65 research outputs found

    ROVER: a DNS-based method to detect and prevent IP hijacks

    2013 Fall. Includes bibliographical references.
    The Border Gateway Protocol (BGP) is critical to the global internet infrastructure. Unfortunately, BGP routing was designed with limited regard for security. As a result, IP route hijacking has been observed for more than 16 years. Well known incidents include a 2008 hijack of YouTube, loss of connectivity for Australia in February 2012, and an event that partially crippled Google in November 2012. Concern has been escalating as critical national infrastructure is reliant on a secure foundation for the Internet. Disruptions to military, banking, utilities, industry, and commerce can be catastrophic. In this dissertation we propose ROVER (Route Origin VERification System), a novel and practical solution for detecting and preventing origin and sub-prefix hijacks. ROVER exploits the reverse DNS for storing route origin data and provides a fail-safe, best effort approach to authentication. This approach can be used with a variety of operational models including fully dynamic in-line BGP filtering, periodically updated authenticated route filters, and real-time notifications for network operators. Our thesis is that ROVER systems can be deployed by a small number of institutions in an incremental fashion and still effectively thwart origin and sub-prefix IP hijacking despite non-participation by the majority of Autonomous System owners. We then present research results supporting this statement. We evaluate the effectiveness of ROVER using simulations on an Internet scale topology as well as with tests on real operational systems. Analyses include a study of IP hijack propagation patterns, effectiveness of various deployment models, critical mass requirements, and an examination of ROVER resilience and scalability.

    Security analysis of network neighbors

    Master's thesis in Information Security, submitted to the University of Lisbon through the Faculty of Sciences, 2010.
    This work addresses a problem common to many of today's Internet service providers (ISPs): efficient mitigation of malicious traffic on their networks. This unwanted traffic wastes network resources, leading to a consequent degradation of quality of service. It also creates an insecure environment for customers, undermining the potential offered by the Internet and opening the way for serious criminal activity. Some of the main constraints in building systems capable of solving these problems are: the enormous amount of traffic to be analysed, the fact that the Internet is inherently anonymous, and the lack of incentive for transit network operators to block this type of traffic. Within the scope of a mid-sized ISP, this work focuses on three main areas: the origins of malicious traffic, the security classification of networks neighbouring the ISP, and intervention policies. Network data were collected for specific types of malicious traffic (address scans and connection-flow floods), as well as network reachability information: BGP update messages provided by the RIPE Routing Information Service. We analysed the malicious traffic in search of network patterns, which allowed us to understand that it originates mostly from a very small subset of ASes on the Internet. Within the scope of an ISP, and according to a set of security metrics, we defined a correlation expression to quantify the security risks associated with connections to neighbouring networks, which we named the Risk Score. Finally, we proposed techniques for carrying out the network tasks needed to reduce malicious traffic efficiently, where possible in cooperation with neighbouring networks/ASes. We are not aware of any existing publication that correlates the characteristics of malicious address-scan and connection-flow-flood traffic with network reachability information within the scope of an ISP in order to classify the security of network neighbourhoods, for the purpose of deciding whether to filter traffic from specific prefixes of an AS or to block all traffic from an AS. We believe the results presented in this work can be applied immediately in real-world scenarios, enabling more secure and scalable network environments and thereby improving the network conditions needed for the development of new services.
    This thesis addresses an issue common to many current Internet Service Providers (ISPs): efficient mitigation of malicious traffic flowing through their network. This unwanted traffic wastes network resources, leading to a degradation of quality of service. It also creates an unsafe environment for users, thereby undermining the Internet's potential and opening the way for severe criminal activity. Some of the main constraints on creating systems that may tackle these problems are the enormous amount of traffic to be analysed, the fact that the Internet is inherently untraceable, and the lack of incentive for transit networks to block this type of traffic. Under the scope of a mid-scale ISP, this thesis focuses on three main areas: the origins of malicious traffic, security classification of ISP neighbours, and intervention policies. We collected network data from particular types of malicious traffic (address scans and flow floods) and network reachability information (BGP update messages from the RIPE Routing Information Service, RIS). We analysed the malicious traffic looking for network patterns, which allowed us to understand that most of it originates from a very small subset of Internet ASes. We defined a correlation expression, which we named the Risk Score, to quantify the security risks of neighbour connections within an ISP scope according to a set of security metrics. We finally proposed techniques to implement the network tasks required to mitigate malicious traffic efficiently, if possible in cooperation with other neighbours/ASes. We are not aware of any work that correlates the malicious traffic characteristics of address scans and flow flood attacks with the network reachability information of an ISP network to classify the security of neighbour connections, in order to decide whether to filter traffic from specific prefixes of an AS or to block all traffic from an AS. It is our belief that the findings presented in this thesis can be immediately applied to real-world scenarios, enabling more secure and scalable network environments and therefore opening the way for better deployment environments for new services.

