Akmal Khan 08-27-2009
fif.kr/fisc2009/doc/08.pdf


Page 1:

Akmal Khan 08-27-2009

Page 2: Outline

Introduction
Related Work
Proposed Solution
Experimental Results
Conclusion

Page 3: Internet Abstractions

Collection of Hosts, Routers, Points of Presence (PoPs) or Autonomous Systems (AS)

An AS is a connected group of one or more IP prefixes run by one or more network operators which has a SINGLE and CLEARLY DEFINED routing policy (RFC 1930)

Page 4: Border Gateway Protocol (BGP)

Inter-domain routing protocol (Inter AS)
○ Critical Communications and Business Infrastructure!
Vulnerable to different threats
○ Configuration/Human Errors
▫ "Patches" applied as threats are exploited
▫ E2E solutions require collaboration

[Figure: propagation of (AS_PATH, prefix) announcements for p = 1.2.0.0/16: AS 1 announces {1}, p; AS 2 re-announces {2, 1}, p; AS 3 re-announces {3, 2, 1}, p]

Page 5: Prefix Hijacking 101

Announce someone else's prefix
Announce a more specific of someone else's prefix

Synopsis: You are trying to "steal" someone else's traffic by getting it routed to you. Capture, sniff, redirect, manipulate traffic as you wish.

Page 6: Prefix Hijacking... simple case

[Figure: AS 1 advertises 1.2.0.0/16 (path 1) and AS 5 also advertises 1.2.0.0/16 (path 5). The per-AS routing tables in the figure list 1.2.0.0/16 with paths 1; 2, 1; 5; and 4, 5. AS 3 learns both path 2, 1 and path 4, 5 for the same prefix: a MOAS (Multiple Origin AS) conflict]

Page 7: Types of Prefix Hijacking (PH)

[Type 1] Prefix hijacking / Duplicate PH: AS1 owns 1.2.0.0/16 but it is advertised by AS2
[Type 2] Sub-prefix hijacking: AS2 advertises 1.2.3.0/24
[Type 3] AS Path Spoofing: AS5 announces [5 1] without having peering with AS1
[Type 4] Independent PH: AS2 uses Bogons (unused address space)
[Type 5] Man in the middle (MITM) Attacks
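A small classifier for these hijack types, added here as an illustration and not part of the presentation; the registry, the known peerings and the bogon ranges are constructed for the AS1..AS5 example used on the slides:

```python
from ipaddress import ip_network

# Constructed inputs mirroring the slide's AS1..AS5 example (not data from the talk).
REGISTRY = {"1.2.0.0/16": 1}                                        # registered prefix -> owner AS
PEERINGS = {frozenset(p) for p in [(1, 2), (2, 3), (3, 4), (4, 5)]}  # known AS adjacencies
BOGONS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]     # assumed unallocated space


def registered_owner(prefix):
    """Most specific registration covering prefix -> (block, owner_as), or (None, None)."""
    net = ip_network(prefix)
    hits = [(ip_network(r), o) for r, o in REGISTRY.items() if net.subnet_of(ip_network(r))]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else (None, None)


def classify(as_path, prefix):
    """Label an (AS_PATH, prefix) announcement with the slide's hijack type.

    as_path is ordered as received: first hop nearest, origin AS last.
    Type 5 (MITM) leaves no origin or registry inconsistency, so it cannot be
    recognised from a single announcement and is never returned here.
    """
    origin = as_path[-1]
    net = ip_network(prefix)
    block, owner = registered_owner(prefix)
    if block is None:
        # Type 4: space nobody registered; flag it when it falls in a known bogon range
        if any(net.subnet_of(b) for b in BOGONS):
            return "type4-independent-bogon"
        return "unregistered"
    if owner != origin:
        # Type 1 re-originates the exact registered block, Type 2 a more specific of it
        return "type1-duplicate" if net == block else "type2-subprefix"
    # Origin is the owner: every adjacent pair in the path must be a known peering
    for a, b in zip(as_path, as_path[1:]):
        if frozenset((a, b)) not in PEERINGS:
            return "type3-path-spoofing"
    return "legitimate"
```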

Page 8: BGP Prefix Hijacking Incidents

• Did AS13214 really hijack the Internet? http://bgpmon.net/blog/?p=80
• Cyclops detects global routing leak by AS13214
• Don't be afraid of AS3130.. April 2009, http://cyclops.cs.ucla.edu/
• WorldofWarcraft.com and WoWarmory.com sub-prefix hijacked (July 2008)
• YouTube's prefix hijacked by Pakistan Telecom, February 2008

Page 9: Outline

Introduction
Related Work
Proposed Solution
Experimental Results
Conclusion

Page 10: Major Research Groups

University of California Los Angeles (Lixia Zhang): Internet Research Lab (irl), CAIDA
Colorado State University (Dan Massey): Network Security Research Group
Princeton University (Jennifer Rexford): Incrementally Deployable Secure Interdomain Routing
University of Michigan (Z. Morley Mao): RobustNet Group

Page 11: Major Research Groups (continued)

National Institute of Standards and Technology (Advanced Network Technologies Division): Trustworthy Networking, BGP Security and Routing Robustness, http://w3.antd.nist.gov/
University of Swinburne (Geoff Huston): CAIA
UCL, Louvain-la-Neuve, Belgium (Olivier Bonaventure): INL: IP Networking Lab

Page 12: BGP Solutions Categories

Prevention: S-BGP, SO-BGP, SPV
Mitigation: Wang et al., PG-BGP, Zhang et al., Anycast Routing
Detect & Alert: myASN, IAR, PHAS -> Cyclops, BGPmon.net
Detect & Recover: Probabilistic IP Prefix Hijacking (PIPA)

Page 13: Table 1: Prefix Hijacking Solutions

| Detection System         | History/Registry | Alarm Type                       | Prefix/Duplicate PH | Subprefix PH | Super/Independent PH | Path Spoofing | MITM    |
|--------------------------|------------------|----------------------------------|---------------------|--------------|----------------------|---------------|---------|
| PHAS [mohit et al]       | H                | Origin, Last Hop, Sub-Allocation | Y                   | Y            | N                    | limited       | N       |
| PG-BGP [J. Karlin et al] | H                | Prefix, SubPrefix                | Y                   | Y            | N                    | Y             | limited |
| K. Sriram et al.         | H+R              | N                                | Y                   | Y            | N                    | Y             | N       |
| Nemecis                  | R                | N                                | Y                   | Y            | N                    | N             | N       |
| Hu et al.                | H                | N                                | Y                   | Y            | N                    | Y             | N       |

Table 1: Taxonomy of Prefix Hijacking Solutions (PH: Prefix Hijacking, Y: yes, N: No, H: History, R: Registry, Un: Unreachability, MITM: Man In The Middle)

Page 14: Cyclops.. AS-Centric Visualization tool

Data sources
○ BGP routing tables + updates: Route Views, RIPE, Abilene, CERNET BGP View
○ Route Servers: Packet Clearing House, UCR, traceroute.org, Route Server Wiki
○ Looking Glasses: traceroute.org, NANOG, Looking Glass Wiki
Others: Mapnet, Otter, HERMES, VAST, FixedOrbit

http://cyclops.cs.ucla.edu/

Page 15: Some More tools

PCH - Prefix Sanity Checker
RIPE - MyASN Service
BGPPlay
BGPmon.net

Page 16: Tools to use & get inspiration

Linux Distribution (Ubuntu), Java, C/C++, Perl, Python, mySQL, ...
Quagga 0.99.14
IRRd - Internet Routing Registry 2.3.9
Irrtoolset 4.8.5
IrrPowerTools
StraighRV
MRT dump file manipulation toolkit (MDFMT) version 0.2
BGP4MP TableDump V2
Prefixanalyzer
Pybgpdump
Dpkt 1.6
LinkRank Beta 02
....

Page 17: Outline

Introduction
Related Work
Proposed Solution
Partial Experimental Results
Conclusion

Page 18: PIPA Data Sources

RIR/Internet Route Registry (IRR): Registration information / Policy Information
○ RADb, RIPE, ARIN, APNIC
BGP Data Collectors: RouteViews (240), RIPE-RIS (>600)
○ No. of BGP collectors deployed around the world
• New Data Source [unreachability information]: Hubble Project / iPlane [Ethan K. et al]

Page 19: How is Unreachability helpful?

Internet Goal: Global Reachability
Prefix hijacking can affect some of the ASes.
E.g. AS5 hijacked the prefix of AS1 and blackholes all the traffic; applications in some AS will observe Unreachability
There are projects like Hubble/iPlane which provide information about the blackholes and the duration of unreachabilities
Helps detecting prefix hijacking
Pinpointing the location of the hijacker

Page 20: Probabilistic IP Prefix Authentication (PIPA)

Continuously update the Probability of prefix hijack based on its reachability information around the world

Possible promotion/demotion of the historically best BGP Path of a certain prefix

Page 21: Hijack Probability Assignment

Every Prefix can be assigned a Hijack Probability based on its conformance with
○ Historical Standings
○ Registry Standings
○ Real time Unreachability statistics

Non-conformance with History/Registry can raise early Alarms and the Recovery process can be started.

The Probability score can be continuously updated based on real time statistics, i.e. BGP updates, etc.

Page 22: Prefix Hijack Detection Challenge

How to differentiate between different kinds of unreachability
○ Unreachability due to equipment failures, line cuts, etc.
MITM: When there are no unreachabilities
How to detect MOAS conflicts
○ Registry data, if accurately updated
○ Maintaining a known AS home Set
  IP Prefix: 1.2.0.0/16
  Owner AS: AS1
  IP Prefix Homes: AS1, ...

Page 23: Prefix Hijack Recovery

Network operator announces a more specific prefix to recover from a Prefix hijack situation
○ Longest Prefix Matching Wins
○ But what if that is the one already hijacked.
Contact the malicious/misconfigured party or its provider
PIPA, based on its results, can suggest to a particular AS to use the previously used route, which it was using before the introduction of the new malicious or erroneous prefix

Page 24: Prefix Hijack Recovery

[Figure: the same AS1..AS5 topology; AS 1 advertises 1.2.0.0/16 (path 1) while AS 5 advertises the more specific 1.2.3.0/24, a hijacked route. Routing tables show 1.2.0.0/16 via 2, 1 and 1.2.3.0/24 via 5 and via 4, 5. A packet sent to 1.2.3.4 in AS 1 follows the /24 by Longest Prefix Matching, so the attacker is able to attract all traffic. PIPA is shown beside the affected AS]
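The hijack-probability assignment of pages 20 to 22 and the recovery step of pages 23 and 24, as one added Python example; this is not the presentation's own PIPA code, and the registry, AS home set, weights and alarm threshold are constructed assumptions:

```python
from ipaddress import ip_address, ip_network

# Constructed registry, history and weights for the slide's AS1..AS5 example;
# the weights and the alarm threshold are assumptions, not values from the talk.
REGISTRY = {"1.2.0.0/16": 1}          # prefix -> registered owner AS
HOME_SET = {"1.2.0.0/16": {1}}        # prefix -> ASes historically seen originating it
W_REGISTRY, W_HISTORY, W_UNREACH = 0.4, 0.3, 0.3
ALARM = 0.5


def covering(table, prefix):
    """Values of every entry in table whose prefix covers the given prefix."""
    net = ip_network(prefix)
    return [v for p, v in table.items() if net.subnet_of(ip_network(p))]


def hijack_probability(prefix, origin_as, reachable_fraction):
    """Score in [0, 1] from non-conformance with the registry, with history (the AS
    home set, which also exposes MOAS conflicts) and from real-time unreachability.
    A reachability dip alone stays below ALARM, so a line cut does not trip it."""
    owners = covering(REGISTRY, prefix)
    homes = set().union(*covering(HOME_SET, prefix))
    registry_miss = 0.0 if origin_as in owners else 1.0
    history_miss = 0.0 if origin_as in homes else 1.0
    unreach = 1.0 - reachable_fraction
    return round(W_REGISTRY * registry_miss + W_HISTORY * history_miss + W_UNREACH * unreach, 3)


class Rib:
    """Routes of one AS: per prefix, AS paths in preference order, plus demoted routes."""

    def __init__(self):
        self.routes = {}       # prefix -> [as_path, ...], origin AS last in each path
        self.demoted = set()   # (prefix, as_path) pairs PIPA has demoted

    def add(self, prefix, as_path):
        self.routes.setdefault(prefix, []).append(tuple(as_path))

    def evaluate(self, prefix, reachable_fraction):
        """Re-score every path for prefix; demote those at or above ALARM, promote the rest."""
        for path in self.routes.get(prefix, []):
            if hijack_probability(prefix, path[-1], reachable_fraction) >= ALARM:
                self.demoted.add((prefix, path))
            else:
                self.demoted.discard((prefix, path))

    def lookup(self, addr):
        """Longest prefix match over non-demoted routes -> (prefix, as_path) or None.
        Demoting the hijacked /24 makes the previously used /16 route win again."""
        ip = ip_address(addr)
        best = None
        for prefix, paths in self.routes.items():
            net = ip_network(prefix)
            if ip not in net:
                continue
            usable = next((p for p in paths if (prefix, p) not in self.demoted), None)
            if usable and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, usable)
        return (str(best[0]), best[1]) if best else None
```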

Page 25: Outline

Introduction
Related Work
Proposed Solution
Experimental Results
Conclusion

Page 26:

[Figure: two charts. "ASes Reachability": y-axis Percentage Reachability (0 to 100), x-axis No. of Hrs Passed (1 to 463). Second chart: y-axis No. of ASes (0 to 100), x-axis No. of ASes (1 to 457)]

Page 27: Experimental Methodology

Initial experimental Results: Comparison of False Alarms with PGBGP
Data collected
○ PGBGP suspicious Announcements (5/2006-3/2009), Provided by Josh Karlin
○ Public RIR/IRR data
○ Hubble unreachability statistics
Run checks to see whether routes are suspicious as announced by PGBGP IAR.
Result: Too much suspicion is not good

Page 28: PG-BGP Alerts 5/2006-3/2009

[Figure: bar chart of PG-BGP alert counts by year, x-axis 2006, 2007, 2008, 2009; values shown on the bars: 261387, 90564, 119734, 59277]

Page 29: PG-BGP Suspicious over the years, month wise

[Figure: monthly count of PG-BGP suspicious announcements, y-axis 0 to 60000, x-axis months from 2006/5 to 2009/3]

Page 30: Comparison with PGBGP

PGBGP marks new routes suspicious if they do not conform to the History BGP [24 hrs]
PIPA: Let them work but observe their performance (unreachabilities)

[Figure: "False Alarms" bar chart, y-axis False Hijack Detection (0 to 90), one bar each for PIPA and PGBGP]

Page 31: Conclusion & Future Work

Extensive Review of existing solutions
Inclusion of New data source for PH detection: "unreachability" data collected in real time.
Can Internet Self recover from PH?
○ Proposed PH recovery mechanism
○ Where can we find self healing property of Internet?
We are working on the full level implementation and experimental results of PIPA


Page 33: Some ? To myself

What about the current state of implementation of PKI for DNSSEC/WhoIS. How can we include/adopt that?
How to deploy PIPA?
How does PIPA detect MITM???

Page 34: References

[Ethan K. et al] Studying Black Holes in the Internet with Hubble, http://hubble.cs.washington.edu
[M. Lad et al.] PHAS: A Prefix Hijack Alert System, in USENIX Security Symposium 2006.
[Hu et al.] Accurate Real-time Identification of IP Prefix Hijacking, IEEE Security and Privacy, Oakland, 2007.
[J. Karlin et al.] Pretty Good BGP: Improving BGP by Cautiously Adopting Routes, IEEE ICNP 2006, Santa Barbara, CA, USA, Nov. 2006.
• Internet Alert Registry [http://iar.cs.unm.edu]
[G. Siganos et al.] A Blueprint for Improving the Robustness of Internet Routing, Security '06, 2006.