Investigating the Nature of Routing Anomalies: Closing in on Subprefix Hijacking Attacks

Schlamp, Johann; Holz, Ralph; Gasser, Oliver; Korsten, Andreas; Jacquemart, Quentin; Carle, Georg; Biersack, Ernst W.

doi:10.1007/978-3-319-17172-2_12

Cited by 4 publications

(6 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We used a blacklist of IP ranges generated during past scans [14,42]. At the time of writing, it contains 177 entries covering 2.6 million addresses (about 0.08% of the routable space).…”

Section: A Active Scansmentioning

confidence: 99%

TLS in the Wild: An Internet-wide Analysis of TLS-based Protocols for Electronic Communication

Holz

Amann

Mehani

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

Email and chat still constitute the majority of electronic communication on the Internet. The standardisation and acceptance of protocols such as SMTP, IMAP, POP3, XMPP, and IRC has allowed to deploy servers for email and chat in a decentralised and interoperable fashion. These protocols can be secured by providing encryption with TLS-directly or via the STARTTLS extension. X.509 PKIs and ad hoc methods can be leveraged to authenticate communication peers. However, secure configuration is not straight-forward and many combinations of encryption and authentication mechanisms lead to insecure deployments and potentially compromise of data in transit. In this paper, we present the largest study to date that investigates the security of our email and chat infrastructures. We used active Internet-wide scans to determine the amount of secure service deployments, and employed passive monitoring to investigate to which degree user agents actually choose secure mechanisms for their communication. We addressed both client-to-server interactions as well as server-to-server forwarding. Apart from the authentication and encryption mechanisms that the investigated protocols offer on the transport layer, we also investigated the methods for client authentication in use on the application layer. Our findings shed light on an insofar unexplored area of the Internet. Our results, in a nutshell, are a mix of both positive and negative findings. While large providers offer good security for their users, most of our communication is poorly secured in transit, with weaknesses in the cryptographic setup and especially in the choice of authentication mechanisms. We present a list of actionable changes to improve the situation.

show abstract

“…We used a blacklist of IP ranges generated during past scans [14,42]. At the time of writing, it contains 177 entries covering 2.6 million addresses (about 0.08% of the routable space).…”

Section: A Active Scansmentioning

confidence: 99%

TLS in the Wild: An Internet-wide Analysis of TLS-based Protocols for Electronic Communication

Holz

Amann

Mehani

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

show abstract

“…If we succeed with b), the suspected attacker holds ownership rights for the prefix and is thus authorized to originate the prefix from his AS. Compared to our previous work [11], we extended this filter to support the IRR databases provided by all five RIRs. Note that we transform all IRR databases into the RIPE data model as presented in Figure 3, since it is most consistent and represents a superset of all available information.…”

Section: B Filtering Methodologymentioning

confidence: 99%

“…We propose a novel Hijacking Event Analysis Program (HEAP) to reliably assess hijacking alarms. We combine techniques from prior work [11], [12] to identify incidents with legitimate cause. Our goal is not to develop a new alarm system.…”

Section: Heap: a Real-time Frameworkmentioning

confidence: 99%

See 1 more Smart Citation

HEAP: Reliable Assessment of BGP Hijacking Attacks

Schlamp

Holz

Jacquemart

et al. 2016

IEEE J. Select. Areas Commun.

Self Cite

View full text Add to dashboard Cite

The detection of BGP prefix hijacking attacks has been the focus of research for more than a decade. However, stateof-the-art techniques fall short of detecting more elaborate types of attack. To study such attacks, we devise a novel formalization of Internet routing, and apply this model to routing anomalies in order to establish a comprehensive attacker model. We use this model to precisely classify attacks and to evaluate their impact and detectability. We analyze the eligibility of attack tactics that suit an attacker's goals and demonstrate that related work mostly focuses on less impactful kinds of attacks.We further propose, implement and test the Hijacking Event Analysis Program (HEAP), a new approach to investigate hijacking alarms. Our approach is designed to seamlessly integrate with previous work in order to reduce the high rates of false alarms inherent to these techniques. We leverage several unique data sources that can reliably disprove malicious intent. First, we make use of an Internet Routing Registry to derive business or organisational relationships between the parties involved in an event. Second, we use a topology-based reasoning algorithm to rule out events caused by legitimate operational practice. Finally, we use Internet-wide network scans to identify SSL/TLS-enabled hosts, which helps to identify non-malicious events by comparing public keys prior to and during an event. In our evaluation, we prove the effectiveness of our approach, and show that day-today routing anomalies are harmless for the most part. More importantly, we use HEAP to assess the validity of publicly reported alarms. We invite researchers to interface with HEAP in order to cross-check and narrow down their hijacking alerts.

show abstract

“…To prevent a large quantity of false positives, Schlamp et al [178,179] tried to detect subprefix hijack attacks by using update messages to retrieve candidates of hijacked prefixes and conducting active scans of SSL/TLS-enabled hosts within these networks. If the hosts use different public keys before and during the potential subprefix hijack event, this event is considered as a real attack.…”

Section: Accepted Manuscriptmentioning

confidence: 99%

The state of affairs in BGP security: A survey of attacks and defenses

Mitseva

Panchenko

Engel

2018

Computer Communications

View full text Add to dashboard Cite

The Border Gateway Protocol (BGP) is the de facto standard interdomain routing protocol. Despite its critical role on the Internet, it does not provide any security guarantees. In response to this, a large amount of research has proposed a wide variety BGP security extensions and detection-recovery systems in recent decades. Nevertheless, BGP remains vulnerable to many types of attack. In this work, we conduct an up-to-date review of fundamental BGP threats and present a methodology for evaluation of existing BGP security proposals. Based on this, we introduce a comprehensive and up-to-date survey of proposals intended to make BGP secure and methods for detection and mitigation of routing instabilities. Last but not least, we identify gaps in research, and pinpoint open issues and unsolved challenges.

show abstract

Investigating the Nature of Routing Anomalies: Closing in on Subprefix Hijacking Attacks

Cited by 4 publications

References 13 publications

TLS in the Wild: An Internet-wide Analysis of TLS-based Protocols for Electronic Communication

TLS in the Wild: An Internet-wide Analysis of TLS-based Protocols for Electronic Communication

HEAP: Reliable Assessment of BGP Hijacking Attacks

The state of affairs in BGP security: A survey of attacks and defenses

Contact Info

Product

Resources

About