    A DSA-based scheme for defending against IP prefix hijacking without repositories

    IP prefix hijacking poses a serious threat to the security of the Internet. Cryptographic authentication of the origin ASes (Autonomous Systems) of an advertised prefix, which is an effective way of preventing IP prefix hijacking, has been widely accepted. However, existing schemes have received various critical comments regarding their inefficiency in cryptographically authenticating origin ASes. To improve efficiency, we take advantage of specific characteristics of DSA (Digital Signature Algorithm) and present a scheme for preventing IP prefix hijacking. The proposed scheme has two characteristics: it is DSA-based and it is efficient. First, because DSA is the digital signature standard of the US federal government, the DSA-based feature can maintain compatibility with DSA and its analytical tools, which eases the wide acceptance and practical application of the proposed scheme. Second, public key certificates are not needed because public keys can be computed with a formula. The separate signature verifications in these certificates, which are unavoidable in almost all existing cryptography-based schemes, can be replaced by the computation of a multi-exponentiation formula. In this way, efficiency is achieved.
    IP prefix hijacking poses a serious threat to the security of the Internet. Cryptographically authenticating the origin ASes (Autonomous Systems) of an advertised prefix, which is an effective way of preventing IP prefix hijacking, has received wide acceptance. However, existing schemes have received various critical comments on their inefficiency when cryptographically authenticating origin ASes. To improve efficiency, we take full advantage of specific characteristics of DSA (Digital Signature Algorithm) and present a scheme for preventing IP prefix hijacking. The proposed scheme has two characteristics: it is DSA-based and it is efficient. Firstly, because DSA is a United States Federal Government standard for digital signatures, the DSA-based scheme can maintain compatibility with the DSA and its analytical tools, and thus it is easier for the proposed scheme to be widely accepted and applied in practice. Secondly, public key certificates are not necessary because public keys can be computed by using a formula. The separate signature verifications in these certificates, which are inevitable in almost all existing cryptography-based schemes, can be replaced with the computation of a multi-exponentiation formula. Thus, efficiency is achieved.

    Detecting IP prefix hijack events using BGP activity and AS connectivity analysis

    The Border Gateway Protocol (BGP), the main component of core Internet connectivity, suffers from vulnerability issues related to the impersonation of the ownership of IP prefixes by Autonomous Systems (ASes). In this context, a number of studies have focused on securing BGP through several techniques, such as monitoring-based, history-based and statistical behavioural models. In spite of the significant research undertaken, the proposed solutions cannot detect IP prefix hijacks accurately or even differentiate them from other types of attacks that could threaten the performance of BGP. This research proposes three novel detection methods aimed at tracking the behaviour of BGP edge routers and detecting IP prefix hijacks, based on statistical analysis of variance, an attack-signature approach and a classification-based technique. The first detection method uses statistical analysis of variance to identify hijacking behaviour by comparing the normal operation of routing information exchanged among routers with their behaviour during the occurrence of IP prefix hijacking. However, this method failed to find any indication of IP prefix hijacking because of the difficulty of obtaining raw BGP data that is free of hijacks. The research also proposes another detection method that parses BGP advertisements (announcements) and checks whether IP prefixes are announced by more than one AS. If so, the events are selected for further validation using Regional Internet Registry (RIR) databases to determine whether the ASes announcing the prefixes are owned by the same organisation or by different organisations. Advertisements for the same IP prefix made by ASes owned by different organisations are subsequently identified as hijacking events. The proposed algorithm of this detection method was validated using the 2008 YouTube Pakistan hijack event; the analysis demonstrates that the algorithm qualitatively increases the accuracy of detecting IP prefix hijacks. The algorithm is very accurate as long as the RIRs (Regional Internet Registries) are updated concurrently with hijacking detection. The detection method can be integrated with BGP routers or work separately from them. Another detection method is proposed to detect IP prefix hijacking using a combination of signature-based (parsing-based) and classification-based techniques. The parsing technique is used as a pre-processing phase before the classification-based method. Features are extracted based on the connectivity behaviour of the suspicious ASes identified by the parsing technique. In other words, this detection method tracks the behaviour of the suspicious ASes and follows up with an analysis of their interaction with directly and indirectly connected neighbours, based on a set of features extracted from the AS_PATH information about the suspicious ASes. Before sending the extracted feature values to the five best classifiers that can work with the specifications of the implemented classification dataset, the detection method computes the similarity between benign and malicious behaviours to determine to what extent the classifiers can distinguish suspicious behaviour from benign behaviour and then detect the hijacking. Evaluation tests of the proposed algorithm demonstrated that the detection method was able to detect the hijacks with 96% accuracy and can be integrated with BGP routers or work separately from them.
    Funder: Saudi Cultural Bureau

