Detecting Prefix Hijackings in the Internet with Argus
Download
Report
Transcript Detecting Prefix Hijackings in the Internet with Argus
Detecting Prefix Hijackings in
the Internet with Argus
Xingang Shi Yang Xiang Zhiliang Wang
Xia Yin
Jianping Wu
Tsinghua University
2012/11/14
IMC12@Boston
1
Outline
• Introduction
– Prefix Hijacking
– Existing Detection Methods
• Argus
– Key Observation & Algorithm
– System Architecture & Implementation
• Internet Monitoring Practice
– Evaluation
– Statistics
– Case Studies
• Conclusion
2012/11/14
IMC12@Boston
2
Outline
• Introduction
– Prefix Hijacking
– Existing Detection Methods
• Argus
– Key Observation & Algorithm
– System Architecture & Implementation
• Internet Monitoring Practice
– Evaluation
– Statistics
– Case Studies
• Conclusion
2012/11/14
IMC12@Boston
3
Inter-domain Routing
<7>
<1 7>
8
Internet
5
6
2
3
<…>
AS-path of f
BGP UPDATE
2012/11/14
7
1
4
f
IMC12@Boston
4
Prefix Hijacking
f
<1 7>
4
<8>
8
Internet
5
6
BGP UPDATE
2012/11/14
7
1
2
3
<… >
Hijacking UPDATE AS-path of f
IMC12@Boston
5
Black-holing Hijackings
• Packets dropped by the attacker
• Also cased by unintentional mis-configurations
– 2010, China Tele. hijacked 15% of Internet
– 2008, Pakistan Tele. hijacked Youtube for 2 hours
• Other types such as imposture/interception
– Harder to detect
– E2E mechanisms, i.e., IPsec, HTTPS
2012/11/14
IMC12@Boston
6
Outline
• Introduction
– Prefix Hijacking
– Existing Detection Methods
• Argus
– Key Observation & Algorithm
– System Architecture & Implementation
• Internet Monitoring Practice
– Evaluation
– Statistics
– Case Studies
• Conclusion
2012/11/14
IMC12@Boston
7
Challenges of Hijacking Detection
Hijacking can pollute a
large number of ASes
in several seconds!
Real system
or service
easy to
deploy
Robust channel to
notify the attacker
2012/11/14
Multi-homing, TE,
high
BGP anycast, Backup links,
accuracy
Route failure, Policy change
short
delay
high
scalability
attacker’s
info
sub-prefix
hijacking
IMC12@Boston
Monitoring the
whole Internet
Sub-prefix hijacking
is more aggressive
8
Existing Control or Data Plane Methods
• Complementary advantages
Short
delay
High
accuracy
Easy to
deploy
Short
delay
High
scalability
Attacker’s
info
Easy to
deploy
– BGPmon.net
2012/11/14
– PHAS, Cyclops
– MyASN
High
scalability
Attacker’s
info
Sub-prefix
hijacking
• Control-plane monitoring
High
accuracy
Sub-prefix
hijacking
• Data-plane probing
IMC12@Boston
– iSPY [SIGCOMM ’08]
– Reference Point
[SIGCOMM ’07]
9
Hybrid: control & data plane
• Hybrid solution [S&P ’07]
– Control-plane driven: monitoring anomalous route
– Data-plane verification: whether it is a hijacking
• Cons.
– Minutes of detection delay
• Traceroute, nmap, IP/TCP timestamp, reflect scan, …
– Hard to deploy
• Planetlab
– BGP anycast
• Lack of correlation between control and data
plane status
2012/11/14
IMC12@Boston
10
Our Approach
Short
delay
Control
plane
Easy to
deploy
Short
delay
Easy to
deploy
High
accuracy
Easy to
deploy
Sub-prefix
hijacking
High
scalability
Attacker’s
info
High
accuracy
Short
delay
High
scalability
Attacker’s
info
2012/11/14
Short
delay
High
scalability
Attacker’s
info
Hybrid
High
accuracy
Easy to
deploy
Sub-prefix
hijacking
IMC12@Boston
Sub-prefix
hijacking
High
accuracy
Argus
Attacker’s
info
Data
plane
High
scalability
Correlation
Sub-prefix
hijacking
11
Outline
• Introduction
– Prefix Hijacking
– Existing Detection Methods
• Argus
– Key Observation & Algorithm
– System Architecture & Implementation
• Internet Monitoring Practice
– Evaluation
– Statistics
– Case Studies
• Conclusion
2012/11/14
IMC12@Boston
12
Key Observations: Relationship
between Control and Data Plane
• Only part of the Internet is polluted
• Distinguishable from other route events
Probe with
reply
Probe without
reply
Normal
AS
Affected
AS
(a) multi-origin,
traffic engineering
(b) route
failure
(c) route
migration
(d)
hijacking
2012/11/14
IMC12@Boston
13
Status Matching
• Eyes of Argus: public route-servers, looking-glasses
– Simple & fast commands: show ip bgp, ping
• Eyej at time t
• Control plane Ctj : not affected by the anomalous route?
