
Network Reachability-based IP Prefix Hijacking Detection - PhD Thesis Defense -

Seongcheol Hong, Supervisor: Prof. James Won-Ki Hong, December 16, 2011. Distributed Processing & Network Management Lab., Dept. of Computer Science and Engineering, POSTECH, Korea.


Presentation Transcript


  1. Network Reachability-based IP Prefix Hijacking Detection - PhD Thesis Defense - Seongcheol Hong, Supervisor: Prof. James Won-Ki Hong, December 16, 2011, Distributed Processing & Network Management Lab., Dept. of Computer Science and Engineering, POSTECH, Korea

  2. Presentation Outline • Introduction • Related Work • Research Approach • Reachability Based Hijacking Detection (RBHD) • Evaluation and Results • Conclusions

  3. Introduction
  • Routing protocols communicate reachability information and perform path selection
  • BGP is the Internet’s de facto inter-domain routing protocol
  * Figure: AS 1 and AS 2 advertising 1.10.0.0/16 over iBGP and eBGP (ASes shown: AS 1, AS 2, AS 300)

  4. Introduction
  • What is IP prefix hijacking?
    • Stealing IP addresses belonging to other networks
    • It can occur on purpose or by mistake
    • Serious threat to the robustness and security of the Internet routing system
  • IP prefix hijacking attack types
    • NLRI falsification
    • AS path falsification
  • IP prefix hijacking incidents
    • AS 7007 incident
    • YouTube hijacking
    • Chinese ISP hijacking
  * Figure: both the victim and the attacker advertise 1.2.0.0/16 into a topology of AS 1 to AS 5

  5. Research Motivation
  • IP prefix hijacking is a crucial problem in Internet security
  • A number of efforts have been introduced
    • Security enabled BGP protocols
    • Hijacking detection methods
  • Every existing BGP security solution has limitations
    • Security enabled BGP protocols are impractical to deploy
    • Hijacking detection methods cannot detect every type of IP prefix hijacking threat
  • We need a novel approach which is practical and covers all types of IP prefix hijacking attacks

  6. Research Goals
  • Target approach
    • Security enabled BGP protocol
    • IP prefix hijacking detection method
  • Developing a new approach which is practical and detects all types of IP prefix hijacking
    • The IP hijacking detection system does not require cooperation of ASes and does not have to be located in a specific monitoring point
  • The proposed approach should be validated in simulated environments using real network data

  7. Related Work • Security enabled BGP protocol

  8. Related Work • Existing IP hijacking detection methods

  9. Related Work • Comparison among IP hijacking detection methods

  10. Research Approach
  • IP prefix hijacking detection based on network reachability
  * Figure: the attacker advertises 1.2.0.0/16 (owned by the victim, AS 1); the detector asks “Multiple origin AS?”, runs a reachability test (“Reached the intended network?”) against 1.2.0.0/16 and concludes “This update is IP hijacking case”

  11. Reachability-Based Hijacking Detection (RBHD)

  12. Network Reachability Examination
  • IP prefix hijacking is an attack which influences the network reachability
  • We have developed network fingerprinting techniques for network reachability examination
    • Network fingerprinting is active or passive collection of characteristics from a target network (AS level)
    • A network fingerprint should be unique, so that it distinguishes a certain network
  * Figure: two networks A and B; A = B if and only if Fingerprint_A = Fingerprint_B

  13. Network Fingerprinting
  • What can uniquely characterize a network?
    • IP prefix information
    • Number of running servers in the network
    • A static live host or device in the network (e.g., IDS or IPS)
    • Firewall policy
    • Geographical location of the network
    • Etc.
  • We have selected static live host information and firewall policy as network fingerprints
    • Static live host: Web server, mail server, DNS server, IPS device, etc.
    • Firewall policy: allowed port numbers or IP addresses
    → Both are not changed frequently

  14. Static Live Host
  • Requirements of live hosts
    • Operated in most ASes
    • Easy to obtain IP addresses
    • Always provide services for its AS
    • Allow external connection and respond to active probing
  • DNS server satisfies all of these requirements
    • Provides a conversion service between domain names and IP addresses
    • Part of the core infrastructure of the Internet
    • Always provides service and allows external connections from any host

  15. DNS Server List Collection
  • BGP-RIB of RouteViews
    • ‘RouteViews’ collects global routing information
    • RIB consists of IP prefixes and AS paths
  • DNS server collection process
  * Figure: DNS server collection process

  16. DNS Server Fingerprinting
  • Host fingerprint of DNS server is used as network fingerprint
  • DNS server fingerprinting
    • DNS protocol information
    • DNS domain name information
    • DNS server configuration information

  17. Firewall Policy as Alternative Fingerprint
  • DNS host fingerprints are not sufficient for reachability monitoring of all ASes in the Internet
    • There are ASes in which no DNS server is found (such as IXes)
  • Suitability of firewall policies as network fingerprints
    • The number of possible combinations is huge
      • Protocol
      • Port number
      • IP address
    • E.g.) ACCEPT TCP from anywhere to 224.0.0.251 TCP Port:80; REJECT ICMP from anywhere to anywhere ICMP unreachable
  • Firewall policy fingerprinting is performed by active probing
    • Direction
    • Permission
  * Figure: probing packets sent toward the target network

  18. Reachability-Based Hijacking Detection (RBHD)
  • Identification of NLRI falsification
  • Identification of AS path falsification
  • DNS host fingerprinting
  • Firewall policy fingerprinting
  * Figure (decision flow): BGP update → NLRI falsification? → AS path falsification? If neither (N, N): valid update. If either (Y): an available DNS server in the target network? Y: collect DNS host fingerprints; N: collect firewall policy fingerprints. Match the existing fingerprints? Y: valid update; N: invalid update
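A compact model of the slide 18 decision flow, added here as an example and not code from the thesis; the MOAS-based NLRI check, the adjacency-based AS path check, and all prefixes, AS numbers and fingerprint strings are assumptions constructed for illustration:

```python
import ipaddress

# Constructed state a monitor would hold before the update arrives (assumptions).
KNOWN_ORIGINS = {"1.2.0.0/16": {1}}              # prefix -> legitimate origin ASes
KNOWN_LINKS = {(1, 2), (2, 4), (2, 5), (3, 4)}   # AS adjacencies seen in the RIB
DNS_FINGERPRINTS = {"1.2.0.0/16": "bind|ns1.victim.example|recursion:no"}
FW_FINGERPRINTS = {"1.2.0.0/16": frozenset({"ACCEPT tcp/80", "REJECT icmp"})}


def covering_prefix(prefix):
    """Return the known prefix that contains `prefix` (itself included), else None."""
    net = ipaddress.ip_network(prefix)
    for known in KNOWN_ORIGINS:
        if net.subnet_of(ipaddress.ip_network(known)):
            return known
    return None


def nlri_falsified(prefix, origin_as):
    """NLRI falsification: the announced prefix (or a sub-prefix of a known one)
    is originated by an AS that is not a known legitimate origin (MOAS conflict)."""
    target = covering_prefix(prefix)
    return target is not None and origin_as not in KNOWN_ORIGINS[target]


def as_path_falsified(as_path):
    """AS path falsification (assumed check): some hop joins two ASes that were
    never observed as neighbours."""
    return any((a, b) not in KNOWN_LINKS and (b, a) not in KNOWN_LINKS
               for a, b in zip(as_path, as_path[1:]))


def rbhd_verdict(prefix, as_path, probe):
    """Classify one BGP update following the slide 18 flow. `probe` holds the
    fingerprints collected now by reaching the announced prefix:
    {'dns': str or None, 'firewall': frozenset}."""
    if not nlri_falsified(prefix, as_path[-1]) and not as_path_falsified(as_path):
        return "valid"                        # nothing suspicious, no probing needed
    target = covering_prefix(prefix) or prefix
    if probe.get("dns") is not None:          # a DNS server answers in the target
        expected, observed = DNS_FINGERPRINTS.get(target), probe["dns"]
    else:                                     # no DNS server: use firewall policy
        expected, observed = FW_FINGERPRINTS.get(target), probe.get("firewall")
    return "valid" if expected is not None and observed == expected else "invalid"
```

A MOAS announcement whose probe still returns the victim's stored fingerprint is accepted, which is the legitimate case of slide 36; a mismatch on either fingerprint type is reported as an invalid update.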

  19. Evaluations and Results

  20. DNS Server Collection Result
  • Current state of DNS server operation
    • 304,106 IP prefixes (8,414,294 /24 prefixes) in BGP-RIB
    • Information on 77,530 DNS servers, collected using DNS forward/reverse queries to the /24 prefixes
  * Figure: the number of IP prefixes owned by each AS

  21. Host Fingerprint Groups
  • The total number of distinguishable fingerprints is 73,781 (total DNS servers: 77,530)
  * Figure: the number of distinguishable DNS server fingerprints

  22. Uniqueness of Fingerprints
  • N: the total number of collected DNS servers
  • G: the total number of mutually exclusive fingerprints
  • For each group, n_i is defined as the number of DNS servers that belong to the i-th fingerprint group N_i
  • The collision probability P_C:
  • In our result,
    • N is 77,530 and G is 73,781
    • P_C in our experiment is 2.69 × 10^-6
  • We conclude that our proposed host fingerprinting method provides a sufficient level of distinction.

  23. Firewall Policy Examples

  24. Differences of Firewall Policies
  * Figure: firewall policies of Network A, Network B, Network C and Network D

  25. IP Prefix Hijacking Testbed
  * Figure (testbed): two networks are randomly selected (IP addresses in this slide are anonymized); labels shown: false announcement, collect AS A’s fingerprints, translate IP address (ex) 192.168.1.0 => 192.168.31.0), collect current fingerprints

  26. Conclusions
  • Summary
  • Contributions
  • Future Work

  27. Summary • We proposed a new approach that practically detects IP prefix hijacking based on network reachability monitoring • We used a fingerprinting scheme in order to determine the network reachability of a specific network • We proposed DNS host and firewall policy fingerprinting methods for network reachability monitoring • We validated the effectiveness of the proposed method in the IP hijacking test-bed

  28. Contributions • The problems of existing IP prefix hijacking detection techniques are addressed • The absence of detection techniques which deal with all IP prefix hijacking cases leads to the development of new methodologies which are suitable for the current Internet • Our approach provides the practical network fingerprinting method for the reachability test of all ASes • DNS host fingerprinting • Firewall policy fingerprinting • Novel and real-time IP prefix hijacking detection methods are described and validated with the real network data.

  29. Future Work • Enhancement of our DNS server finding and fingerprinting method • Optimization of inferring the firewall policies with small probing packets • Analyzing the performance and feasibility of our fingerprinting approach on the Internet • Applying our hijacking detection system to a real research network

  30. PhD Thesis Defense, Seongcheol Hong December 16, 2011 Q & A

  31. Appendix

  32. IP Prefix Hijacking Incidents
  • AS7007 incident
    • April 25 1997
    • Caused by a misconfigured router that flooded the Internet with incorrect advertisements
  • YouTube Hijacking
    • February 24 2008
    • Pakistan's attempt to block YouTube access within their country took down YouTube entirely
  • Chinese ISP hijacks the Internet
    • April 8 2010
    • China Telecom originated 37,000 prefixes not belonging to them

  33. Related Work • Security enabled BGP protocol

  34. Related Work • Existing IP hijacking detection methods

  35. Solution Approach
  • Research Hypothesis: An independent system can perform real-time IP prefix hijacking detection using network reachability monitoring without any changes to the existing Internet infrastructure

  36. Legitimate Case
  * Figure: AS 1 advertises 1.2.0.0/16 into a topology of AS 1 to AS 5; the detector checks “Multiple origin AS?”, performs a static link reachability test (“Reached the intended network?”), and concludes “This update is valid”

  37. Common Legitimate Cases • Xin Hu and Z. Morley Mao, “Accurate Real-time Identification of IP Prefix Hijacking”

  38. DNS Server Collection Process

  39. Distinguishable Groups of Each Fingerprint
  * Figures: DNS domain name information; DNS protocol information; DNS server configuration

  40. DNS Server Fingerprint
  * Figures: DNS server fingerprinting process; structure of DNS server fingerprint

  41. DNS Server Fingerprint Examples

  42. The Use of Sweep Line for Firewall Policy Inference • Example of the sweep line algorithm on a 2-dimensional space

  43. Inferring the Firewall Policy

  44. Inferring the Firewall Policy

  45. Suspicious Update Frequency
  • Suspicious update frequency during 2 weeks of monitoring from BGP-RIB
