2012/11/14 IMC12@Boston 1
Detecting Prefix Hijackings in the Internet with Argus
Xingang Shi Yang Xiang Zhiliang Wang Xia Yin Jianping Wu
Tsinghua University
Outline
• Introduction
  – Prefix Hijacking
  – Existing Detection Methods
• Argus
  – Key Observation & Algorithm
  – System Architecture & Implementation
• Internet Monitoring Practice
  – Evaluation
  – Statistics
  – Case Studies
• Conclusion
Inter-domain Routing
Figure: a toy Internet of ASes 1–8. AS 7 originates prefix f and advertises it in a BGP UPDATE; as the UPDATE propagates, each AS prepends itself to the AS-path of f (<7> as sent by AS 7, <1 7> as re-announced by AS 1).
Prefix Hijacking
Figure: the same topology, now with AS 8 sending a hijacking UPDATE for f with AS-path <8>. ASes that prefer <8> over the legitimate <1 7> are polluted and forward traffic for f to AS 8.
Black-holing Hijackings
• Packets dropped by the attacker
• Also caused by unintentional mis-configurations
  – 2010, China Tele. hijacked 15% of Internet
  – 2008, Pakistan Tele. hijacked YouTube for 2 hours
• Other types, such as imposture/interception
  – Harder to detect
  – Countered by E2E mechanisms, e.g., IPsec, HTTPS
Challenges of Hijacking Detection
Hijacking can pollute a large number of ASes in several seconds!
Figure: the challenges of detection (a real system or service; monitoring the whole Internet; a robust channel to notify the attacker; sub-prefix hijacking being more aggressive; benign route events that look similar: multi-homing, TE, BGP anycast, backup links, route failure, policy change) set against the six requirements used to rate detection systems throughout the talk: short delay, high accuracy, easy to deploy, high scalability, attacker's info, sub-prefix hijacking.
Existing Control or Data Plane Methods
• Complementary advantages (each class rated against: short delay, high accuracy, easy to deploy, high scalability, attacker's info, sub-prefix hijacking)
• Data-plane probing
  – iSPY [SIGCOMM '08]
  – Reference Point [SIGCOMM '07]
• Control-plane monitoring
  – BGPmon.net
  – PHAS, Cyclops
  – MyASN
Hybrid: control & data plane
• Hybrid solution [S&P '07]
  – Control-plane driven: monitoring anomalous routes
  – Data-plane verification: whether it is a hijacking
• Cons.
  – Minutes of detection delay
    • Traceroute, nmap, IP/TCP timestamp, reflect scan, …
  – Hard to deploy
    • PlanetLab
  – BGP anycast
• Lack of correlation between control and data plane status
Our Approach
Figure: Argus combines control-plane monitoring, data-plane probing and a hybrid correlation of the two; each is rated against the six requirements (short delay, high accuracy, easy to deploy, high scalability, attacker's info, sub-prefix hijacking).
Key Observations: Relationship between Control and Data Plane
• Only part of the Internet is polluted
• Distinguishable from other route events
Figure: four panels of normal and affected ASes, with probes that do or do not get a reply: (a) multi-origin, traffic engineering; (b) route failure; (c) route migration; (d) hijacking.
Status Matching
• Eyes of Argus: public route-servers, looking-glasses
  – Simple & fast commands: show ip bgp, ping
• Eye j at time t
  • Control plane Ct,j: not affected by the anomalous route?
  • Data plane Dt,j: live IP in the corresponding prefix can be reached?
Figure: prefix f with eyes eye1 … eye5 placed in the ASes of the toy topology; each eye reports a (Ct,j, Dt,j) pair, giving for example
Ct = {Ct,j} = [1, 0, 1, 0, 0]
Dt = {Dt,j} = [1, 0, 1, 0, 0]
Fingerprint:

$$F_t = \frac{\sum_{j=1}^{N} (C_{t,j} - \bar{C}_t)(D_{t,j} - \bar{D}_t)}{\sqrt{\sum_{j=1}^{N} (C_{t,j} - \bar{C}_t)^2 \sum_{j=1}^{N} (D_{t,j} - \bar{D}_t)^2}}$$
Identification of Prefix Hijacking
• Prefix hijacking: Ft → 1.0 (Ft ≥ threshold μ)
Figure: route events placed on the plane of fingerprint Ft (from -1 to 1) against reachability Dt (from 0 to 1): prefix hijacking at Ft → 1; route migration at Ft → -1; TE, multi-homing, anycast, … near Ft ≈ 0 with Dt = 1; route failure, firewall, inactive host, … with Dt = 0.
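The status matching and identification steps of the last two slides, carried through in Python as an added example (this is not code from the Argus project). Each eye j reports Ct,j and Dt,j, the fingerprint is the Pearson correlation defined above, and the regions of the figure become the return values of classify(). The threshold μ=0.6 is the value the evaluation used; the handling of a constant status vector, where the correlation is undefined, is my own assumption and is labelled in the code.

```python
"""Argus-style status matching and fingerprint (added example, not Argus code).

Assumptions: each eye j reports two bits for an anomalous prefix f at time t.
  C[j] = 1 if the eye's control plane (show ip bgp) is NOT affected by the
         anomalous route, 0 if it is polluted.
  D[j] = 1 if a live IP in f answers ping from that eye, 0 otherwise.
The fingerprint F_t is the Pearson correlation of C and D; the thresholds
follow the slides (hijacking when F_t >= mu, with mu = 0.6 in the evaluation).
"""
from math import sqrt


def fingerprint(C, D):
    """Pearson correlation of the control-plane and data-plane status vectors.

    Returns None when either vector is constant, because the correlation is
    then undefined (assumption: e.g. every eye still reaches f, as in TE/anycast).
    """
    if len(C) != len(D) or not C:
        raise ValueError("C and D must be non-empty and of equal length")
    n = len(C)
    c_mean, d_mean = sum(C) / n, sum(D) / n
    cov = sum((c - c_mean) * (d - d_mean) for c, d in zip(C, D))
    var_c = sum((c - c_mean) ** 2 for c in C)
    var_d = sum((d - d_mean) ** 2 for d in D)
    if var_c == 0 or var_d == 0:
        return None
    return cov / sqrt(var_c * var_d)


def classify(C, D, mu=0.6):
    """Place one (C_t, D_t) observation in the regions of the slide-15 figure."""
    F = fingerprint(C, D)
    reach = sum(D) / len(D)          # fraction of eyes that reach f
    if F is None:
        if reach == 1.0:
            # polluted and unpolluted eyes both reach f: multi-origin, TE, anycast
            return "benign: TE / multi-homing / anycast"
        if reach == 0.0:
            return "unreachable: route failure / firewall / inactive host"
        return "undetermined: same control-plane status at every eye"
    if F >= mu:
        # polluted eyes lose reachability, unpolluted eyes keep it
        return "prefix hijacking"
    if F <= -mu:
        # polluted eyes reach f while unpolluted eyes do not: route migration
        return "route migration"
    return "benign: fingerprint near 0"


# Constructed observations from five eyes (the vectors on the status-matching slide).
C_HIJACK = [1, 0, 1, 0, 0]
D_HIJACK = [1, 0, 1, 0, 0]
D_MIGRATION = [0, 1, 0, 1, 1]
D_ANYCAST = [1, 1, 1, 1, 1]

if __name__ == "__main__":
    for name, D in (("hijack", D_HIJACK), ("migration", D_MIGRATION), ("anycast", D_ANYCAST)):
        print(name, fingerprint(C_HIJACK, D), classify(C_HIJACK, D))
```

With the slide's own vectors the fingerprint is exactly 1.0; flipping the data-plane bits gives -1.0, the route-migration corner of the figure; when every eye can still reach f the data-plane vector is constant and the observation is treated as benign regardless of the control-plane split.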
Type of Anomalies
• AS-path p = <an, …, ai+1, ai, ai-1, …, a0>
  – OA: Origin Anomaly
    • Anomalous origin AS: pa = <a0, f>
  – AA: Adjacency Anomaly
    • Anomalous AS pair in AS-path: pa = <aj, aj-1>
  – PA: Policy Anomaly
    • Anomalous AS triple in AS-path: pa = <aj+1, aj, aj-1>
Figure: three panels (OA, AA, PA) on a topology where AS 1 is the victim originating prefix f, AS 3 is the attacker, ASes 2 and 4 are normal ASes, and links are customer-provider or peer-peer. Normal UPDATE vs. hijacking UPDATE: OA 〈1〉 vs. 〈3〉; AA 〈1〉 vs. 〈3,1〉; PA 〈3,2,1〉 vs. 〈4,3,2,1〉. Shaded ASes are polluted.
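The three anomaly types, as an added Python example (not the Argus code): a baseline of origin ASes, AS pairs and AS triples is learned from earlier UPDATEs and each new UPDATE for prefix f is checked against it. The prefixes and the history in slide16_baseline() are constructed to match the figure above. Two rules are my own assumptions and are marked in the code: a more specific of a known prefix with no history of its own is checked against the enclosing prefix's origins (the sub-prefix case), and an unseen triple counts as a policy anomaly only when both of its adjacencies are already known.

```python
"""OA / AA / PA anomaly extraction from BGP UPDATEs (added example, not Argus code).

Assumptions: a baseline is learned from earlier, normal UPDATEs: for each
prefix the set of origin ASes, and across all AS-paths the sets of AS pairs
(adjacencies) and AS triples. A new UPDATE for prefix f with AS-path
p = <a_n, ..., a_1, a_0> (origin a_0 last) is checked against that baseline.
"""
import ipaddress
from collections import defaultdict


class Baseline:
    def __init__(self):
        self.origins = defaultdict(set)  # prefix -> set of origin ASes
        self.pairs = set()               # (a_j, a_j-1) adjacencies seen
        self.triples = set()             # (a_j+1, a_j, a_j-1) triples seen

    def learn(self, prefix, path):
        """Record a normal UPDATE: prefix string, AS-path as a list of ints."""
        self.origins[ipaddress.ip_network(prefix)].add(path[-1])
        self.pairs.update(zip(path, path[1:]))
        self.triples.update(zip(path, path[1:], path[2:]))

    def _covering(self, net):
        """Most specific known prefix equal to or enclosing net, or None."""
        cands = [p for p in self.origins
                 if p.version == net.version and net.subnet_of(p)]
        return max(cands, key=lambda p: p.prefixlen) if cands else None

    def anomalies(self, prefix, path):
        """Return [(type, pa), ...] for one UPDATE; empty list if it looks normal."""
        net = ipaddress.ip_network(prefix)
        origin = path[-1]
        found = []
        known = self._covering(net)
        if known is None:
            found.append(("OA", (origin, str(net))))      # prefix never seen before
        elif origin not in self.origins[known]:
            # Assumption: a new more-specific inherits the enclosing prefix's origins.
            kind = "OA" if known == net else "OA(sub-prefix)"
            found.append((kind, (origin, str(net))))
        for pair in zip(path, path[1:]):
            if pair not in self.pairs:
                found.append(("AA", pair))
        for tri in zip(path, path[1:], path[2:]):
            # Assumption: only a triple whose two adjacencies are known is a PA;
            # otherwise the unknown adjacency was already reported as AA.
            if tri not in self.triples and tri[:2] in self.pairs and tri[1:] in self.pairs:
                found.append(("PA", tri))
        return found


def slide16_baseline():
    """Constructed history for the figure's topology: AS 1 originates f
    (10.0.0.0/24 here, a made-up prefix), AS 2 and AS 3 relay it, and AS 4
    has been seen adjacent to AS 3 on another made-up prefix."""
    b = Baseline()
    b.learn("10.0.0.0/24", [1])
    b.learn("10.0.0.0/24", [2, 1])
    b.learn("10.0.0.0/24", [3, 2, 1])
    b.learn("10.1.0.0/24", [4, 3])
    return b


if __name__ == "__main__":
    b = slide16_baseline()
    for path in ([3], [3, 1], [4, 3, 2, 1]):
        print(path, b.anomalies("10.0.0.0/24", path))
    print("sub-prefix", b.anomalies("10.0.0.128/25", [5]))
```

The three hijacking UPDATEs of the figure each produce exactly one anomaly of the expected type, while the normal path 〈3,2,1〉 produces none; a /25 inside the victim's /24 announced by a fresh origin is reported as a sub-prefix origin anomaly.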
Architecture of Argus
Figure: three modules around the victim prefix f.
– Anomaly Monitoring Module: live BGP feed from BGPmon → Parse → Detect against the learned origin ASes, AS pairs and AS triples → outputs prefix f with anomaly pa (OA / AA / PA) plus statistics.
– Live-IP Retrieving Module: CAIDA and iPlane daily traceroutes → Extract live-IP candidates → Test → live IP i in f.
– Hijacking Identification Module: the eyes of Argus (public route-servers & looking-glasses) run show ip bgp and ping toward i → Fingerprint → Identify → Hijacking Alarm.
System Deployment
• Launched in May 2011, running for more than one year
• Live BGP feed collected from ~130 peers
  – BGPmon: http://bgpmon.netsec.colostate.edu/
  – 10GB of BGP UPDATEs per day, 20Mbps peak
• 389 eyes, in 41 transit ASes
• Online notification services
  – (AS-4847) Mailing list
  – (AS-13414, AS-35995) Twitter
  – (AS-4538) Website, web service APIs
Argus is Online
• 40k anomalous route events
• 220 stable hijackings
  – Ft ≥ μ lasts for more than T seconds
  – μ: fingerprint threshold of hijacking
  – T: duration threshold of stable hijacking
Figure: fingerprint (Ft) distribution of all stable hijackings.
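The stable-hijacking rule above, together with the delay definitions of the next slide, as an added Python example (not the Argus code). It assumes the identification module samples Ft for one anomaly over a window of W seconds and declares a stable hijacking once Ft ≥ μ has held, uninterrupted, for more than T seconds; μ=0.6, T=10 and W=120 are the values given on the slides, and the sample series are constructed.

```python
"""Stable-hijacking decision and delay accounting (added example, not Argus code).

Assumptions: F_t is sampled for one anomaly during a window of W seconds;
mu is the fingerprint threshold, T the duration threshold. A sample with
undefined F_t (constant status vectors) is treated as not alarming.
Parameter values are the ones on the slides (mu=0.6, T=10, W=120).
"""
MU, T, W = 0.6, 10, 120


def stable_hijacking(samples, mu=MU, duration=T, window=W):
    """samples: [(t_seconds, F_t or None), ...] sorted by time, with t counted
    from the first polluted eye. Returns (is_stable, first_alarm_t)."""
    first_alarm = None
    run_start = None
    for t, f in samples:
        if t > window:
            break                      # identification stops after W seconds
        if f is not None and f >= mu:
            if first_alarm is None:
                first_alarm = t        # first alarm: F_t >= mu
            if run_start is None:
                run_start = t          # start of the current run above mu
            elif t - run_start > duration:
                return True, first_alarm
        else:
            run_start = None           # F_t dropped below mu: restart the clock
    return False, first_alarm


def delays(first_update_t, first_polluted_eye_t, first_alarm_t):
    """Detection delay (first anomalous UPDATE -> first polluted eye) and
    identification delay (first polluted eye -> first alarm), absolute times."""
    return (first_polluted_eye_t - first_update_t,
            first_alarm_t - first_polluted_eye_t)


# Constructed fingerprint series (seconds after the first polluted eye).
STEADY = [(0, None), (1, 0.3), (2, 0.7), (4, 0.8), (7, 0.9), (10, 0.95), (13, 1.0)]
FLAPPING = [(0, 0.7), (5, 0.2), (8, 0.8), (15, 0.9), (17, 0.2), (30, 0.9)]

if __name__ == "__main__":
    print("steady  ", stable_hijacking(STEADY))
    print("flapping", stable_hijacking(FLAPPING))
    print("delays  ", delays(100.0, 101.5, 103.5))
```

The steady series alarms at t=2 and becomes a stable hijacking once the run passes T seconds; the flapping series alarms just as early but never holds above μ long enough, which is the distinction between the 40k anomalous events and the 220 stable hijackings.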
False Positive
• Directly contacted network operators (March–April, 2012)
  – 10/31 confirmed our hijacking alarms
  – No objection
• ROA: Route Origin Authorization
  – 266 anomalies with ROA records
  – False positive 0% (μ=0.6, T=10, #eyes=40)
• IRR: Internet Routing Registry
  – 3988 anomalies with IRR records
  – False positive 0.2% (μ=0.6, T=10, #eyes=40)
Delay
• Detection delay
  – 60% less than 10 seconds
• Identification delay
  – 80% less than 10 seconds
  – 50% less than 1 second
Figure: timeline of one hijacking. Detection delay runs from the first anomalous UPDATE to the first polluted eye; identification delay runs from the first polluted eye to the first alarm (Ft ≥ μ).
Statistics - Overview
• Adjacency/Policy based hijackings do exist
Figure: weekly # of stable hijackings.
Total # of route anomalies and stable hijackings in one year:

              Total   OA (origin AS)   AA (Adjacency)   PA (Policy)
Anomalies     40k     20k              6.7k             13.3k
Hijackings    220     122              71               27
Statistics - Hijacking duration
• Stable hijacking duration: live time of the anomalous route
  – 20+% of hijackings last <10 minutes
  – Long hijackings also exist
Statistics - Prefix length
• Stable hijackings with most specific prefix
  – 91% of hijacked prefixes are most specific
  – 100% of hijacked prefixes with length <= 18 are most specific
• 10% of stable hijackings are sub-prefix hijackings
Statistics - Pollution scale
• 20% stable hijackings could pollute 80+ transit ASes
Statistics - Pollution speed
• 20+ transit ASes are polluted in 2 minutes
• For hijackings that polluted 80+ transit ASes
  – 50% of the Internet is polluted within 20 seconds
  – 90% of the Internet is polluted within 2 minutes
Case Studies
• OA hijackings (confirmed by email)
  – Missing route filters
  – Network maintenance misplay
  – Premature migration attempt
  – Sub-prefix hijacking
• AA hijackings (confirmed by email)
  – Mis-configuration in TE
  – AS-path poisoning experiment
• PA hijackings (verified in IRR)
  – Import policy violation
  – Export policy violation
OA Hijackings
• Missing route filters
• Network maintenance misplay

Time            Prefix               Normal Origin            Anomalous Origin        Duration   Delay
Nov. 27, 2011   166.111.32.0/24, …   AS-4538 CERNET, CN       AS-23910 CERNET-2, CN   10+ sec    10 sec
Mar. 20, 2012   193.105.17.0/24      AS-50407 Douglas, DE     AS-15763 DOKOM, DE      12 min     5 sec
OA Hijackings
• Premature migration attempt
• Sub-prefix hijacking

Time            Prefix                              Normal Origin            Anomalous Origin       Duration   Delay (sec)
Apr. 04, 2012   91.217.242.0/24                     AS-197279 WizjaNet, PL   AS-48559 Infomex, PL   17 min     9
Mar. 22, 2012   12.231.155.0/24 (in 12.128.0.0/9)   AS-7018 AT&T, US         AS-13490 Buckeye, US   16 min     7
AA Hijackings
• Mis-configuration in TE
  – AS-38794 (BB-Broadband, TH) is a new provider of AS-24465 (Kasikorn, TH)
• AS-path poisoning experiment [SIGCOMM '12]
  – BBN announces loop AS-paths <47065, x, 47065> for experimental purposes

Time            Prefix             AS-path                                Delay (sec)
Apr. 12, 2012   210.1.38.0/24      <3043 174 38082 38794 24465>           12
Mar. 31, 2012   184.464.255.0/24   <4739 6939 2381 47065 19782 47065>     4
PA Hijackings
• Import policy violation
• Export policy violation

Time            Prefix            AS-path                                    Delay (sec)
Apr. 19, 2012   77.223.240.0/22   <4739 24709 25388 21021 12741 47728>       9
Apr. 16, 2012   195.10.205.0/24   <3043 174 20764 31484 3267 3216 35813>     5
Figure: IRR info. of AS-21021 (Multimedia, PL) and IRR info. of AS-31484 (OOO Direct Tele., RU), shown as registry screenshots.
Non-hijacking Anomalies
• TE using BGP anycast
  – 193.0.16.0/24 (DNS root-k) suddenly originated by AS-197000 (RIPE)
  – Ft → 0, Dt = 1
• TE with backup links
  – AS-12476 (Aster, PL) announced prefix to a new provider AS-6453 (Tata, CA)
  – Ft → 0, Dt = 1
• Route migration
  – Prefix owner changed from AS-12653 (KB Impuls, GR) to AS-7700 (Singapore Tele)
  – Ft → -1
Conclusion of Our Contributions
Figure: Argus rated against the six requirements (short delay, high accuracy, easy to deploy, high scalability, attacker's info, sub-prefix hijacking), with the supporting points:
• 80% delay <10 seconds
• 20% of stable hijackings last <10 minutes, some can pollute 90% of the Internet in <2 minutes
• OA, AA, PA anomalies
• ROA, IRR, email confirmation
• show ip bgp, ping
• Publicly available external resources
• Anomaly driven probing
• Monitoring the whole Internet
• Live BGP feed from BGPmon
• Victims can be notified through several channels
• 10% of stable hijackings are sub-prefix hijackings
One year's Internet detection practice.
"Now Argus had a hundred eyes in his head, and never went to sleep with more than two at a time, so he kept watch of Io constantly."
-- Thomas Bulfinch, The Age of Fable (Philadelphia: Henry Altemus Company, 1897)
Clip produced by the Florida Center for Instructional Technology, College of Education, University of South Florida
Thanks! Q & A
• Algorithm for realtime & accurate hijacking detection
• Online system that monitors the whole Internet
• Online services for network operators / researchers
• One year of Internet-wide hijacking detection practice
• Root cause analysis of hijackings and anomalies
twitter.com/sharangxytli.tl/argus
Backups
We focus on black-hole hijackings
• Mis-configuration typically causes black-holing
  – 2010, China Tele. hijacked 15% of Internet
  – 2008, Pakistan Tele. hijacked YouTube for two hours
• ISPs are trustworthy; malicious attacks are relatively rare
• Perfect imposture/interception is difficult
  – Mimic all behaviors, forward all the traffic
• Detecting interception is hard: any AS on the path is a potential MITM
• E2E mechanisms are more effective in preventing imposture/interception
Anomaly Monitoring Module
• Live BGP feed, collected from ~130 peers
  – BGPmon: http://bgpmon.netsec.colostate.edu/
• 10GB of BGP UPDATEs per day, 20Mbps peak
  – 4-stage pipeline processing
  – Parallel UPDATE parser
  – Mem-cached DB read, batch write
Figure: pipeline. BGPmon live BGP feed → Recv. into an XML-UPDATE queue → parallel Parsers → UPDATE(f, p) queue → Clean & Sort into the UPDATE pool → Stat. over origin ASes, AS pairs and AS triples → OA / AA / PA output as (prefix f, anomaly pa).
Live-IP Retrieving Module
• Live-IP candidates in prefix f
  – Traceroute results, DNS records
  – Possible gateways
    • The first/last IP in every sub-prefix
• 512-parallel checking, find a live target in <1 second
Figure: CAIDA and iPlane daily traceroutes, DNS records and HE feed Extract & Guess → live-IP candidates → parallel Check → live IP i in f.
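The candidate generation and parallel check described on this slide, as an added Python example (not the Argus code). Observed traceroute and DNS addresses come first, then the first and last host address of every sub-prefix of f as "possible gateways"; that ordering, and the depth limit on sub-prefixes, are my own choices. The probe function is injected so the script runs offline: the constructed LIVE set stands in for ping replies, and the TEST-NET prefix and addresses are made up.

```python
"""Live-IP candidate generation and parallel liveness check (added example,
not Argus code). Assumptions: candidates inside prefix f are observed IPs
(traceroute, DNS) first, then the first and last host address of every
sub-prefix of f down to a chosen length, shallow sub-prefixes before deep
ones. The probe is injected so the script runs offline.
"""
import ipaddress
from concurrent.futures import ThreadPoolExecutor


def candidates(prefix, traceroute_ips=(), dns_ips=(), max_len=None):
    """Ordered, de-duplicated live-IP candidates (as strings) inside prefix."""
    net = ipaddress.ip_network(prefix)
    seen, out = set(), []

    def add(ip):
        ip = ipaddress.ip_address(ip)
        if ip in net and ip not in seen:   # drop addresses outside f and repeats
            seen.add(ip)
            out.append(str(ip))

    for ip in list(traceroute_ips) + list(dns_ips):
        add(ip)
    # Possible gateways: first/last host of every sub-prefix, shallow first.
    # Stop at /30 (v4) or /126 (v6) so first/last host addresses are meaningful.
    deepest = net.max_prefixlen - 2
    if max_len is None:
        max_len = min(deepest, net.prefixlen + 6)   # assumption: bound the fan-out
    for plen in range(net.prefixlen, min(max_len, deepest) + 1):
        for sub in net.subnets(new_prefix=plen):
            add(sub[1])     # first host address of the sub-prefix
            add(sub[-2])    # last host address of the sub-prefix
    return out


def find_live(cands, probe, parallel=512):
    """Probe candidates concurrently (512-wide as on the slide); return the
    first candidate in list order that answers, or None."""
    if not cands:
        return None
    with ThreadPoolExecutor(max_workers=min(parallel, len(cands))) as ex:
        for ip, alive in zip(cands, ex.map(probe, cands)):
            if alive:
                return ip
    return None


# Constructed data: TEST-NET-3 prefix, two observed IPs, one host that answers.
PREFIX = "203.0.113.0/24"
TRACEROUTE_IPS = ["203.0.113.9", "198.51.100.1"]   # second one lies outside f
DNS_IPS = ["203.0.113.80"]
LIVE = {"203.0.113.126"}


def demo_probe(ip):
    """Stand-in for ping: True if the constructed host is 'up'."""
    return ip in LIVE


def demo():
    return find_live(candidates(PREFIX, TRACEROUTE_IPS, DNS_IPS), demo_probe)


if __name__ == "__main__":
    cands = candidates(PREFIX, TRACEROUTE_IPS, DNS_IPS)
    print(len(cands), "candidates, first five:", cands[:5])
    print("first live target:", demo())
```

For a /24 the gateway guesses reduce to the 128 first/last hosts of its /30 blocks plus whatever was observed, so the whole candidate list is small enough to probe in one parallel sweep; the address outside f is discarded before any probe is sent.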
Hijacking Identification Module
• Distinguish hijacking from other route events
  – Acquire Ct and Dt
  – Calculate Ft
  – Last for W=120 seconds for every anomaly
• N=389 eyes, in 41 transit ASes
• Online services
  – (AS-4847) Mailing list
  – (AS-13414, AS-35995) Twitter
  – (AS-4538) Website, web service APIs
Figure: for victim prefix f with anomaly pa and live IP i in f, the eyes of Argus (public route-servers & looking-glasses) run show ip bgp and ping → Fingerprint → Identify → Hijacking Alarm.