Page 1: Network Reachability-based IP Prefix Hijacking Detection - PhD Thesis Defense -

Seongcheol Hong, POSTECH PhD Thesis Defense 1/30

Network Reachability-based IP Prefix Hijacking Detection

- PhD Thesis Defense -

Seongcheol Hong

Supervisor: Prof. James Won-Ki Hong

December 16, 2011

Distributed Processing & Network Management Lab.
Dept. of Computer Science and Engineering

POSTECH, Korea

Page 2

Presentation Outline

1. Introduction
2. Related Work
3. Research Approach
4. Reachability-Based Hijacking Detection (RBHD)
5. Evaluation and Results
6. Conclusions

Page 3

Introduction

• Routing protocols communicate reachability information and perform path selection
• BGP is the Internet's de facto inter-domain routing protocol

[Figure: BGP advertisement example. AS 2 originates a prefix (labelled 1.10.0.0/16 on the advertisement arrows and 1.2.0.0/16 in the routing tables) over eBGP; AS 1 installs it with AS path "2" and re-advertises it to AS 300 with AS path "1 2". iBGP carries the route inside an AS, eBGP between ASes.]

Page 4

Introduction

What is IP prefix hijacking?
• Stealing IP addresses belonging to other networks
• It can occur on purpose or by mistake
• Serious threat to the robustness and security of the Internet routing system

IP prefix hijacking incidents
• AS 7007 incident
• YouTube hijacking
• Chinese ISP hijacking

IP prefix hijacking attack types
• NLRI falsification
• AS path falsification

[Figure: NLRI falsification. AS 1 (victim) originates 1.2.0.0/16 and AS 2 carries it with AS path "2, 1"; AS 5 (attacker) also advertises 1.2.0.0/16 with AS path "5", so neighbouring ASes (AS 3, AS 4) hold routing table entries for the same prefix with two different origins.]

Page 5

Research Motivation

• IP prefix hijacking is a crucial problem in Internet security
• A number of efforts have been introduced
  - Security-enabled BGP protocols
  - Hijacking detection methods
• Every existing BGP security solution has limitations
  - Security-enabled BGP protocols are impractical to deploy
  - Hijacking detection methods cannot detect every type of IP prefix hijacking threat
• We need a novel approach which is practical and covers all types of IP prefix hijacking attacks

Page 6

Research Goals

Target approach
• Security-enabled BGP protocol
• IP prefix hijacking detection method

• Developing a new approach which is practical and detects all types of IP prefix hijacking
• The IP hijacking detection system does not require cooperation of ASes and does not have to be located at a specific monitoring point
• The proposed approach should be validated in simulated environments using real network data

Page 7

Related Work: Security-enabled BGP protocol

BGP Session Protection
• Protecting the underlying TCP session and implementing BGP session defenses
• Not verifying the content of BGP messages

Defensive Filtering
• Filters announcements which are bad and potentially malicious
• It is difficult for an ISP to identify invalid routes originated from several AS hops away

Cryptographic Techniques
• Rely on a shared key between two parties
• Public Key Infrastructure (PKI) requires many resources

Routing Registries
• Shared, global view of 'correct' routing information
• The registry itself must be secure, complete and accurate

Page 8

Related Work: Existing IP hijacking detection methods

Detection approach
• Victim-centric
• Infrastructure-based
• Peer-centric

Type of used data
• Routing information (control-plane)
• Data probing (data-plane)

Attack type
• NLRI falsification
• AS path falsification

Page 9

Related Work

Comparison among IP hijacking detection methods

[Table: rows are detection methods, columns are Detection approach (Victim-centric, Infrastructure-based, Peer-centric), Type of used data (Routing information, Data probing) and Attack type (NLRI falsification, AS path falsification); an "O" marks each property a method has. Rows: Topology (4 marks), PHAS (3), Distance (3), Real-time Monitoring (6), pgBGP (3), iSPY (3), Strobelight (3), Reachability (proposed) (5). The column position of each mark is not recoverable from the extracted text.]

Page 10

Research Approach

IP prefix hijacking detection based on network reachability

[Figure: AS 1 (victim) originates 1.2.0.0/16 and AS 2 carries it with AS path "2 1"; AS 5 (attacker) advertises the same prefix with AS path "5". On receiving the update the detector asks "Multiple origin AS?" and then runs a reachability test against the announced network: "Reached the intended network?" When the test fails, this update is an IP hijacking case.]

Page 11

Reachability-Based Hijacking Detection (RBHD)

Page 12

Network Reachability Examination

• IP prefix hijacking is an attack which influences the network reachability
• We have developed network fingerprinting techniques for network reachability examination
• Network fingerprinting is the active or passive collection of characteristics from a target network (AS level)
• A network fingerprint should be unique, so that it distinguishes a certain network from all others

[Figure: networks A and B with Fingerprint_A and Fingerprint_B; A = B if and only if Fingerprint_A = Fingerprint_B]

Page 13

Network Fingerprinting

What can uniquely characterize a network?
• IP prefix information
• Number of running servers in the network
• A static live host or device in the network (e.g., IDS or IPS)
• Firewall policy
• Geographical location of the network
• Etc.

We have selected static live host information and firewall policy as network fingerprints
• Static live host: web server, mail server, DNS server, IPS device, etc.
• Firewall policy: allowed port numbers or IP addresses
• Both are not changed frequently

Page 14

Static Live Host

Requirements of live hosts
• Operated in most ASes
• Easy to obtain IP addresses
• Always provide services for their AS
• Allow external connections and respond to active probing

A DNS server satisfies all of these requirements
• Provides a conversion service between domain names and IP addresses
• Part of the core infrastructure of the Internet
• Always provides service and allows external connections from any host

Page 15

DNS Server List Collection

BGP-RIB of RouteViews
• RouteViews collects global routing information
• The RIB consists of IP prefixes and AS paths

DNS server collection process
1. Perform a reverse DNS lookup and obtain the name of the authoritative name server (from the Authority Section of the reply) for a particular IP prefix
2. Perform a DNS lookup with the authoritative server name and obtain the IP addresses of the DNS server
3. Repeat steps 1 and 2 over all IP prefixes in the BGP-RIB

Page 16

DNS Server Fingerprinting

• The host fingerprint of the DNS server is used as the network fingerprint
• DNS server fingerprinting collects
  - DNS protocol information (implementation, ...)
  - DNS domain name information (AA flag, ...)
  - DNS server configuration information (DNSSEC, ...)

[Figure: DNS host fingerprint composed of DNS protocol, DNS domain name and DNS server configuration information]

Page 17

Firewall Policy as Alternative Fingerprint

• DNS host fingerprints are not sufficient for reachability monitoring of all ASes in the Internet
  - ASes in which no DNS server is found exist (such as an IX)
• Suitability of firewall policies as network fingerprints
  - The number of possible combinations is huge: protocol, port number, IP address, direction, permission
  - E.g.)
    ACCEPT TCP from anywhere to 224.0.0.251 TCP Port:80
    REJECT ICMP from anywhere to anywhere ICMP unreachable
• Firewall policy fingerprinting is performed by active probing

[Figure: probing packets sent to the target network]

Page 18

Reachability-Based Hijacking Detection (RBHD)

[Flowchart: RBHD processing of a BGP update]
1. BGP update arrives.
2. Identification of NLRI falsification: "NLRI falsification?" If N, go to step 3. If Y, go to step 4.
3. Identification of AS path falsification: "AS path falsification?" If N, the result is a valid update. If Y, go to step 4.
4. "An available DNS server in the target network?" If Y, DNS host fingerprinting: collect DNS host fingerprints. If N, firewall policy fingerprinting: collect firewall policy fingerprints.
5. "Match the existing fingerprints?" (one decision box per fingerprint type). Y: valid update. N: invalid update.
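The decision flow of the RBHD slide, written out as an added Python example (not code from the thesis or its slides). The NLRI check is a multiple-origin-AS test against the origin stored for the prefix, the AS path check compares the announced path with the stored one, and the reachability test matches a freshly observed fingerprint against the stored DNS host fingerprint, or the firewall policy fingerprint when no DNS server is known for the prefix. Prefixes, AS numbers and fingerprint values are constructed sample data; the probing step is replaced by a dictionary of "what the probes see after this update", which is an assumption of this example.

```python
"""Reachability-Based Hijacking Detection (RBHD) decision flow (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Fingerprint:
    kind: str        # "dns" (DNS host fingerprint) or "firewall" (firewall policy fingerprint)
    value: tuple     # fingerprint content, kept hashable so equality is the match test


@dataclass
class PrefixRecord:
    """What RBHD stores for a prefix before any suspicious update arrives."""
    origin_as: int
    as_path: Tuple[int, ...]
    dns_fp: Optional[Fingerprint]    # None when no DNS server was found in the prefix
    fw_fp: Fingerprint


@dataclass
class BgpUpdate:
    prefix: str
    as_path: Tuple[int, ...]         # leftmost = neighbour that sent it, rightmost = origin

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def is_nlri_falsification(rec: PrefixRecord, upd: BgpUpdate) -> bool:
    """A different origin AS for a known prefix: a multiple-origin-AS (MOAS) conflict."""
    return upd.origin_as != rec.origin_as


def is_as_path_falsification(rec: PrefixRecord, upd: BgpUpdate) -> bool:
    """Same origin AS, but the announced path differs from the path seen before."""
    return upd.origin_as == rec.origin_as and upd.as_path != rec.as_path


def reachability_test(rec: PrefixRecord, observed: Dict[str, Fingerprint]) -> bool:
    """'Reached the intended network?'  Use the DNS host fingerprint when a DNS
    server is known for the prefix, otherwise the firewall policy fingerprint,
    and match it against what probing sees now (`observed`, constructed here)."""
    if rec.dns_fp is not None:
        return observed.get("dns") == rec.dns_fp
    return observed.get("firewall") == rec.fw_fp


def classify_update(baseline: Dict[str, PrefixRecord], upd: BgpUpdate,
                    observed_by_prefix: Dict[str, Dict[str, Fingerprint]]) -> str:
    rec = baseline.get(upd.prefix)
    if rec is None:
        return "no baseline"     # assumption: a never-seen prefix has nothing to compare against
    if is_nlri_falsification(rec, upd) or is_as_path_falsification(rec, upd):
        ok = reachability_test(rec, observed_by_prefix.get(upd.prefix, {}))
        return "valid" if ok else "invalid"
    return "valid"               # neither NLRI nor AS path changed: nothing to test


# Constructed sample data.
VICTIM_DNS = Fingerprint("dns", ("bind", "aa=1", "dnssec=yes"))
ATTACKER_DNS = Fingerprint("dns", ("powerdns", "aa=1", "dnssec=no"))
IX_FW = Fingerprint("firewall", (("tcp", 179, "accept"), ("icmp", "echo", "deny")))
OTHER_FW = Fingerprint("firewall", (("tcp", 80, "accept"), ("icmp", "echo", "accept")))

BASELINE = {
    "1.2.0.0/16": PrefixRecord(1, (2, 1), VICTIM_DNS, Fingerprint("firewall", (("tcp", 53, "accept"),))),
    "5.6.0.0/16": PrefixRecord(7, (2, 7), None, IX_FW),    # e.g. an IX prefix without a DNS server
}

SCENARIOS = [
    # (description, update, what probes observe once the update is installed)
    ("unchanged announcement", BgpUpdate("1.2.0.0/16", (2, 1)), {"dns": VICTIM_DNS}),
    ("multihoming: new path to the same origin, traffic still reaches AS 1",
     BgpUpdate("1.2.0.0/16", (3, 1)), {"dns": VICTIM_DNS}),
    ("NLRI falsification: AS 5 originates the victim's prefix",
     BgpUpdate("1.2.0.0/16", (5,)), {"dns": ATTACKER_DNS}),
    ("AS path falsification: AS 5 forges a link to AS 1 and keeps the traffic",
     BgpUpdate("1.2.0.0/16", (5, 1)), {"dns": ATTACKER_DNS}),
    ("NLRI falsification of a prefix without a DNS server: firewall policy decides",
     BgpUpdate("5.6.0.0/16", (9,)), {"firewall": OTHER_FW}),
]


def run_scenarios():
    return [(desc, classify_update(BASELINE, upd, {upd.prefix: seen})) for desc, upd, seen in SCENARIOS]


if __name__ == "__main__":
    for desc, verdict in run_scenarios():
        print(f"{verdict:8s} {desc}")
```

The second scenario is the legitimate MOAS case the deck returns to later (a new path to the same network): the origin changes the path but not the fingerprint, so the update is accepted without any AS cooperation.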

Page 19

Evaluations and Results

Page 20

DNS Server Collection Result

Current state of DNS server operation
• 304,106 IP prefixes (8,414,294 /24 prefixes) in the BGP-RIB
• 77,530 DNS servers' information obtained using DNS forward/reverse queries to /24 prefixes

[Figure: the number of IP prefixes owned by each AS]

Page 21

Host Fingerprint Groups

[Figure: the number of distinguishable DNS server fingerprints]

The total number of distinguishable fingerprints is 73,781 (out of 77,530 DNS servers in total)

Page 22

Uniqueness of Fingerprints

• N : the total number of collected DNS servers
• G : the total number of mutually exclusive fingerprints
• For each group, n_i is defined as the number of DNS servers that belong to the i-th fingerprint group N_i
• The collision probability P_C :

• In our result, N is 77,530 and G is 73,781
• P_C in our experiment is 2.69 × 10^-6
• We conclude that a sufficient level of distinction is achieved by our proposed host fingerprinting method.
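An added Python example (not code from the thesis) that builds DNS host fingerprints from the three parts named on the fingerprinting slide, groups servers by fingerprint, and evaluates uniqueness with the N, G and n_i defined above. The slide's own P_C formula is not reproduced in this transcript, so the estimate used here is an assumption: the probability that two distinct servers picked at random share a fingerprint, sum_i n_i (n_i - 1) / (N (N - 1)). The server records are constructed sample data; the last function applies the same assumed formula to the slide's N and G to get the smallest P_C those two numbers allow, which is a consistency check rather than a reproduction of the reported value.

```python
"""Fingerprint grouping and collision probability (added example)."""
from typing import Dict, List, Tuple

# Constructed sample records: (server name, protocol info, domain-name info, configuration info).
SERVERS = [
    ("ns1.example.net",   ("bind", "edns0=yes"),     ("aa=1", "serial=date"),    ("dnssec=yes", "recursion=no")),
    ("ns2.example.net",   ("bind", "edns0=yes"),     ("aa=1", "serial=date"),    ("dnssec=yes", "recursion=no")),
    ("ns3.example.net",   ("bind", "edns0=yes"),     ("aa=1", "serial=date"),    ("dnssec=yes", "recursion=no")),
    ("ns.example.org",    ("nsd", "edns0=yes"),      ("aa=1", "serial=counter"), ("dnssec=no", "recursion=no")),
    ("ns2.example.org",   ("nsd", "edns0=yes"),      ("aa=1", "serial=counter"), ("dnssec=no", "recursion=no")),
    ("dns.example.com",   ("powerdns", "edns0=yes"), ("aa=1", "serial=date"),    ("dnssec=yes", "recursion=no")),
    ("resolver.isp.test", ("unbound", "edns0=yes"),  ("aa=0", "serial=-"),       ("dnssec=yes", "recursion=yes")),
    ("old.isp.test",      ("bind", "edns0=no"),      ("aa=1", "serial=date"),    ("dnssec=no", "recursion=yes")),
]

Fingerprint = Tuple[tuple, tuple, tuple]


def fingerprint(record) -> Fingerprint:
    """The host fingerprint is the tuple of the three parts; the server name is not part of it."""
    _name, protocol, domain, config = record
    return (protocol, domain, config)


def fingerprint_groups(records) -> Dict[Fingerprint, List[str]]:
    """Servers with identical fingerprints fall into one mutually exclusive group."""
    groups: Dict[Fingerprint, List[str]] = {}
    for rec in records:
        groups.setdefault(fingerprint(rec), []).append(rec[0])
    return groups


def collision_probability(group_sizes: List[int]) -> float:
    """Assumed P_C: chance that two distinct servers drawn at random share a fingerprint."""
    n = sum(group_sizes)
    if n < 2:
        return 0.0
    return sum(k * (k - 1) for k in group_sizes) / (n * (n - 1))


def uniqueness_report(records) -> Tuple[int, int, float]:
    """Returns (N, G, P_C) for a set of server records."""
    groups = fingerprint_groups(records)
    sizes = [len(members) for members in groups.values()]
    return len(records), len(groups), collision_probability(sizes)


def min_collision_probability(n: int, g: int) -> float:
    """Smallest P_C compatible with N servers in G non-empty groups: the sum of
    n_i (n_i - 1) is convex, so it is minimised by group sizes as equal as possible."""
    q, r = divmod(n, g)
    total = r * (q + 1) * q + (g - r) * q * (q - 1)
    return total / (n * (n - 1))


if __name__ == "__main__":
    n, g, pc = uniqueness_report(SERVERS)
    print(f"N={n} G={g} P_C={pc:.4f}")
    print(f"lower bound for the slide's N=77,530, G=73,781: {min_collision_probability(77530, 73781):.3e}")
```

With the slide's numbers the lower bound comes out around 1.25 × 10^-6, below the reported 2.69 × 10^-6, so the reported value is consistent with a few groups larger than two under this assumed definition.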

Page 23

Firewall Policy Examples

[Figure: example firewall policies]

Page 24

Differences of Firewall Policies

[Figure: inferred firewall policies of Network A, Network B, Network C and Network D]

Page 25

IP Prefix Hijacking Testbed

[Figure: testbed with two randomly selected networks (IP addresses in this slide are anonymized). Steps: collect AS A's fingerprints; translate IP addresses (ex) 192.168.1.0 => 192.168.31.0); inject a false announcement; collect the current fingerprints]

Page 26

Conclusions

1. Summary
2. Contributions
3. Future Work

Page 27

Summary

• We proposed a new approach that practically detects IP prefix hijacking based on network reachability monitoring
• We used a fingerprinting scheme in order to determine the network reachability of a specific network
• We proposed DNS host and firewall policy fingerprinting methods for network reachability monitoring
• We validated the effectiveness of the proposed method in the IP hijacking testbed

Page 28

Contributions

• The problems of existing IP prefix hijacking detection techniques are addressed
  - The absence of detection techniques which deal with all IP prefix hijacking cases led to the development of new methodologies suitable for the current Internet
• Our approach provides a practical network fingerprinting method for the reachability test of all ASes
  - DNS host fingerprinting
  - Firewall policy fingerprinting
• Novel, real-time IP prefix hijacking detection methods are described and validated with real network data

Page 29

Future Work

• Enhancement of our DNS server finding and fingerprinting method
• Optimization of inferring the firewall policies with a small number of probing packets
• Analyzing the performance and feasibility of our fingerprinting approach on the Internet
• Applying our hijacking detection system to a real research network

Page 30

PhD Thesis Defense, Seongcheol Hong
December 16, 2011

Q & A

Page 31

Appendix

Page 32

IP Prefix Hijacking Incidents

AS7007 incident
• April 25, 1997
• Caused by a misconfigured router that flooded the Internet with incorrect advertisements

YouTube hijacking
• February 24, 2008
• Pakistan's attempt to block YouTube access within their country takes down YouTube entirely

Chinese ISP hijacks the Internet
• April 8, 2010
• China Telecom originated 37,000 prefixes not belonging to them


Page 35

Solution Approach

Research Hypothesis
An independent system can perform real-time IP prefix hijacking detection using network reachability monitoring without any changes to the existing Internet infrastructure

Page 36

Legitimate Case

[Figure: AS 1 originates 1.2.0.0/16 and AS 2 carries it with AS path "2 1"; AS 5 also announces 1.2.0.0/16 with AS path "5", but a static link (marked "O") connects AS 5 to the network behind 1.2.0.0/16. "Multiple origin AS?" is answered yes, the reachability test "Reached the intended network?" succeeds, so this update is valid.]

Page 37

Common Legitimate Cases

Xin Hu and Z. Morley Mao, "Accurate Real-time Identification of IP Prefix Hijacking"

Page 38

DNS Server Collection Process

[Flowchart]
1. Start: get IP prefix and AS path information from the BGP-RIB at RouteViews.
2. Do a reverse query about an IP address in the IP prefix to the local DNS server.
3. Query result exists? If not, do the reverse query about an IP address in the IP prefix to a global DNS server; if that result does not exist either, print 'no DNS server in the IP prefix'.
4. Authority Section exists in the result? If not, print 'no DNS server in the IP prefix'.
5. Do a forward query for the server named in the Authority Section.
6. Get the domain name and IP address of the DNS server and print 'DNS server information in the IP prefix'.
7. More IP prefixes? If yes, go back to step 2; otherwise end.
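The collection procedure of this flowchart and of the three-step description on the DNS server list collection slide, as an added Python example (not code from the thesis): for each prefix in the RIB, a reverse (PTR) query for an address inside the prefix goes to the local resolver, falls back to a global resolver, the authoritative server name is taken from the Authority Section of the reply, and a forward (A) query resolves that name. Real DNS traffic is replaced by a constructed in-memory resolver so the example runs offline; the prefixes, AS paths, names and addresses are sample data, and which resolver answers which zone is an assumption of the example.

```python
"""DNS server list collection over a BGP RIB (added example, offline stub resolver)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample RIB: (prefix, AS path) as taken from a RouteViews BGP-RIB dump.
RIB: List[Tuple[str, Tuple[int, ...]]] = [
    ("192.0.2.0/24",    (64500, 64496)),
    ("198.51.100.0/24", (64500, 64497)),
    ("203.0.113.0/24",  (64500, 64498)),   # no reverse delegation anywhere -> no DNS server found
]


class StubResolver:
    """Constructed stand-in for a DNS resolver (no network traffic).
    `ptr_zones` maps a reverse-zone name to the NS names returned in the Authority
    Section of a PTR reply; `a_records` maps a server name to its addresses."""

    def __init__(self, ptr_zones: Dict[str, List[str]], a_records: Dict[str, List[str]]):
        self.ptr_zones = ptr_zones
        self.a_records = a_records

    def reverse_query(self, ip: str) -> Optional[dict]:
        qname = ipaddress.ip_address(ip).reverse_pointer       # e.g. 1.2.0.192.in-addr.arpa
        for zone, ns_names in self.ptr_zones.items():
            if qname == zone or qname.endswith("." + zone):     # label-aligned suffix match
                return {"authority": list(ns_names)}
        return None

    def forward_query(self, name: str) -> Optional[dict]:
        addrs = self.a_records.get(name)
        return {"answer": list(addrs)} if addrs else None


# The "local" resolver knows one reverse zone, the "global" resolver another (constructed).
LOCAL = StubResolver({"2.0.192.in-addr.arpa": ["ns1.example.net"]},
                     {"ns1.example.net": ["192.0.2.53"]})
GLOBAL = StubResolver({"100.51.198.in-addr.arpa": ["ns.example.org"]},
                      {"ns.example.org": ["198.51.100.53"], "ns1.example.net": ["192.0.2.53"]})


def probe_address(prefix: str) -> str:
    """Pick an address inside the prefix for the reverse query (the first host address)."""
    net = ipaddress.ip_network(prefix)
    return str(net[1]) if net.num_addresses > 1 else str(net[0])


def find_dns_servers(prefix: str, local: StubResolver,
                     global_: StubResolver) -> Optional[Dict[str, List[str]]]:
    """One pass of the flowchart for a single prefix.  Returns {ns name: [ips]},
    or None when the 'no DNS server in the IP prefix' branch is reached."""
    ip = probe_address(prefix)
    reply = local.reverse_query(ip)               # reverse query to the local DNS server
    if reply is None:
        reply = global_.reverse_query(ip)         # fall back to a global DNS server
    if reply is None or not reply.get("authority"):
        return None                               # no result, or no Authority Section
    servers: Dict[str, List[str]] = {}
    for ns_name in reply["authority"]:            # forward query for each authoritative server
        fwd = local.forward_query(ns_name) or global_.forward_query(ns_name)
        if fwd:
            servers[ns_name] = fwd["answer"]      # domain name and IP address of the DNS server
    return servers or None


def collect_dns_servers(rib, local: StubResolver, global_: StubResolver):
    """Repeat for every prefix in the RIB (the 'More IP prefix?' loop)."""
    return {prefix: find_dns_servers(prefix, local, global_) for prefix, _path in rib}


if __name__ == "__main__":
    for prefix, servers in collect_dns_servers(RIB, LOCAL, GLOBAL).items():
        print(prefix, "->", servers if servers else "no DNS server in the IP prefix")
```

Against a real resolver the two stub methods would be replaced by PTR and A lookups; the control flow, including the fallback and the "no DNS server" outcome that feeds the firewall-policy alternative, stays the same.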

Page 39

Distinguishable Groups of Each Fingerprint

[Figures: distinguishable groups by DNS protocol information, by DNS domain name information and by DNS server configuration]

Page 40

DNS Server Fingerprint

[Figures: DNS server fingerprinting process; structure of the DNS server fingerprint]

Page 41

DNS Server Fingerprint Examples

[Figure: example DNS server fingerprints]

Page 42

The Use of Sweep Line for Firewall Policy Inference

[Figure: example of the sweep line algorithm on a 2-dimensional space]

Page 43

Inferring the Firewall Policy

Response-to-permission mapping for probes with TTL = router + 1 ("-" = no response)

Protocol | Response packet              | Permission
ICMP     | echo reply                   | accept
ICMP     | -                            | deny
TCP      | ICMP Time Exceeded           | accept
TCP      | ICMP Destination Unreachable | deny
TCP      | -                            | deny
UDP      | -                            | accept
UDP      | ICMP Destination Unreachable | deny

Probing packets

Protocol | Destination IP  | Destination Port | Option | TTL
ICMP     | 192.168.10.0/24 | -                | echo   | router + 1
TCP      | 192.168.10.0/24 | 1:1023           | SYN    | router + 1
UDP      | 192.168.10.0/24 | 1:1023           | -      | router + 1

Page 44

Inferring the Firewall Policy

Response-to-permission mapping for probes with TTL = 255 ("-" = no response)

Protocol | Response packet              | Permission
ICMP     | echo reply                   | accept
ICMP     | -                            | deny
TCP      | SYN/ACK                      | accept
TCP      | RST/ACK                      | accept
TCP      | RST                          | accept
TCP      | ICMP Destination Unreachable | deny
TCP      | -                            | deny
UDP      | -                            | accept
UDP      | ICMP Destination Unreachable | deny

Probing packets

Protocol | Destination IP  | Destination Port | Option | TTL
ICMP     | 192.168.10.0/24 | -                | echo   | 255
TCP      | 192.168.10.0/24 | 1:1023           | SYN    | 255
UDP      | 192.168.10.0/24 | 1:1023           | -      | 255
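An added Python example (not code from the thesis) that turns probe responses into an inferred firewall policy using the two tables on this slide and the previous one, then compares two networks' policies as the "Differences of Firewall Policies" slide does. "router+1" is the probe set whose TTL expires one hop behind the last router, so a TCP SYN that is let through comes back as ICMP Time Exceeded; "255" is the probe set that reaches the end hosts and is judged by SYN/ACK, RST/ACK or RST. Merging consecutive ports with the same verdict into ranges and the policy diff are additions for readability; the probe results are constructed sample data, not measurements.

```python
"""Firewall policy inference from probe responses (added example)."""
from typing import Dict, Iterable, List, Optional, Tuple

BORDER, HOST = "router+1", "255"     # the two TTL settings used in the tables
NO_RESPONSE = None                   # the "-" entries of the tables

# (TTL setting, protocol, response packet) -> permission, as on the slides
PERMISSION: Dict[Tuple[str, str, Optional[str]], str] = {
    (BORDER, "icmp", "echo reply"): "accept",
    (BORDER, "icmp", NO_RESPONSE): "deny",
    (BORDER, "tcp", "icmp time exceeded"): "accept",
    (BORDER, "tcp", "icmp destination unreachable"): "deny",
    (BORDER, "tcp", NO_RESPONSE): "deny",
    (BORDER, "udp", NO_RESPONSE): "accept",
    (BORDER, "udp", "icmp destination unreachable"): "deny",
    (HOST, "icmp", "echo reply"): "accept",
    (HOST, "icmp", NO_RESPONSE): "deny",
    (HOST, "tcp", "syn/ack"): "accept",
    (HOST, "tcp", "rst/ack"): "accept",
    (HOST, "tcp", "rst"): "accept",
    (HOST, "tcp", "icmp destination unreachable"): "deny",
    (HOST, "tcp", NO_RESPONSE): "deny",
    (HOST, "udp", NO_RESPONSE): "accept",
    (HOST, "udp", "icmp destination unreachable"): "deny",
}

Range = Tuple[Optional[int], Optional[int], str]   # (first port, last port, permission)


def permission(ttl: str, proto: str, response: Optional[str]) -> str:
    """Verdict for one probe; a response outside the tables is an error, not a guess."""
    try:
        return PERMISSION[(ttl, proto, response)]
    except KeyError:
        raise ValueError(f"no rule for {proto} response {response!r} at TTL {ttl}") from None


def infer_policy(probes: Iterable[Tuple[str, Optional[int], Optional[str]]],
                 ttl: str) -> Dict[str, List[Range]]:
    """probes: (protocol, destination port or None for ICMP echo, response or None).
    Returns, per protocol, port ranges that each carry a single permission."""
    verdict: Dict[str, Dict[Optional[int], str]] = {}
    for proto, port, response in probes:
        verdict.setdefault(proto, {})[port] = permission(ttl, proto, response)
    policy: Dict[str, List[Range]] = {}
    for proto, by_port in verdict.items():
        if proto == "icmp":                                # echo has no port dimension
            policy[proto] = [(None, None, by_port[None])]
            continue
        ranges: List[Range] = []
        for port in sorted(by_port):
            perm = by_port[port]
            if ranges and ranges[-1][2] == perm and ranges[-1][1] == port - 1:
                ranges[-1] = (ranges[-1][0], port, perm)   # extend the open range
            else:
                ranges.append((port, port, perm))
        policy[proto] = ranges
    return policy


def policy_lines(policy: Dict[str, List[Range]]) -> List[str]:
    """Render a policy as rule lines in the style of the slides ('ACCEPT TCP port 80')."""
    lines = []
    for proto, ranges in sorted(policy.items()):
        for lo, hi, perm in ranges:
            port = "-" if lo is None else (str(lo) if lo == hi else f"{lo}:{hi}")
            lines.append(f"{perm.upper()} {proto.upper()} port {port}")
    return lines


def policy_diff(a: Dict[str, List[Range]], b: Dict[str, List[Range]]) -> List[str]:
    """Rules present in only one of the two policies: the difference of two fingerprints."""
    return sorted(set(policy_lines(a)) ^ set(policy_lines(b)))


def sample_probes(open_tcp, open_udp, answers_echo):
    """Constructed TTL = router + 1 probe results for ports 1:1023, as in the probing table."""
    probes = [("icmp", None, "echo reply" if answers_echo else NO_RESPONSE)]
    for port in range(1, 1024):
        probes.append(("tcp", port, "icmp time exceeded" if port in open_tcp else NO_RESPONSE))
        probes.append(("udp", port, NO_RESPONSE if port in open_udp else "icmp destination unreachable"))
    return probes


if __name__ == "__main__":
    net_a = infer_policy(sample_probes({22, 80, 443}, {53}, False), BORDER)
    net_b = infer_policy(sample_probes({80, 443}, {53}, True), BORDER)
    print("\n".join(policy_lines(net_a)))
    print("differences A/B:", policy_diff(net_a, net_b))
```

Note the asymmetry the tables encode: for UDP, silence is read as accept, so a probe lost on the way inflates the accepted set; the "router+1" mapping only tells you what the border lets through, not whether a host listens.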

Page 45

Suspicious Update Frequency

Suspicious update frequency during 2 weeks of monitoring from the BGP-RIB

Anomalous update type | Total number | Average rate (/min)
NLRI                  | 1,234        | 0.12
AS path               | 12,632       | 1.02