Active correlation between the control and data plane: Accurate real-time identification of IP hijacking
Z. Morley Mao, University of Michigan
Data plane and control plane
• Data plane: determines data packet behavior
  • Packet forwarding
  • Packet differentiation (e.g., ACLs)
  • Buffering, link scheduling
• Control plane: controls the state of network elements
  • Route selection
  • RSVP, capability signaling, etc.
[Figure: control plane (routing session exchanging routes, fail over to an alternate route, dynamic adaptation) versus data plane (forwarding IP traffic across the Internet). Example endpoints: www.cnn.com, IP=64.236.16.52, Prefix=64.236.16.0/20; Bear.eecs.umich.edu, IP=141.212.110.196, Prefix=141.212.0.0/16]
Consistency between them
• Consistency: (routing) state advertised by the control plane is enforced by the data plane
• Inconsistency due to
  • Routing anomalies
  • Misconfigurations
  • Protocol anomalies
  • Malicious behavior
• Main insight: use expected consistency to identify routing problems.
IP hijacking
• An example routing attack
• Steal IP addresses belonging to other networks
• Also known as BGP hijacking
• Achieved by announcing unauthorized prefixes on purpose or by accident
Reasons for IP hijacking
• Conduct malicious activities
  • Spamming, illegal file sharing, advertising
• Disrupt communication of legitimate hosts
  • DoS attacks
• Inherent advantage
  • Hides the attacker's identity
  • Difficult to trace back
Prevention through route filtering
• Analogous to ingress/egress filtering for traffic
• Filter route announcements to preclude prefixes not owned by customers
• Lack of knowledge of address blocks owned by customers
• Difficult to enforce across all networks
• Filtering impossible along peering edges
Our approach
• Goal:
  • Detect and thwart potential IP hijacking attempts
  • Reduce false positive/negative rate (compared with stale registry data and other timing-based techniques)
  • Light-weight and real-time detection
• Approach:
  • Real-time monitoring and active/passive fingerprinting triggered by suspicious routing updates
  • Identify conflicting data-plane fingerprints indicating "successful" IP hijacking
Comprehensive classification of hijacking
• Hijack only the prefix
• Hijack both the prefix and the AS number
• Hijack a subnet of an existing prefix
• Hijack a prefix subnet and the AS number
Hijacking only the prefix
• Attacker announces a prefix belonging to another AS using his own AS number.
• Leads to MOAS (Multiple Origin AS) conflicts
Hijack both the prefix and AS
• Announce a path through itself to other ASes and their prefix
• AS M announces a path [AS M, AS 1] to reach prefix 141.212.110.0/24
Hijack a subnet of an existing prefix
• In the previous attack models, the hijacker has to compete with the victim to attract traffic.
• Announcing only a subnet of another AS's prefix avoids the competition altogether due to the longest prefix matching rule of BGP
• No apparent MOAS conflicts in the routing table! subMOAS!
Hijack a subnet of a prefix and AS number
• Announce a path to a subnet of one of the victim AS's prefixes
• No subMOAS conflicts! Most stealthy, with almost no abnormal symptom in the routing table
• Ability to receive all traffic because of longest prefix matching
Methodology
• Monitor all route updates in real time
• Given suspicious updates, use data-plane fingerprinting to reduce false positive/negative rate
• Our key insight: a real hijacking will result in conflicting fingerprints describing the edge networks
Fingerprinting
• Techniques for remotely determining the characteristics or identity of devices
• Our system employs four types of fingerprints:
  • OS detection, IP ID probing, TCP timestamp and ICMP timestamp
• Any other fingerprinting technique can be used as well, e.g. physical fingerprint
Feasibility of fingerprinting
• IP ID implementation in modern OSes
• Support for TCP/ICMP timestamps
Probe place selection
• From a single place, the probing packets can only reach either the attacker's or the victim's AS, not both.
• To probe both, we need multiple probing points.
• Use PlanetLab, which consists of more than 600 machines all over the world.
• Select probing places that are near the targets, in terms of AS path.
Detecting hijacking of a prefix
• Candidates are prefixes that have MOAS conflicts.
• Build a path tree for the prefix:
  • Select PlanetLab nodes near the different origin ASes and probe live hosts in the prefix
Detecting hijacking of prefix and AS number
• Candidates are BGP updates that violate the geographical constraint
  • ASes that are adjacent in an AS path should be located in close vicinity.
  • The invalid path announced by the attacker is very likely to violate this constraint
• Geographical locations of prefixes and ASes can be obtained from a number of commercial and public databases such as IP2Location and Netgeo
• Netgeo record for prefix 141.212.0.0/16:
  |141.212.0.0/16|237|
  COUNTRY: US
  NAME: UMNET2
  CITY: ANN ARBOR
  STATE: MICHIGAN
  LAT: 42.29
  LONG: -83.72
Detecting hijacking of a subnet of a prefix -- reflect scan
• If not hijacked, the reflected SYN/ACK packet will be sent to H2, and the IP ID value of H2 will increase
• During hijacking, the reflected SYN/ACK packet will not reach H2, and the IP ID value of H2 will not increase
Detecting hijacking of a prefix subnet and AS number
• Candidate is every new prefix that is a subnet of some prefix in its origin AS.
• Edge prevalence serves as a heuristic to reduce the target space
• Combine the geographical constraint and the reflect scan
Classifier
• For each BGP update, the classifier decides whether it is a valid update and classifies invalid updates into separate types
• The classification results are then fed to the probing module for selecting the proper probing methods
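As an added illustration (not code from the talk or its system), the following toy classifier maps a BGP update to the four hijack categories above and to the probing step the talk pairs with each: MOAS and subMOAS for origin conflicts, the geographical constraint for paths whose origin matches, and the reflect scan for a new subnet announced by the legitimate origin. The routing table, AS coordinates, the 5000 km adjacency threshold and the AS numbers other than 237 are all constructed for the example.

```python
import ipaddress
from math import asin, cos, radians, sin, sqrt

# Constructed routing state: prefix -> set of origin ASes seen so far.
# 237 is the origin of 141.212.0.0/16 from the Netgeo record above;
# 5662 is a constructed origin for the second prefix.
RIB = {
    ipaddress.ip_network("141.212.0.0/16"): {237},
    ipaddress.ip_network("64.236.16.0/20"): {5662},
}
# Constructed AS locations (lat, lon); a real classifier would look these
# up in a database such as IP2Location or Netgeo.
AS_GEO = {237: (42.29, -83.72), 1: (37.39, -122.08),
          9999: (22.28, 114.16), 5662: (33.75, -84.39)}
MAX_ADJ_KM = 5000  # assumed threshold for "close vicinity" of adjacent ASes

def haversine_km(p, q):
    """Great-circle distance between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*p, *q))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def violates_geo(as_path):
    """True if any two adjacent ASes on the path are farther apart than allowed."""
    return any(haversine_km(AS_GEO[a], AS_GEO[b]) > MAX_ADJ_KM
               for a, b in zip(as_path, as_path[1:]))

def classify(prefix, as_path):
    """Return the hijack category (and implied probing step) for one update."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    if net in RIB:                        # known prefix: check its origin set
        if origin not in RIB[net]:
            return "hijack prefix: MOAS conflict, fingerprint from both origins"
        return ("hijack prefix+AS: geo violation" if violates_geo(as_path)
                else "valid")
    covering = [p for p in RIB if net.subnet_of(p)]
    if covering:                          # new, more specific prefix
        parent = max(covering, key=lambda p: p.prefixlen)
        if origin not in RIB[parent]:
            return "hijack subnet: subMOAS conflict, fingerprint from both origins"
        return ("hijack subnet+AS: geo violation" if violates_geo(as_path)
                else "new subnet from legitimate origin: run reflect scan")
    return "new prefix, no covering route"
```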
Different signatures, example:
• 63.130.249.0/24|63.130.249.1|1273 3561|1273:planetlab-1.eecs.cwru.edu 3561:node1.lbnl.nodes.planet-lab.org

planetlab-1.eecs.cwru.edu:
Interesting ports on 63.130.249.1:
(The 1664 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
23/tcp   open     telnet
1214/tcp filtered fasttrack
6346/tcp filtered gnutella
6699/tcp filtered napster
No exact OS matches for host …

node1.lbnl.nodes.planet-lab.org:
Interesting ports on 63.130.249.1:
(The 1663 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
7/tcp  open  echo
9/tcp  open  discard
13/tcp open  daytime
19/tcp open  chargen
23/tcp open  telnet
No exact OS matches for host …
DNS Anycast - valid hijacking
• k.root-servers.net (193.0.14.129:25152)
• Violation of geographic constraint:
  • 193.0.14.0/24|25152|UK:ENGLAND (country):LONDON:51.50:-0.17|1103|NL:SOUTH HOLLAND (province):THE HAGUE:52.08:4.27|312.4
• Fingerprint from one PlanetLab node in China and my local machine in the US
K-root server results

Local machine:
[root@wing statistic]# nmap -O 193.0.14.129
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on k.root-servers.net (193.0.14.129):
(The 1667 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
53/tcp open  domain
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux 2.4.0 - 2.5.20
Uptime 26.048 days (since Thu Mar 23 06:17:24 2006)
Nmap finished: 1 IP address (1 host up) scanned in 43.319 seconds

PlanetLab node in China:
bash-2.05b# nmap -O 193.0.14.129
Interesting ports on k.root-servers.net (193.0.14.129):
(The 1664 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
53/tcp   open  domain
179/tcp  open  bgp
2601/tcp open  zebra
2605/tcp open  bgpd
Device type: general purpose
Running: FreeBSD 5.X|6.X
OS details: FreeBSD 5.2-CURRENT - 5.3 (x86) with pf scrub all, FreeBSD 5.2.1-RELEASE or 6.0-CURRENT
Uptime 119.383 days (since Mon Dec 19 22:13:54 2005)
Nmap finished: 1 IP address (1 host up) scanned in 15.899 seconds
Conclusion
• A comprehensive classification of IP hijacking
• Implemented hijacking detection using active correlation of the data and control planes
• Other uses of correlation:
  • Routing anomaly detection
  • Other routing attacks, e.g., stealthy attacks
  • Enforcement of routing behavior