Major Project Part II. Isolating Suspicious BGP Updates To Detect Prefix Hijacks

Transcription

1 Major Project Part II Isolating Suspicious BGP Updates To Detect Prefix Hijacks Author: Abhishek Aggarwal (IIT Delhi) Co-authors: Anukool Lakhina (Guavus Networks Inc.) Prof. Huzur Saran (IIT Delhi)

2 ! BGP routes can be hijacked by a misbehaving or compromised router. This can have serious consequences! Accidental hijack! AS 9121 incident! Malicious hijack! Used to send SPAM Larry J. Blunk, IEGP Meeting 62 nd IETF, March 6, 2005

3 Isolate suspicious BGP updates for further analysis to detect prefix hijacks

4 Prefix Hijack: Example a. True origin AS 52 announces prefix /16 b. False origin AS 110 announces prefix /16 Figure: AS 110 hijacks prefix of AS 52 Mohit et al., 2006, 15 th USENIX Security Symposium

5 Valid MOAS Case Multihoming without BGP Customer /24 AS 1 AS 2 announces /24 AS X AS Y announces / /24 AS Path: AS X,, AS 1 AS Z /24 AS Path: AS Y,, AS 2 Figure: Multihoming without BGP

6 Valid MOAS Case Private AS number substitution /24 AS 1 AS X Announces /24 Path: AS X AS Y Announces /24 Path: AS Y Figure: Private AS number substitution

7 Basic Philosophy! Analyze past BGP data to establish normal behavior for a prefix! Associate a state with every prefix at a border router! Origin AS is state variable! Track changes in the state to figure out normal changes for prefix! Analyze incoming updates and flag the ones violating the normal

8 Percentage hold time distribution of conflicting ASs is highly skewed %Hold Time Difference Prefix Figure: Percentage hold time difference for MOAS prefixes

9 Negative correlation between % Hold Time Change and AS Path Length Change a. 100 Perecntage Hold Time b. Normalized AS Path Length Backup AS Preferred AS Prefix Figure: (a) Percent hold time Vs Prefix, and (b) Normalized AS path length Vs Prefix

10 Preferred AS Path Length For 84 % prefixes: AS with high percentage hold time has a shorter path length 16% 84% Shorter Total MOAS Prefixes: 124 Longer Figure: Percentage breakup of MOAS prefixes on preferred AS path length

11 AS Path Relationship! Overlap! One path lies on the other! Related origin AS! Cross! Intersect in unique points! Distinct! Independent of each other

12 AS Path Relationship For ~ 88 % multi origin prefixes: Conflicting ASs have overlapping AS paths 8, 6.45% 7, 5.65% Total Prefixes: , 87.90% Distinct Paths Overlapping Paths Crossing Paths Figure: Percentage breakup of prefixes on AS path relationship of conflicting ASs

13 Characteristics of Possible Prefix Hijacks! Change in state of prefix! Multi Origin AS conflict! False origin AS has! Low percentage hold time " Malicious routes are short lived! Shorter AS path length! Distinct or Cross AS path relationship! Deaggregated prefix

14 Metrics! Change in Percentage hold time of conflicting ASs! Change in AS path length! AS path relationship! Overlapping! Cross! Distinct

15 Decision Tree Branch 1 Announcement Update Change in State MOAS Conflict Investigate Further + Percentage Hold Time Change - AS PATH Length Change AS PATH Length Change - AS PATH Relation AS PATH Relation AS PATH Relation AS PATH Relation Cross Overlap Distinct Cross Overlap Distinct Cross Overlap Distinct Cross Overlap Traffic En gineering Normal Low Suspicion Normal Low Suspicion Moderate Susp icio n Distinct High Suspicion

16 Decision Tree Branch 2 Update Announcement Withdrawal Change in State New Prefix Announcements No Change in State MOAS Conflict No MOAS Conflict Safe/Accepted Investigate Further MOAS Deaggregation Deaggregated Prefixes Self Deaggregation Distinct Prefixes Investigate Further Cross Low Suspicion Safe/Accepted AS PATH Relation Overlap High Suspicion Distinct

17 Algorithm/ Decision Tree

18 Architecture Diagram COLLECTION ENGINE PRESENTATION ENGINE DATABASE DATA ANALYSIS ENGINE CLASSIFICATION ENGINE Existing data

19 Abilene routing data for 2 months 1 st month s data Warm Up Phase 2 nd month s data Phase

20 Total Updates processed = , 49% 60, 43% Total Updates Flagged: , 8% High Suspicion Medium Suspicion Low Suspicion Figure: Percentage break up of flagged updates

21 26% 74% Total Updates: Announcements Withdrawals Figure: Percentage break up of updates 933, 0.19% , 34.56% , 65.25% Total Annoucements: Change State No Change in State New Prefix Announcements Figure: Percentage break up of announcements

22 958, 0.56% , 99.44% Total Annoucements Causing Change in State: MOAS Conflict No MOAS Conflict Figure: Percentage break up of announcements causing change in state 53, 5% 11, 1% 35, 3% 905, 91% Total MOAS Conflicts: 958 Valid Cases High Suspicion Medium Suspicion Low Suspicion Figure: Percentage break up of MOAS conflict cases

23 7, 1% 32, 3% 373, 40% 521, 56% Total New Prefix Announcements: 958 No Deaggregation Self Deaggregation High Suspicion Low Suspicion Figure: Percentage break up of new prefix announcements

24 Some Interesting Incidents Deaggregation Existing Covering Prefix: /16 Origin AS: 668 AS Path: 668 Deaggregation Prefix: /24 Origin AS: New AS Path: AS Path Relation: Distinct

25 Some Interesting Incidents Replacement Existing Status: Active Origin AS: 5050 AS Path: 5050 Hold Time %: New AS Path Relationship: Distinct Origin AS: 559 AS Path: Hold Time %: Prefix: /24

26 ! Past BGP data about a prefix can help to determine safe changes to the state of the prefix! Percentage hold time change, AS path length change and AS path relationship are useful metrics to filter out valid MOAS incidents! Normally, percentage hold time change and AS path length change have a negative correlation

27 Key Benefits! Help network operators! Enable manual data analysis! Inject new detection schemes! Readily deployable! Incremental deployment! Build base truth on prefix hijacks

28 Future Scope of Work Work Done! Finding new relevant metrics to isolate and classify prefix hijack incidents with higher probability! Fusing Internet wide Route Views data with local AS data! Fusing Internet traffic data with routing data Future Work

29 Work Done!Anirudh Ramachandaran,Nick Feamster. On understanding Network Level behavior of spammers. In Proc. ACM SIGCOMM Conference, 2006.!Ola Nordstrom, Constantinos Dovrolis. Beware of BGP Attacks. In ACM SIGCOMM Communications Review, April 2004.!Mohit Lad, Dan Massey, Dan Pie. Prefix Hijack Alert System. In 15th USENIX Security Symposium, USENIX Security 2006.!Xiaoliang Zhao, Dan Pei, Lan Wang and Dan Massey. An analysis of BGP MOAS conflicts. In ACM SIGCOMM Workshop on Internet Measurement,2002.!C. Lynn, S. Kent and K.Seo. Secure border Gateway protocol (S-BGP). In IEEE JSAC Special Issue on Network Security,2002.

30 Work Done Thank You!