Network Reachability-based IP Prefix Hijacking Detection - PhD Thesis Defense -
Transcript of Network Reachability-based IP Prefix Hijacking Detection - PhD Thesis Defense -
Seongcheol Hong, POSTECH PhD Thesis Defense 1/30
Network Reachability-based IP Prefix Hijacking Detection
- PhD Thesis Defense -
Seongcheol Hong
Supervisor: Prof. James Won-Ki Hong
December 16, 2011
Distributed Processing & Network Management Lab., Dept. of Computer Science and Engineering
POSTECH, Korea
Presentation Outline
Introduction
Related Work
Research Approach
Reachability Based Hijacking Detection (RBHD)
Evaluation and Results
Conclusions
Introduction
Routing protocols communicate reachability information and perform path selection.
BGP is the Internet's de facto inter-domain routing protocol.
[Figure: AS 2 originates a prefix (1.2.0.0/16 in the routing-table excerpts) and advertises it over eBGP; AS 1 installs it with AS path "2" and re-advertises it with AS path "1 2". iBGP carries the route inside an AS, eBGP between ASes.]
Introduction
What is IP prefix hijacking?
Stealing IP addresses belonging to other networks
It can occur on purpose or by mistake
Serious threat to the robustness and security of the Internet routing system
IP prefix hijacking incidents: AS 7007 incident, YouTube hijacking, Chinese ISP hijacking
IP prefix hijacking attack types: NLRI falsification (the attacker itself originates a prefix belonging to the victim) and AS path falsification (the attacker keeps the legitimate origin AS at the end of the path but forges the path leading to it)
[Figure: AS 1 (victim) originates 1.2.0.0/16; AS 2 learns it with path "1" and passes it on as "2, 1". AS 5 (attacker) announces the same prefix, so its neighbours see 1.2.0.0/16 with path "5".]
Research Motivation
IP prefix hijacking is a crucial problem in Internet security.
A number of efforts have been introduced: security-enabled BGP protocols and hijacking detection methods.
Every existing BGP security solution has limitations: security-enabled BGP protocols are impractical to deploy, and hijacking detection methods cannot detect every type of IP prefix hijacking threat.
We need a novel approach which is practical and covers all types of IP prefix hijacking attacks.
Research Goals
Target approach: security-enabled BGP protocol / IP prefix hijacking detection method
Developing a new approach which is practical and detects all types of IP prefix hijacking
The IP hijacking detection system does not require the cooperation of ASes and does not have to be located at a specific monitoring point
The proposed approach should be validated in simulated environments using real network data
Related Work
Security-enabled BGP protocol
BGP Session Protection
• Protecting the underlying TCP session and implementing BGP session defenses
• Does not verify the content of BGP messages
Defensive Filtering
• Filters announcements which are bad and potentially malicious
• It is difficult for an ISP to identify invalid routes originated several AS hops away
Cryptographic Techniques
• Rely on a shared key between two parties
• Public Key Infrastructure (PKI) requires many resources
Routing Registries
• Shared, global view of 'correct' routing information
• The registry itself must be secure, complete and accurate
Related Work
Existing IP hijacking detection methods
Detection approach
• Victim-centric
• Infrastructure-based
• Peer-centric
Type of used data
• Routing information (control-plane)
• Data probing (data-plane)
Attack type
• NLRI falsification
• AS path falsification
Related Work
Comparison among IP hijacking detection methods
Columns: Detection approach (Victim-centric, Infrastructure-based, Peer-centric); Type of used data (Routing information, Data probing); Attack type (NLRI falsification, AS path falsification)
Topology: O O O O
PHAS: O O O
Distance: O O O
Real-time Monitoring: O O O O O O
pgBGP: O O O
iSPY: O O O
Strobelight: O O O
Reachability (Proposed): O O O O O
Research Approach
IP prefix hijacking detection based on network reachability
[Figure: AS 1 (victim) originates 1.2.0.0/16 and AS 2 forwards it with path "2 1"; AS 5 (attacker) announces 1.2.0.0/16 with path "5". The monitor sees multiple origin ASes for the prefix and runs a reachability test: did a probe sent towards 1.2.0.0/16 reach the intended network? If not, this update is an IP hijacking case.]
Reachability-Based Hijacking Detection (RBHD)
Network Reachability Examination
IP prefix hijacking is an attack which influences network reachability.
We have developed network fingerprinting techniques for network reachability examination.
Network fingerprinting is the active or passive collection of characteristics from a target network (at AS level).
A network fingerprint should be unique enough to distinguish a certain network.
[Figure: networks A and B with Fingerprint_A and Fingerprint_B; A = B if and only if Fingerprint_A = Fingerprint_B.]
Network Fingerprinting
What can uniquely characterize a network?
IP prefix information; number of running servers in the network; a static live host or device in the network (e.g., IDS or IPS); firewall policy; geographical location of the network; etc.
We have selected static live host information and firewall policy as network fingerprints, because they do not change frequently.
Static live host: web server, mail server, DNS server, IPS device, etc.
Firewall policy: allowed port numbers or IP addresses
Static Live Host
Requirements of live hosts:
Operated in most ASes
Easy to obtain IP addresses
Always provide services for its AS
Allow external connections and respond to active probing
A DNS server satisfies all of these requirements:
Provides a conversion service between domain names and IP addresses
Part of the core infrastructure of the Internet
Always provides service and allows external connections from any host
DNS Server List Collection
BGP-RIB of RouteViews: 'RouteViews' collects global routing information; the RIB consists of IP prefixes and AS paths.
DNS server collection process:
1. Perform a reverse DNS lookup on an address in the prefix and obtain, from the Authority Section of the response, the name of the server with authority over that IP prefix.
2. Perform a DNS lookup on the authority server name and obtain the IP address(es) of the DNS server.
3. Repeat steps 1 and 2 over all IP prefixes in the BGP-RIB.
DNS Server Fingerprinting
The host fingerprint of the DNS server is used as the network fingerprint.
DNS server fingerprinting uses DNS protocol information (implementation, ...), DNS domain name information (AA flag, ...) and DNS server configuration information (DNSSEC, ...).
[Figure: DNS host fingerprint = DNS protocol information + DNS domain name information + DNS server configuration.]
Firewall Policy as Alternative Fingerprint
DNS host fingerprints are not sufficient for reachability monitoring of all ASes in the Internet: there are ASes in which no DNS server is found (such as an IX).
Suitability of firewall policies as network fingerprints: the number of possible combinations is huge (protocol, port number, IP address, direction, permission).
E.g.) ACCEPT TCP from anywhere to 224.0.0.251 TCP Port:80
      REJECT ICMP from anywhere to anywhere ICMP unreachable
Firewall policy fingerprinting is performed by active probing: probing packets are sent towards the target network and the responses (or their absence) are recorded.
Reachability-Based Hijacking Detection (RBHD)
Detection flow for a BGP update:
1. Identification of NLRI falsification: does the update name a new origin AS for the prefix?
   Yes: is there an available DNS server in the target network?
        Yes: collect DNS host fingerprints. Do they match the existing fingerprints? Yes: valid update. No: invalid update.
        No: collect firewall policy fingerprints. Do they match the existing fingerprints? Yes: valid update. No: invalid update.
   No: continue with step 2.
2. Identification of AS path falsification: does the update carry a suspicious AS path?
   Yes: collect firewall policy fingerprints. Do they match the existing fingerprints? Yes: valid update. No: invalid update.
   No: valid update.
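The detection flow of slides 10 and 18 as a worked example in Python. This is an added illustration, not the thesis's implementation: the two active probers are injected callables fed by a constructed scenario (in a deployment they would fingerprint the DNS server or firewall policy of whatever network the current route actually delivers packets to), and the AS path falsification test, which flags an AS adjacency never seen in an earlier valid update, is an assumption of this example because the slide does not say how that decision is made.

```python
"""Reachability-Based Hijacking Detection (RBHD) decision flow, worked example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

Fingerprint = Tuple[str, ...]   # ordered fingerprint fields, compared exactly


@dataclass
class RBHD:
    # Reference fingerprints recorded while each prefix was known to be reachable.
    dns_fingerprints: Dict[str, Fingerprint]
    firewall_fingerprints: Dict[str, Fingerprint]
    # Active probers (stubs in this example): prefix -> fingerprint of the network
    # the current route reaches; probe_dns returns None when no DNS server answers.
    probe_dns: Callable[[str], Optional[Fingerprint]]
    probe_firewall: Callable[[str], Fingerprint]
    origins: Dict[str, Set[int]] = field(default_factory=dict)
    links: Set[FrozenSet[int]] = field(default_factory=set)

    @staticmethod
    def adjacencies(as_path: List[int]) -> List[FrozenSet[int]]:
        """AS-level links on the path, ignoring prepending (repeated ASNs)."""
        return [frozenset((a, b)) for a, b in zip(as_path, as_path[1:]) if a != b]

    def learn(self, prefix: str, as_path: List[int]) -> None:
        """Record origin AS and adjacencies of an update accepted as valid."""
        self.origins.setdefault(prefix, set()).add(as_path[-1])
        self.links.update(self.adjacencies(as_path))

    def nlri_falsification(self, prefix: str, as_path: List[int]) -> bool:
        """Multiple-origin-AS check: the update names an origin not seen before."""
        known = self.origins.get(prefix)
        return bool(known) and as_path[-1] not in known

    def as_path_falsification(self, as_path: List[int]) -> bool:
        """Assumption of this example: a path is suspicious when it carries an
        AS adjacency that no earlier valid update has shown."""
        return any(link not in self.links for link in self.adjacencies(as_path))

    def _fingerprint_check(self, prefix: str, kind: str) -> str:
        if kind == "dns":
            match = self.probe_dns(prefix) == self.dns_fingerprints.get(prefix)
        else:
            match = self.probe_firewall(prefix) == self.firewall_fingerprints.get(prefix)
        return "valid" if match else "invalid"

    def check_update(self, prefix: str, as_path: List[int]) -> str:
        """Classify one BGP update as 'valid' or 'invalid' following the slide's flow."""
        if self.nlri_falsification(prefix, as_path):
            # Use the DNS host fingerprint when the target network has a DNS server.
            kind = "dns" if prefix in self.dns_fingerprints else "firewall"
            verdict = self._fingerprint_check(prefix, kind)
        elif self.as_path_falsification(as_path):
            verdict = self._fingerprint_check(prefix, "firewall")
        else:
            verdict = "valid"
        if verdict == "valid":
            self.learn(prefix, as_path)
        return verdict


# Constructed scenario: 1.2.0.0/16 belongs to AS 1 (victim); AS 5 is the attacker.
VICTIM_DNS = ("BIND", "AA=1", "DNSSEC=yes")
ATTACKER_DNS = ("Unbound", "AA=0", "DNSSEC=no")
VICTIM_FW = ("icmp:accept", "tcp/22:deny", "tcp/80:accept")
ATTACKER_FW = ("icmp:deny", "tcp/22:accept", "tcp/80:accept")


def run_scenario() -> List[str]:
    # 'wire' says which network probes towards the prefix currently land in;
    # a successful hijack redirects them to the attacker's network.
    wire = {"1.2.0.0/16": "victim"}
    dns_by_net = {"victim": VICTIM_DNS, "attacker": ATTACKER_DNS}
    fw_by_net = {"victim": VICTIM_FW, "attacker": ATTACKER_FW}
    det = RBHD(
        dns_fingerprints={"1.2.0.0/16": VICTIM_DNS},
        firewall_fingerprints={"1.2.0.0/16": VICTIM_FW},
        probe_dns=lambda p: dns_by_net[wire[p]],
        probe_firewall=lambda p: fw_by_net[wire[p]],
    )
    det.learn("1.2.0.0/16", [2, 1])   # baseline: AS 1 originates, AS 2 forwards
    verdicts = []
    verdicts.append(det.check_update("1.2.0.0/16", [3, 2, 1]))  # new neighbour AS 3, traffic still reaches victim
    wire["1.2.0.0/16"] = "attacker"
    verdicts.append(det.check_update("1.2.0.0/16", [4, 5]))     # NLRI falsification: AS 5 originates the prefix
    wire["1.2.0.0/16"] = "victim"
    verdicts.append(det.check_update("1.2.0.0/16", [6, 7]))     # legitimate MOAS: fingerprints still match
    wire["1.2.0.0/16"] = "attacker"
    verdicts.append(det.check_update("1.2.0.0/16", [5, 1]))     # AS path falsification: forged link 5-1, real origin kept
    return verdicts


if __name__ == "__main__":
    print(run_scenario())
```

The third update shows why the reachability test matters: a second origin AS alone is not proof of hijacking (multi-homing produces the same MOAS signal), so the verdict rests on whether the probed fingerprint still matches the one recorded for the victim.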
Evaluation and Results
DNS Server Collection Result
Current state of DNS server operation: 304,106 IP prefixes (8,414,294 /24 prefixes) in the BGP-RIB; information on 77,530 DNS servers was obtained using DNS forward/reverse queries to the /24 prefixes.
[Figure: the number of IP prefixes owned by each AS]
Host Fingerprint Groups
[Figure: the number of distinguishable DNS server fingerprints]
The total number of distinguishable fingerprints is 73,781 (out of 77,530 DNS servers in total).
Uniqueness of Fingerprints
N: the total number of collected DNS servers
G: the total number of mutually exclusive fingerprints
For each group, n_i is defined as the number of DNS servers that belong to the i-th fingerprint group N_i
The collision probability P_C:
In our result, N is 77,530 and G is 73,781; P_C in our experiment is 2.69 x 10^-6.
We conclude that our proposed host fingerprinting method provides a sufficient level of distinction.
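How the uniqueness numbers above are obtained from a set of collected fingerprints, as an added Python example (not the thesis's code). The exact P_C formula does not survive in the transcript, so the example uses the standard pairwise definition, the probability that two distinct, randomly chosen servers share a fingerprint, which is an assumption of this example; reproducing the reported 2.69 x 10^-6 would require the per-group sizes n_i, which are not on the page. The fingerprint fields and sample servers are constructed.

```python
"""Fingerprint grouping and collision probability, worked example."""
from collections import Counter
from typing import Dict, Hashable, Iterable, Tuple


def host_fingerprint(protocol: str, domain: str, config: str) -> Tuple[str, str, str]:
    """A DNS host fingerprint in the structure of slide 16: protocol information,
    domain-name information, server configuration (values are constructed)."""
    return (protocol, domain, config)


def group_stats(fingerprints: Iterable[Hashable]) -> Tuple[int, int, Dict[Hashable, int]]:
    """Return N (servers), G (mutually exclusive fingerprints) and the group sizes n_i."""
    counts = Counter(fingerprints)
    return sum(counts.values()), len(counts), dict(counts)


def collision_probability(fingerprints: Iterable[Hashable]) -> float:
    """Pairwise collision probability (assumption of this example):
    sum_i n_i (n_i - 1) / (N (N - 1))."""
    n, _, groups = group_stats(fingerprints)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in groups.values()) / (n * (n - 1))


SAMPLE = [  # constructed: five servers, two of them indistinguishable
    host_fingerprint("BIND 9", "AA=1", "DNSSEC=yes"),
    host_fingerprint("BIND 9", "AA=1", "DNSSEC=yes"),
    host_fingerprint("Unbound", "AA=0", "DNSSEC=no"),
    host_fingerprint("PowerDNS", "AA=1", "DNSSEC=no"),
    host_fingerprint("BIND 9", "AA=1", "DNSSEC=no"),
]

if __name__ == "__main__":
    n, g, _ = group_stats(SAMPLE)
    print(f"N={n} G={g} P_C={collision_probability(SAMPLE):.3f}")
```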
Firewall Policy Examples
Differences of Firewall Policies
[Figure: inferred firewall policies of Network A, Network B, Network C and Network D]
IP Prefix Hijacking Testbed
Two networks are randomly selected (the IP addresses in this slide are anonymized).
Testbed steps: collect AS A's fingerprints; translate the IP address (e.g., 192.168.1.0 => 192.168.31.0); inject the false announcement; collect the current fingerprints.
Conclusions
1. Summary  2. Contributions  3. Future Work
Summary
We proposed a new approach that practically detects IP prefix hijacking based on network reachability monitoring.
We used a fingerprinting scheme in order to determine the network reachability of a specific network.
We proposed DNS host and firewall policy fingerprinting methods for network reachability monitoring.
We validated the effectiveness of the proposed method in the IP hijacking testbed.
Contributions
The problems of existing IP prefix hijacking detection techniques are addressed.
The absence of detection techniques which deal with all IP prefix hijacking cases led to the development of new methodologies which are suitable for the current Internet.
Our approach provides a practical network fingerprinting method for the reachability test of all ASes: DNS host fingerprinting and firewall policy fingerprinting.
Novel, real-time IP prefix hijacking detection methods are described and validated with real network data.
Future Work
Enhancement of our DNS server finding and fingerprinting method
Optimization of inferring firewall policies with a small number of probing packets
Analyzing the performance and feasibility of our fingerprinting approach on the Internet
Applying our hijacking detection system to a real research network
Q & A
PhD Thesis Defense, Seongcheol Hong, December 16, 2011
Appendix
IP Prefix Hijacking Incidents
AS7007 incident (April 25, 1997): caused by a misconfigured router that flooded the Internet with incorrect advertisements
YouTube hijacking (February 24, 2008): Pakistan's attempt to block YouTube access within the country took down YouTube entirely
Chinese ISP hijacks the Internet (April 8, 2010): China Telecom originated 37,000 prefixes not belonging to it
Solution Approach
Research Hypothesis: an independent system can perform real-time IP prefix hijacking detection using network reachability monitoring without any changes to the existing Internet infrastructure.
Legitimate Case
[Figure: AS 1 originates 1.2.0.0/16 and AS 2 forwards it with path "2 1"; AS 5, connected to the victim's network by a static link, also announces 1.2.0.0/16 with path "5". The monitor sees multiple origin ASes, but the reachability test reaches the intended network, so this update is valid.]
Common Legitimate Cases
Reference: Xin Hu and Z. Morley Mao, "Accurate Real-time Identification of IP Prefix Hijacking" (IEEE Symposium on Security and Privacy, 2007)
DNS Server Collection Process
Start: get IP prefix and AS path information from the BGP-RIB at RouteViews.
For each IP prefix:
1. Do a reverse query about an IP address in the IP prefix to the local DNS server.
2. If no query result exists, do the reverse query to a global DNS server.
3. If still no query result exists, print 'no DNS server in the IP prefix'.
4. Otherwise, if no Authority Section exists in the result, print 'no DNS server in the IP prefix'.
5. Otherwise, do a forward query about the server name in the Authority Section, get the domain name and IP address of the DNS server, and print 'DNS server information in the IP prefix'.
More IP prefixes? Yes: continue with the next prefix. No: End.
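The collection procedure of slide 15 and the flowchart above, as an added Python example (not the thesis's code). A resolver here is a callable (qname, qtype) returning the answer and authority sections or None; real use would wrap a DNS library and read the RIB from RouteViews, whereas the two lookup tables and the RIB excerpt below are constructed so the example runs offline. One caveat worth keeping in mind when using the result as a "DNS server in the prefix": the name servers in the Authority Section of a PTR response are authoritative for the reverse zone, which is often delegated to an upstream provider, so the server found may sit outside the prefix itself.

```python
"""DNS server list collection over a BGP RIB, worked example."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Answer = Optional[Dict[str, List[str]]]          # {"answer": [...], "authority": [...]} or None
Resolver = Callable[[str, str], Answer]           # (qname, qtype) -> Answer

# Constructed stand-ins for a local recursive resolver and a "global" fallback.
LOCAL_TABLE: Dict[Tuple[str, str], Dict[str, List[str]]] = {
    ("1.0.2.1.in-addr.arpa.", "PTR"): {"answer": ["www.example-isp.net."],
                                       "authority": ["ns1.example-isp.net."]},
    ("ns1.example-isp.net.", "A"): {"answer": ["1.2.0.53"], "authority": []},
}
GLOBAL_TABLE = dict(LOCAL_TABLE)
GLOBAL_TABLE.update({
    # known only to the global resolver: exercises the fallback branch (step 2)
    ("1.0.3.5.in-addr.arpa.", "PTR"): {"answer": ["gw.other-as.example."],
                                       "authority": ["ns.other-as.example."]},
    ("ns.other-as.example.", "A"): {"answer": ["5.3.0.10"], "authority": []},
    # PTR answer without an Authority Section: no usable DNS server (step 4)
    ("1.0.4.9.in-addr.arpa.", "PTR"): {"answer": ["x.example.com."], "authority": []},
})


def table_resolver(table: Dict[Tuple[str, str], Dict[str, List[str]]]) -> Resolver:
    return lambda qname, qtype: table.get((qname, qtype))


def reverse_name(ip: str) -> str:
    """1.2.0.1 -> '1.0.2.1.in-addr.arpa.' (absolute reverse name)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def find_dns_servers(prefix: str, local: Resolver, global_: Resolver) -> Optional[List[Tuple[str, str]]]:
    """Steps 1-5 for one prefix: reverse query (local, then global), take the
    servers named in the Authority Section, forward-resolve each to an address."""
    net = ipaddress.ip_network(prefix)
    qname = reverse_name(str(net.network_address + 1))   # first host address in the prefix
    result = local(qname, "PTR") or global_(qname, "PTR")
    if not result or not result["authority"]:
        return None                                      # 'no DNS server in the IP prefix'
    servers = []
    for ns in result["authority"]:
        fwd = local(ns, "A") or global_(ns, "A")
        if fwd and fwd["answer"]:
            servers.append((ns, fwd["answer"][0]))
    return servers or None


def collect(rib: List[Tuple[str, str]], local: Resolver, global_: Resolver) -> Dict[str, Optional[List[Tuple[str, str]]]]:
    """Repeat over every (prefix, AS path) entry of the RIB."""
    return {prefix: find_dns_servers(prefix, local, global_) for prefix, _as_path in rib}


RIB = [  # constructed RIB excerpt: (prefix, AS path)
    ("1.2.0.0/16", "2 1"), ("5.3.0.0/16", "5"), ("9.4.0.0/24", "7 4"), ("10.8.0.0/16", "9"),
]

if __name__ == "__main__":
    found = collect(RIB, table_resolver(LOCAL_TABLE), table_resolver(GLOBAL_TABLE))
    for prefix, servers in found.items():
        print(prefix, servers if servers else "no DNS server in the IP prefix")
```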
Distinguishable Groups of Each Fingerprint
[Figures: DNS protocol information; DNS domain name information; DNS server configuration]
DNS Server Fingerprint
[Figures: DNS server fingerprinting process; structure of the DNS server fingerprint]
DNS Server Fingerprint Examples
The Use of a Sweep Line for Firewall Policy Inference
[Figure: example of the sweep line algorithm on a 2-dimensional space]
Inferring the Firewall Policy (probes with TTL = router + 1)

Protocol | Response packet              | Permission
ICMP     | echo reply                   | accept
ICMP     | (no response)                | deny
TCP      | ICMP Time Exceeded           | accept
TCP      | ICMP Destination Unreachable | deny
TCP      | (no response)                | deny
UDP      | (no response)                | accept
UDP      | ICMP Destination Unreachable | deny

Probing packets:
Protocol | Destination IP  | Destination Port | Option | TTL
ICMP     | 192.168.10.0/24 | -                | echo   | router + 1
TCP      | 192.168.10.0/24 | 1:1023           | SYN    | router + 1
UDP      | 192.168.10.0/24 | 1:1023           | -      | router + 1
Inferring the Firewall Policy (probes with TTL = 255)

Protocol | Response packet              | Permission
ICMP     | echo reply                   | accept
ICMP     | (no response)                | deny
TCP      | SYN/ACK                      | accept
TCP      | RST/ACK                      | accept
TCP      | RST                          | accept
TCP      | ICMP Destination Unreachable | deny
TCP      | (no response)                | deny
UDP      | (no response)                | accept
UDP      | ICMP Destination Unreachable | deny

Probing packets:
Protocol | Destination IP  | Destination Port | Option | TTL
ICMP     | 192.168.10.0/24 | -                | echo   | 255
TCP      | 192.168.10.0/24 | 1:1023           | SYN    | 255
UDP      | 192.168.10.0/24 | 1:1023           | -      | 255
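Firewall policy fingerprinting by active probing (slide 17) using the two response tables above, as an added Python example (not the thesis's code). The response-to-permission mapping is transcribed from the tables; the probe responses for "Network A" and "Network B" are constructed, not captured traffic, and the compact range form of the fingerprint is this example's choice of representation. The probing itself (crafting packets with a chosen TTL) is out of scope here and would need raw-socket tooling.

```python
"""Firewall policy inference from probe responses, and fingerprint comparison."""
from typing import Dict, List, Optional, Tuple

# (probe mode, protocol) -> {response packet: permission}; None means no response.
# "router+1": the TTL expires one hop past the border router, so a TCP probe that
# passed the filter dies with ICMP Time Exceeded. "host": TTL 255, the probe
# reaches the destination host and TCP answers with SYN/ACK, RST/ACK or RST.
RULES: Dict[Tuple[str, str], Dict[Optional[str], str]] = {
    ("router+1", "ICMP"): {"echo reply": "accept", None: "deny"},
    ("router+1", "TCP"): {"ICMP Time Exceeded": "accept",
                          "ICMP Destination Unreachable": "deny", None: "deny"},
    ("router+1", "UDP"): {None: "accept", "ICMP Destination Unreachable": "deny"},
    ("host", "ICMP"): {"echo reply": "accept", None: "deny"},
    ("host", "TCP"): {"SYN/ACK": "accept", "RST/ACK": "accept", "RST": "accept",
                      "ICMP Destination Unreachable": "deny", None: "deny"},
    ("host", "UDP"): {None: "accept", "ICMP Destination Unreachable": "deny"},
}

Observation = Tuple[str, Optional[int], Optional[str]]   # (protocol, dst port, response)
PolicyFingerprint = Tuple[str, Tuple[Tuple[int, int], ...], Tuple[Tuple[int, int], ...]]


def infer_permission(mode: str, protocol: str, response: Optional[str]) -> str:
    """Map one probe's response to accept/deny per the tables."""
    table = RULES[(mode, protocol)]
    if response not in table:
        raise ValueError(f"unexpected {protocol} response {response!r} in mode {mode}")
    return table[response]


def port_ranges(ports: List[int]) -> Tuple[Tuple[int, int], ...]:
    """Collapse accepted ports into contiguous (low, high) ranges."""
    ranges: List[Tuple[int, int]] = []
    for p in sorted(set(ports)):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return tuple(ranges)


def policy_fingerprint(mode: str, observations: List[Observation]) -> PolicyFingerprint:
    """(ICMP permission, accepted TCP port ranges, accepted UDP port ranges)."""
    icmp = "deny"
    accepted: Dict[str, List[int]] = {"TCP": [], "UDP": []}
    for proto, port, response in observations:
        perm = infer_permission(mode, proto, response)
        if proto == "ICMP":
            icmp = perm
        elif perm == "accept" and port is not None:
            accepted[proto].append(port)
    return (icmp, port_ranges(accepted["TCP"]), port_ranges(accepted["UDP"]))


def same_network(reference: PolicyFingerprint, current: PolicyFingerprint) -> bool:
    """Reachability test: does the probed network match the recorded fingerprint?"""
    return reference == current


NETWORK_A: List[Observation] = [   # constructed responses, probe mode "host"
    ("ICMP", None, "echo reply"),
    ("TCP", 22, "SYN/ACK"), ("TCP", 23, "RST"), ("TCP", 25, None),
    ("TCP", 80, "SYN/ACK"), ("TCP", 443, "SYN/ACK"),
    ("TCP", 8080, "ICMP Destination Unreachable"),
    ("UDP", 53, None), ("UDP", 123, "ICMP Destination Unreachable"),
]
NETWORK_B: List[Observation] = [   # constructed: a different policy behind the same prefix
    ("ICMP", None, None),
    ("TCP", 22, "ICMP Destination Unreachable"), ("TCP", 80, "SYN/ACK"),
    ("TCP", 443, "SYN/ACK"), ("UDP", 53, None),
]

if __name__ == "__main__":
    fp_a = policy_fingerprint("host", NETWORK_A)
    fp_b = policy_fingerprint("host", NETWORK_B)
    print(fp_a, fp_b, "same network:", same_network(fp_a, fp_b))
```

Note that silence is read differently per protocol: for TCP it means deny, for UDP it means accept, so a UDP fingerprint alone cannot separate "filtered" from "accepted but no listener" unless the UDP probe is paired with the router+1 mode or another signal.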
Suspicious Update Frequency
During 2 weeks of monitoring from the BGP-RIB:
Anomalous update type | Total number | Average rate (/min)
NLRI                  | 1,234        | 0.12
AS path               | 12,632       | 1.02