure a route to the victim. We then show how SICO attacks can be targeted to specific source IP addresses for reducing attack costs. Furthermore, we ethically perform SICO attacks on the real Internet backbone to evaluate their feasibility and effectiveness. Results suggest that SICO attacks can achieve interception even when previously proposed attacks would not be feasible and outperforms them by attracting traffic from an additional 16% of Internet hosts (worst case) and 58% of Internet hosts (best case). Finally, we analyze the Internet topology to find that at least 83% of multi-homed ASes are capable of launching these attacks.

show abstract

Section: Bgp Interception Attacksmentioning

confidence: 99%

Sico

Birge-Lee

Wang

Rexford

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…The effect of a hijack is to redirect traffic for the affected prefix to/through the network of the hijacker AS. This attracted traffic can be (i) dropped (blackholing, BH), (ii) manipulated or eavesdropped and then sent on to the victim AS1 (manin-the-middle, MM), or (iii) used in an impersonation of the [25] (2006) [40] (2008) [68] (2007) [69] (2016) [59] (2012) [63] (2007) [36]…”

Section: Classification By Data-plane Traffic Manipulationmentioning

confidence: 99%

“…Reactive defenses comprise two steps: detection and mitigation. Several systems have been proposed for prefix hijacking detection [25], [36], [40], [59], [63], [68], [69], with most of them being designed to operate as third-party services; they monitor the Internet control/data plane and upon the detection of a suspicious event or anomaly, notify the involved ASes. Our survey reveals a similar trend in practice: more than 60% rely on third-parties (e.g., [8]) to get notified about suspicious events involving their prefixes.…”

Section: Real-world Problems With Bgp Hijackingmentioning

confidence: 99%

“…Hybrid approaches [36], [59], [63], [55], [58] combine control and data plane information, and sometimes query external databases (e.g., Internet Routing Registries, IRR) [59], [63], to detect multiple classes of hijacking events. HEAP [59] can detect any type of AS-PATH manipulation on the control plane, but is limited to sub-prefix hijacking events which result in blackholing or imposture on the data plane. Thus, it misses MM attacks both for exact prefix and sub-prefix hijacks.…”

Section: Detection Of Bgp Hijackingmentioning

confidence: 99%

See 1 more Smart Citation

ARTEMIS: Neutralizing BGP Hijacking Within a Minute

Sermpezis

Kotronis

Gigis

et al. 2018

IEEE/ACM Trans. Networking

View full text Add to dashboard Cite

BGP prefix hijacking is a critical threat to Internet organizations and users. Despite the availability of several defense approaches (ranging from RPKI to popular third-party services), none of them solves the problem adequately in practice. In fact, they suffer from: (i) lack of detection comprehensiveness, allowing sophisticated attackers to evade detection, (ii) limited accuracy, especially in the case of third-party detection, (iii) delayed verification and mitigation of incidents, reaching up to days, and (iv) lack of privacy and of flexibility in post-hijack counteractions, on the side of network operators. In this work, we propose ARTEMIS (Automatic and Real-Time dEtection and MItigation System), a defense approach (a) based on accurate and fast detection operated by the AS itself, leveraging the pervasiveness of publicly available BGP monitoring services and their recent shift towards real-time streaming, thus (b) enabling flexible and fast mitigation of hijacking events. Compared to previous work, our approach combines characteristics desirable to network operators such as comprehensiveness, accuracy, speed, privacy, and flexibility. Finally, we show through real-world experiments that, with the ARTEMIS approach, prefix hijacking can be neutralized within a minute. ✦

show abstract

“…As a result, BGP hijacks are a prevalent threat and concern for network operators [48]. There have been many efforts in the research community to characterize BGP hijacking events [28,56] and to develop hijack detection systems using different approaches, metrics, and vantage points [22,27,42,43,46,49,50,57]. While most systems focus on detecting individual BGP hijacking events, some attempt to identify the source of the cause and a few even tackle mitigation and remediation [7].…”

Section: Related Workmentioning

confidence: 99%

Profiling BGP Serial Hijackers

Testart

Richter

King

et al. 2019

Proceedings of the Internet Measurement Conference

View full text Add to dashboard Cite

BGP hijacks remain an acute problem in today's Internet, with widespread consequences. While hijack detection systems are readily available, they typically rely on a priori prefix-ownership information and are reactive in nature. In this work, we take on a new perspective on BGP hijacking activity: we introduce and track the long-term routing behavior of serial hijackers, networks that repeatedly hijack address blocks for malicious purposes, often over the course of many months or even years. Based on a ground truth dataset that we construct by extracting information from network operator mailing lists, we illuminate the dominant routing characteristics of serial hijackers, and how they differ from legitimate networks. We then distill features that can capture these behavioral differences and train a machine learning model to automatically identify Autonomous Systems (ASes) that exhibit characteristics similar to serial hijackers. Our classifier identifies ≈ 900 ASes with similar behavior in the global IPv4 routing table. We analyze and categorize these networks, finding a wide range of indicators of malicious activity, misconfiguration, as well as benign hijacking activity. Our work presents a solid first step towards identifying and understanding this important category of networks, which can aid network operators in taking proactive measures to defend themselves against prefix hijacking and serve as input for current and future detection systems. CCS CONCEPTS • Networks → Network measurement; Network security.

show abstract

HEAP: Reliable Assessment of BGP Hijacking Attacks

Cited by 38 publications

References 23 publications

Sico

Sico

ARTEMIS: Neutralizing BGP Hijacking Within a Minute

Profiling BGP Serial Hijackers

Contact Info

Product

Resources

About