
Topology-Based Detection of Anomalous BGP Messages

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2820))

Abstract

The Border Gateway Protocol (BGP) is a fundamental component of the current Internet infrastructure. Because peers implicitly trust one another, control of a BGP router could enable an attacker to redirect traffic, allowing man-in-the-middle attacks, or to launch a large-scale denial of service. It is known that BGP has weaknesses that are fundamental to the protocol design. Many solutions to these weaknesses have been proposed, but most require resource-intensive cryptographic operations and modifications to the existing protocol and router software. For this reason, none of them have been widely adopted. However, the threat necessitates an effective, immediate solution.

We propose a system that is capable of detecting malicious inter-domain routing update messages through passive monitoring of BGP traffic. This approach requires no protocol modifications and utilizes existing monitoring infrastructure. The technique relies on a model of the autonomous system connectivity to verify that route advertisements are consistent with the network topology. By identifying anomalous update messages, we prevent routers from accepting invalid routes. Utilizing data provided by the Route Views project, we demonstrate the ability of our system to distinguish between legitimate and potentially malicious traffic.
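As an added example of the topology-consistency idea described in the abstract (this is not code from the paper, nor from the Route Views project), the following Python script learns an AS-level adjacency graph from previously observed update messages and then flags any update whose AS_PATH claims an AS-to-AS link that the learned topology has never seen. The input lines follow the text layout of `bgpdump -m` (type|time|A|peer_ip|peer_as|prefix|as_path|origin|...), but every ASN, prefix and timestamp is constructed for the example; the distance-based "plausible new link" versus "suspicious" verdict is a triage heuristic assumed here, not the paper's method.

```python
"""Topology-based consistency check for BGP AS_PATHs (added example).

Learns AS adjacency from observed updates, then flags AS_PATH hops that the
model has never seen. Lines follow the `bgpdump -m` text layout; all ASNs,
prefixes and timestamps are constructed for this example.
"""
from collections import defaultdict, deque

# Constructed "training" updates used to learn the AS-level topology.
TRAINING_UPDATES = [
    "BGP4MP|1061000000|A|198.32.162.100|65001|192.0.2.0/24|65001 65002 65003|IGP",
    "BGP4MP|1061000001|A|198.32.162.100|65001|198.51.100.0/24|65001 65002 65004 65005|IGP",
    # AS 65004 prepends itself once; prepending carries no topology information.
    "BGP4MP|1061000002|A|198.32.162.101|65006|198.51.100.0/24|65006 65004 65004 65005|IGP",
    # Aggregated route ending in an AS_SET; its members are unordered.
    "BGP4MP|1061000003|A|198.32.162.101|65006|203.0.113.0/24|65006 65007 {65008,65009}|IGP",
]

# Constructed updates to classify against the learned topology.
TEST_UPDATES = [
    "BGP4MP|1061000100|A|198.32.162.100|65001|192.0.2.0/24|65001 65002 65003|IGP",
    "BGP4MP|1061000101|A|198.32.162.100|65001|198.51.100.0/24|65001 65002 65005|IGP",
    "BGP4MP|1061000102|A|198.32.162.100|65001|198.51.100.0/24|65001 65002 65003 65005|IGP",
    "BGP4MP|1061000103|A|198.32.162.101|65006|192.0.2.0/24|65006 64512 65003|IGP",
]


def normalize_path(raw_path):
    """AS_PATH string -> ordered ASN list; prepends collapsed, AS_SET dropped."""
    asns = []
    for token in raw_path.split():
        if token.startswith("{"):
            break  # AS_SET members are unordered: no adjacency can be inferred
        asn = int(token)
        if not asns or asns[-1] != asn:
            asns.append(asn)
    return asns


def parse_update(line):
    """Return (prefix, as_path) for an announcement line, None for anything else."""
    fields = line.strip().split("|")
    if len(fields) < 7 or fields[2] != "A":
        return None
    return fields[5], normalize_path(fields[6])


def build_topology(lines):
    """Undirected AS adjacency learned from the AS_PATHs of observed updates."""
    adjacency = defaultdict(set)
    for line in lines:
        parsed = parse_update(line)
        if parsed is None:
            continue
        _, path = parsed
        for a, b in zip(path, path[1:]):
            adjacency[a].add(b)
            adjacency[b].add(a)
    return adjacency


def as_distance(adjacency, src, dst):
    """Hop count between two ASes in the learned graph (BFS); None if unreachable."""
    if src == dst:
        return 0
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt == dst:
                return dist + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def check_update(adjacency, line, max_plausible_distance=2):
    """Flag every AS_PATH hop that is not an edge of the learned topology.

    Assumed triage heuristic (not from the paper): two ASes that already share
    a neighbour (distance 2) plausibly added a peering; ASes far apart or
    unknown to the model are reported as suspicious.
    """
    parsed = parse_update(line)
    if parsed is None:
        return []
    prefix, path = parsed
    findings = []
    for a, b in zip(path, path[1:]):
        if b in adjacency.get(a, ()):
            continue
        dist = as_distance(adjacency, a, b)
        plausible = dist is not None and dist <= max_plausible_distance
        findings.append({"prefix": prefix, "edge": (a, b), "known_distance": dist,
                         "verdict": "new link, plausible" if plausible else "suspicious"})
    return findings


if __name__ == "__main__":
    topology = build_topology(TRAINING_UPDATES)
    for update in TEST_UPDATES:
        for finding in check_update(topology, update):
            print(finding)
```

On the constructed data the first test update is fully consistent, the second introduces a link between two ASes that already share a neighbour and is reported as a plausible new peering, the third claims a link between ASes three hops apart, and the fourth routes through an AS the model has never seen, which yields two suspicious hops. A production deployment would bootstrap the adjacency from a long Route Views history and age out edges that stop being observed.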


References

  1. Asia Pacific Network Information Centre, http://www.apnic.net

  2. American Registry for Internet Numbers, http://www.arin.net

  3. Chandra, R., Traina, P., Li, T.: BGP Communities Attribute. IETF RFC 1997 (August 1996)

  4. Cheung, S.: An Efficient Message Authentication Scheme for Link State Routing. In: 13th Annual Computer Security Applications Conference (December 1997)

  5. Convery, S., Cook, D., Franz, M.: An Attack Tree for the Border Gateway Protocol. IETF Internet Draft (October 2002)

  6. Faloutsos, M., Faloutsos, P., Faloutsos, C.: On Power-Law Relationships of the Internet Topology. In: Proceedings of ACM SIGCOMM 1999 (1999)

  7. Farrar, J.: Cable and Wireless Routing Instability. NANOG mailing list, http://www.merit.edu/mail.archives/nanog/2001-04/msg00209.html

  8. Gao, L.: On Inferring Autonomous System Relationships in the Internet. In: Proceedings of IEEE Global Internet (November 2000)

  9. Goodell, G., Aiello, W., Griffin, T., Ioannidis, J., McDaniel, P., Rubin, A.: Working Around BGP: An Incremental Approach to Improving Security and Accuracy of Interdomain Routing. In: Network and Distributed System Security Symposium (2003)

  10. Govindan, R., Reddy, A.: An Analysis of Internet Inter-Domain Topology and Route Stability. In: IEEE INFOCOM (1997)

  11. Huffaker, B., Broido, A., claffy, k., Fomenkov, M., Keys, K., Lagache, E., Moore, D.: Skitter AS Internet Graph. CAIDA (October 2000)

  12. Jou, Y.F., Gong, F., Sargor, C., Wu, X., Wu, F., Chang, H.C., Wang, F.: Design and Implementation of a Scalable Intrusion Detection System for the Protection of Network Infrastructure. In: DARPA Information Survivability Conference and Exposition (January 2000)

  13. Kent, S., Lynn, C., Mikkelson, J., Seo, K.: Secure Border Gateway Protocol (Secure-BGP) - Real World Performance and Deployment Issues. In: Proceedings of the Symposium on Network and Distributed System Security (February 2000)

  14. Kent, S., Lynn, C., Seo, K.: Secure Border Gateway Protocol (Secure-BGP). IEEE Journal on Selected Areas in Communications 18(4), 582–592 (2000)

  15. Labovitz, C., Ahuja, A., Jahanian, F.: Experimental Study of Internet Stability and Wide-Area Network Failures. In: Fault-Tolerant Computing Symposium (June 1999)

  16. Labovitz, C., Malan, G.R., Jahanian, F.: Origins of Internet Routing Instability. In: IEEE INFOCOM (March 1998)

  17. The Latin American and Caribbean Internet Addresses Registry, http://www.lacnic.net

  18. Mahajan, R., Wetherall, D., Anderson, T.: Understanding BGP Misconfiguration. In: Proceedings of ACM SIGCOMM (August 2002)

  19. Malkin, G.: RIP Version 2. IETF RFC 2453 (November 1998)

  20. McCreary, S., Woodcock, B.: PCH RouteViews archive, http://www.pch.net/resources/data/routing-tables

  21. Mittal, V., Vigna, G.: Sensor-Based Intrusion Detection for Intra-Domain Distance-Vector Routing. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS 2002), Washington, DC. ACM Press, New York (November 2002)

  22. Moy, J.: OSPF Version 2. IETF RFC 2328 (April 1998)

  23. Murphy, S.: Border Gateway Protocol Security Analysis. IETF Internet Draft (November 2001)

  24. Murphy, S.L., