Detecting Internet Traffic Interception based on Route Hijacking

Transcription

1 Detecting Internet Traffic Interception based on Route Hijacking Alberto Dainotti Center for Applied Internet Data Analysis University of California, San Diego Joint work with: Pavlos Sermpezis, Vasileios Kotronis, Petros Gigis, Xenofontas Dimitropoulos, Jae Hyun Park, Danilo Cicalese, Alistair King

2 INTERNET ROUTE HIJACKING a threat to your organization and to critical infrastructure BAD_AS oas (your network) Polluted AS simple hijack (remote users) 2

3 INTERNET ROUTE HIJACKING a threat to your organization and to critical infrastructure BAD_AS oas (your network) Polluted AS (remote users) man-in-the-middle (MITM) hijack 3

4 INTERNET ROUTE HIJACKING many MITM events documented BAD_AS oas (your network) Polluted AS (remote users) Nov

5 INTERNET ROUTE HIJACKING many MITM events documented BAD_AS oas (your network) Polluted AS (remote users) In few minutes, a single attack can manipulate millions of flows causing: service disruption, fraud, data theft, bad reputation, 5

6 ATTACKS UNDER THE RADAR can have large impact Hijack Types: Type hijack: <prefix: BAD_AS, > (a.k.a. prefix origin hijack ) oas, BAD_AS, > Type hijack: <prefix: ARTEMIS: Neutralizing BGP Hijacking within a Minute Type 2 hijack: <prefix: oas, AS, BAD_AS, > lots of attention.8 CDF % 2% 4% 6% 8% Percentage of polluted ASes (a) % Percentage of polluted ASes all events invisible events (stream services) invisible events (all services) Hijack 3 4 (b) 6 Figure : Impact of di erent hijack s: (a) CDF

7 ATTACKS UNDER THE RADAR can have large impact Hijack Types: Type hijack: <prefix: BAD_AS, > (a.k.a. prefix origin hijack ) oas, BAD_AS, > Type hijack: <prefix: ARTEMIS: Neutralizing BGP Hijacking within a Minute Type 2 hijack: <prefix: oas, AS, BAD_AS, >.8 CDF % 2% 4% 6% 8% Percentage of polluted ASes (a) % Percentage of polluted ASes all events invisible events (stream services) invisible events (all services).8 often neglected Hijack 3 4 (b) 7 Figure : Impact of di erent hijack s: (a) CDF

8 STATE OF THE ART False Positives + False Negatives Third-party Detection Services False Positives unless you promptly communicate changes to your network configuration Privacy? False Negatives Most services focus on Type- attacks Hard to detect more sophisticated attacks (Type-, Type-2, ) Mitigation? No integration with mitigation solutions Btw, would you mitigate if uncertain? how later? 8

9 NEED EARLY & ACCURATE DETECTION + FAST MITIGATION 9

10 OUR APPROACH ARTEMIS (/3) public infrastructure Realtime BGP Monitoring using CoNEXT 7, December 27, Seoul, South ~2 vantage points worldwide (BGP routers) impactful events Detect events in few seconds! (tested with experiments on the real Internet) Percentage of invisible events Provides visibility of all Percentage of invisible events source: RouteViews, RIPE RIS, Colorado State Univ. BGPMon processing: CAIDA s BGPStream % 2% 2 % Impact: Percentage of polluted ASes (a) all monitors % 5% Impact: Perc (b) stream Figure 3: Percentage (y-axis) of the hi grouped by impact (x-axis), that are

11 OUR APPROACH ARTEMIS (2/3) Detection without outsourcing Run locally: leverages knowledge of your network configuration Accurate: Detects all s of attacks! No false negatives for all visible attacks No false positives for most s of attacks; demonstrated extremely low rate otherwise No sharing of private data Transparency: open source code

12 OUR APPROACH ARTEMIS (3/3) Mitigation Automated + flexible (it can be configured on a per-prefix basis) Both autonomous or outsourced Prefix de-aggregation Announcement and tunneling from other ASes CoNEXT 7, December 27, Seoul, South Korea P. Sermpezis et al. Contact offending AS and its neighbors outsourcing: random ASes outsourcing: #providers ASes outsourcing: top ISPs filtering: top ISPs Number of ASes (a) Hijack 8 Mean percentage of polluted ASes Mean percentage of polluted ASes.8 outsourcing: random ASes outsourcing: #providers ASes outsourcing: top ISPs filtering: top ISPs Number of ASes 8 Type Type Type2 Type3 without outsourcing 5.% 28.6% 6.9%.6% top ISPs 2.4% 8.2% 6.2% 4.5% AK 2.4%.3%.2%.% CF 4.8%.8%.4%.4% VE 5.%.9%.4%.3% IN NE 7.3%.% 2.3% 3.3%.3%.%.%.5% (b) Hijack Figure Center 6: E ciency mitigation via outsourcing BGP for Applied of Internet Data Analysis University of California San Diego announcements to organizations selected (i) randomly, and based on their (ii) number of providers and (iii) Table 3: Mean percentage of polluted ASes, when outsourcing BGP announcements to organizations providing DDoS protection services. Foundationtoforless Research e.g., leading thanand 5%Technology-Hellas polluted ASes (one order of mag nitude lower compared to the initial impact) with only 3 top2

13 ARTEMIS CONFIGURATION sample Configuration file configure manually extract from routers / route reflector pre-populate from RADB? // Artemis configuration for our main prefixes prefixes: /6,.../24 origin_asns: 43, 432 neighbors: 4, 32, 267, 45, 28, 7462, 423 mitigation: deaggregate // Artemis configuration for prefixes we use only at site #2 prefixes: /24, /24 origin_asns: 43 neighbors: 28, 7462, 423 mitigation: deaggregate, outsource 3

14 PILOT DEPLOYMENT try ARTEMIS Pilot deployment of detection component - all you need is a box with Python Feedback Read our paper draft Contribute to the development of scripts etc. 4

15 THANKS 5

16 ONE LAST SLIDE - We are also developing a centralized service (an Internet observatory for BGP hijacks and anomalies) which does not need deployment in your network - Soon you ll be able to subscribe to receive notifications and inspect events on a dashboard - If you upload your ARTEMIS configuration file it is going to be more accurate and may provide more information about the incident 6