    Prefix-Hijacking im Internetrouting : Monitoring, Analyse und Mitigation

    This thesis considers IT security aspects of Internet routing and improves established approaches for the detection, classification and impact analysis of anomalies in Internet routing; beyond that, it develops the concept of an effective countermeasure and demonstrates its trial deployment. The focus is on the Border Gateway Protocol (BGP), which is what makes worldwide communication between computer systems over the Internet possible in the first place. Starting from computer networks in the military context and at research institutions in the 1980s, the Internet developed into a worldwide network of computer networks that civil society can no longer do without. While modern applications network household appliances with one another and the exchange of individual experiences sets the pace of modern society, the basic mechanisms of this interconnection have remained unchanged in recent years. As a network of computer networks, the Internet is a dynamic union of so-called Autonomous Systems (AS), i.e. the computer networks of companies, research institutions, and governmental and non-governmental organisations. To exchange data packets between two end devices in different ASes, the necessary reachability information must be exchanged and regularly updated at the lower layers of the TCP/IP protocol stack in use. BGP is used to exchange this reachability information on the Internet. The reachability information exchanged via BGP consists of an IP address range (prefix) and the AS path that a packet must traverse through other ASes on the way to its destination. BGP provides no validation of the exchanged reachability information. Any AS can thus essentially inject arbitrary information into Internet routing, or manipulate existing information when forwarding it. False reachability information has various causes, such as faults in routing hardware, administrative configuration errors, or targeted attacks. False reachability information results in routing anomalies of varying criticality, up to the unreachability of prefixes or the takeover of prefixes by attackers. This takeover of foreign prefixes by an attacker is called prefix hijacking, i.e. the hijacking of an IP address range. There is no global view of Internet routing, so global detection of prefix hijacking is not readily possible. Rather, each AS has its own view of the Internet, determined by the reachability information exchanged with its neighbours. For an overview, these local views must first be combined into a global view. Since prefix hijacking can easily be carried out with the version of BGP in use, further measures are necessary to achieve the IT security protection goals in Internet routing. Preventive measures, such as retrofitting protection of reachability information via protocol extensions or additional protocols, have not yet been deployed comprehensively and have therefore been unsuccessful. For prefix owners, continuous monitoring of their own prefixes on the Internet remains the measure for ensuring IT security. This thesis first analyses the data available for implementing effective monitoring of Internet routing, taking into account the routing archives of various providers used in the literature. By adding further sources, such as Internet exchange points or so-called looking-glass services, the information contained in the routing archives is enriched and the global view improved. This is followed by a revision of the established method for estimating the prefix-hijacking resilience of an AS and the derivation of an improved formula for impact assessment. An effective countermeasure is then presented which, with the support of partner ASes, extends the reach of legitimate reachability information and thus makes mitigation of prefix hijacking possible, at least in principle. The presented approaches to broadening the data base, to improving the analysis of prefix-hijacking consequences, and to mitigating prefix hijacking by prefix owners enable improved measures for ensuring the IT security protection goals.