• Data plane Dtj : live IP in the corresponding prefix can be reached?
Ct = {Ct,j} = [ 1 , 0 , 1 , 0 , 0 ]
f
Dt = {Dt,j} = [ 1 , 01 , 1 , 0 , 0 ]
eye1
eye4
7
1
Ct,j Dt,j
4
Fingerprint:
eye1: 1 1
N
8
2
eye2: 0 10
[(Ct , j Ct )( Dt , j Dt )]
5
5
eye2
j 1
eye5
eye
:
1
1
F
3
t
3
N
N
2
eye
:
0
0
6
4
(Ct , j Ct ) ( Dt , j Dt )2
eye3
j 1
j 1
eye5: 0 0
2012/11/14
IMC12@Boston
14
Identification of Prefix Hijacking
• Prefix hijacking: Ft1.0, (Ft >= threshold μ)
Reachability Dt
Route
migration
-1
1
TE,
Multi-homing,
Anycast,
…
Route failure,
Firewall,
Inactive host,
…
0
Prefix
hijacking
1
Fingerprint Ft
2012/11/14
IMC12@Boston
15
Type of Anomalies
• AS-path p = <an , … , ai+1 , ai , ai-1 , … , a0>
– OA: Origin Anomaly
• Anomalous origin AS: pa = <a0 , f >
– AA: Adjacency Anomaly
• Anomalous AS pair in AS-path: pa = <aj , aj-1>
– PA: Policy Anomaly
• Anomalous AS triple in AS-path: pa = <aj+1 , aj , aj-1>
2
2
4
〈1〉
〈3〉
3 f
f 1
victim
attacker
OA: Origin Anomaly
2012/11/14
〈1〉
f
1
2
4
〈3,1〉
3
victim
attacker
AA: Adjacency Anomaly
4 〈4,3,2,1〉
〈1〉
〈3,2,1〉
f 1
3
victim
attacker
PA: Policy Anomaly
IMC12@Boston
Normal UPDATE
Hijacking UPDATE
Customer-Provider
Peer-Peer
Normal AS
Polluted AS
16
Outline
• Introduction
– Prefix Hijacking
– Existing Detection Methods
• Argus
– Key Observation & Algorithm
– System Architecture & Implementation
• Internet Monitoring Practice
– Evaluation
– Statistics
– Case Studies
• Conclusion
2012/11/14
IMC12@Boston
17
Architecture of Argus
BGPmon
Anomaly Monitoring Module
Hijacking Identification Module
..
.
Eyes of Argus:
public route-servers &
looking-glasses
live BGP feed
Parse
Stat.
OA / AA / PA
Prefix f, Anomaly pa
show ip bgp
ping
Origin ASes
AS pairs
AS triples
Argus
Live IP
i in f
..
.
Detect
Internet
Fingerprint
daily traceroute
Test
Extract
Identify
Live IP
Candidates
Victim
Prefix f
Hijacking Alarm
CAIDA
iPlane
Live-IP Retrieving Module
2012/11/14
IMC12@Boston
18
System Deployment
• From May 2011, launched >1 years
• Live BGP feed collected from ~130 peers
– BGPmon: http://bgpmon.netsec.colostate.edu/
– 10GB BGP UPDATE /day, 20Mbps peak
• 389 eyes, in 41 transit AS
• Online notification services
– (AS-4847) Mailing list
– (AS-13414, AS-35995) Twitter
– (AS-4538) Website, web service APIs
2012/11/14
IMC12@Boston
19
Outline
• Introduction
– Prefix Hijacking
– Existing Detection Methods
• Argus
– Key Observation & Algorithm
– System Architecture & Implementation
• Internet Monitoring Practice
– Evaluation
– Statistics
– Case Studies
• Conclusion
2012/11/14
IMC12@Boston
20
Argus is Online
• 40k anomalous route events
• 220 stable hijackings
– Duration of Ft>=μ in more than T seconds
– μ: fingerprint threshold of hijacking
– T: duration threshold of stable hijacking
Fingerprint (Ft) distribution of all stable hijackings.
2012/11/14
IMC12@Boston
21
False Positive
• Directly contact network operators (March-April, 2012)
– 10/31 confirmed our hijacking alarms
– No objection
• ROA: Route Origin Authorization
– 266 anomalies with ROA records
– False positive 0%
(μ=0.6, T=10, #eyes=40)
• IRR: Internet Routing Registry
– 3988 anomalies with IRR records
– False positive 0.2%
(μ=0.6, T=10 , #eyes=40)
2012/11/14
IMC12@Boston
22
Delay
• Detection delay
detection delay
– 60% less than 10 seconds
• Identification delay
First
anomalous
UPDATE
– 80% less than 10 seconds
– 50% less than 1 second
2012/11/14
IMC12@Boston
identification delay
time
First
polluted
eye
First
alarm
(Ft ≥ μ)
23
Outline
• Introduction
– Prefix Hijacking
– Existing Detection Methods
• Argus
– Key Observation & Algorithm
– System Architecture & Implementation
• Internet Monitoring Practice
– Evaluation
– Statistics
– Case Studies
• Conclusion
2012/11/14
IMC12@Boston
24
Statistics - Overview
• Adjacency/Policy based hijacking do exists
Total
OA
AA
(origin AS) (Adjacency)
PA
(Policy)
Anomalies
40k
20k
6.7k
13.3k
Hijackings
220
122
71
27
Total # of route anomalies and stable hijackings in one year.
Weekly # of stable hijackings.
2012/11/14
IMC12@Boston
25
Statistics - Hijacking duration
• Stable hijacking duration: live time of
anomalous route
– 20+% hijackings last <10 minutes
– Long hijackings also exist
2012/11/14
IMC12@Boston
26
Statistics - Prefix length
• Stable hijackings with most specific prefix
– 91% hijacked prefixes are most specific
– 100% hijacked prefixes with length <= 18 are most specific
• 10% stable hijackings are sub-prefix hijacking
2012/11/14
IMC12@Boston
27
Statistics - Pollution scale
• 20% stable hijackings could pollute 80+
transit ASes
2012/11/14
IMC12@Boston
28
Statistics - Pollution speed
• 20+ transit ASes are polluted in 2 minutes
• For hijackings polluted 80+ transit ASes
– 50% Internet are polluted within 20 seconds
– 90% Internet are polluted within 2 minutes
2012/11/14
IMC12@Boston
29
Outline
• Introduction
– Prefix Hijacking
– Existing Detection Methods
• Argus
– Key Observation & Algorithm
– System Architecture & Implementation
• Internet Monitoring Practice
– Evaluation
– Statistics
– Case Studies
• Conclusion
2012/11/14
IMC12@Boston
30
Case Studies
• OA hijackings (confirmed by email)
–
–
–
–
Missing route filters
Network maintenance misplay
Premature migration attempt
Sub-prefix hijacking
• AA hijackings (confirmed by email)
– Mis-configuration in TE
– AS-path poisoning experiment
• PA hijackings (verified in IRR)
– Import policy violation
– Export policy violation
2012/11/14
IMC12@Boston
31
OA Hijackings
Time
Prefix
Normal Origin
Anomalous Origin
Duration
Delay
Nov. 27, 2011
166.111.32.0/24, …
AS-4538
CERNET, CN
AS-23910
CERNET-2, CN
10+ sec
10 sec
Mar. 20, 2012
193.105.17.0/24
AS-50407
Douglas, DE
AS-15763
DOKOM, DE
12 min
5 sec
• Missing route filters
• Network
maintenance misplay
2012/11/14
IMC12@Boston
32
OA Hijackings
Time
Prefix
Normal Origin
Anomalous Origin
Duration
Delay
Apr. 04, 2012
91.217.242.0/24
AS-197279
WizjaNet, PL
AS-48559
Infomex, PL
17 min
9
Mar. 22, 2012
12.231.155.0/24
(in 12.128.0.0/9)
AS-7018
AT&T, US
AS-13490
Buckeye, US
16 min
7
• Premature
migration attempt
• Sub-prefix hijacking
2012/11/14
IMC12@Boston
33
AA Hijackings
Time
Prefix
AS-path
Delay
Apr. 12, 2012
210.1.38.0/24
<3043 174 38082 38794 24465>
12
Mar. 31, 2012
184.464.255.0/24
<4739 6939 2381 47065 19782 47065>
4
• Mis-configuration in TE
– AS-38794 (BB-Broadband, TH) is a new provider
of AS-24465 (Kasikorn, TH)
• AS-path poisoning experiment [SIGCOMM ’12]
– BBN announces loop AS-paths <47065, x, 47065>
for experimental purpose
2012/11/14
IMC12@Boston
34
PA Hijackings
Time
Prefix
AS-path
Delay
Apr. 19, 2012
77.223.240.0/22
<4739 24709 25388 21021 12741 47728>
9
Apr. 16, 2012
195.10.205.0/24
<3043 174 20764 31484 3267 3216 35813>
5
• Import policy violation
IRR info. of
AS-21021
(Multimedia, PL) :
• Export policy violation
IRR info. of
AS-31484
(OOO Direct Tele., RU):
2012/11/14
IMC12@Boston
35
Non-hijacking Anomalies
• TE using BGP anycast
– 193.0.16.0/24 (DNS root-k)
suddenly originated
by AS-197000 (RIPE)
– Ft0, Dt = 1
• TE with backup links
– AS-12476 (Aster, PL)
announced prefix to a new
provider AS-6453 (Tata, CA)
– Ft0, Dt = 1
• Route migration
– Prefix owmer changed from
AS-12653 (KB Impuls, GR) to
AS-7700 (Singapore Tele)
– Ft-1
2012/11/14
IMC12@Boston
36
Outline
• Introduction
– Prefix Hijacking
– Existing Detection Methods
• Argus
– Key Observation & Algorithm
– System Architecture & Implementation
• Internet Monitoring Practice
– Evaluation
– Statistics
– Case Studies
• Conclusion
2012/11/14
IMC12@Boston
37
Conclusion of Our Contributions
•
•
80% delay <10 seconds
20% stable hijackings last <10
minutes, some can pollute
90% Internet in <2 minutes
•
•
show ip bgp, ping
Public available
external resources
•
•
Live BGP feed from BGPmon
Victims can be noticed
through several channels
Easy to
deploy
Short
delay
High
accuracy
Arugs
Attacker’s
info
•
•
OA, AA, PA anomalies
ROA, IRR, email confirmation
High
scalability
Sub-prefix
hijacking
•
•
•
Anomaly driven
probing
Monitoring the whole
Internet
10% stable hijackings are
sub-prefix hijacking
One year’s Internet detection practice.
2012/11/14
IMC12@Boston
38
"Now Argus had a hundred eyes in his head,
and never went to sleep with more than
two at a time, so he kept watch of Io
constantly.“
-- Thomas Bulfinch, The Age of Fable (Philadelphia: Henry
altemus Company, 1897) 39
2012/11/14
IMC12@Boston
39
clip produced by the Florida Center for Instructional Technology, College of Education, University of South Florida
Thanks!
Q&A
•
•
•
•
•
Algorithm for realtime & accurate hijacking detection
Online system that monitoring the whole Internet
Online services for network operators / researchers
One year Internet wide hijacking detection practice
Root cause analysis of hijackings and anomalies
tli.tl/argus
2012/11/14
IMC12@Boston
twitter.com/sharangxy
40
Backups
2012/11/14
IMC12@Boston
41
We focus on black-hole hijackings
• Mis-configuration typically cause black-holing
– 2010, China Tele. hijacked 15% of Internet
– 2008, Pakistan Tele. hijacked Youtube for two hours
• ISP is trustworthy, malicious attack is relatively rare
• Perfect imposture/interception is difficult
– Mimic all behaviors, forward all the traffic
• Detect interception is hard, any AS is a MITM
• E2E mechanism is more effective in preventing
imposture/interception
2012/11/14
IMC12@Boston
42
Anomaly Monitoring Module
• Live BGP feed, colltected from ~130 peers
– BGPmon: http://bgpmon.netsec.colostate.edu/
• 10GB BGP UPDATE /day, 20Mbps peak
– 4-stage pipeline processing
– Parallel UPDATE parser
– Mem-cached DB read, batch write
Parser
..
.
Recv.
UPDATE
Pool
Parser
Clean
& Sort
Stat.
OA / AA
/ PA
Parser
Origin ASes
AS pairs
AS triples
2012/11/14
Prefix f
Anomaly pa
UPDATE(f, p)
Queue
…
Live
BGP
feed
XML-UPDATE
Queue
…
BGPmon
IMC12@Boston
Origin
ASes
AS pairs
AS triples
43
Live-IP Retrieving Module
• Live-IP candidates in prefix f
– Traceroute results, DNS records
– Possible gateways
• The first/last IP in every sub-prefix
• 512-parallel checking, find a live target in <1 second
HE
DNS
records
Check
2012/11/14
Daily
traceroute
Live IP
Candidates
IMC12@Boston
Check
…
CAIDA
iPlane
…
Extract &
Guess
Test
Live IP
i in f
Check
44
Hijacking Identification Module
• Distinguish hijacking from other route events
– Acquire Ct and Dt
– Calculate Ft
– Last for W=120 seconds
for every anomaly
Eyes of Argus
public route-servers
& looking-glasses
Prefix f
Anomaly pa
Live IP
i in f
show ip bgp
ping
Detect
• N=389 eyes, in 41 transit AS
..
.
Internet
Fingerprint
Identify
• Online services
– (AS-4847) Mailing list
– (AS-13414, AS-35995) Twitter
– (AS-4538) Website, web service APIs
2012/11/14
IMC12@Boston
Hijacking Alarm
Victim
Prefix f
45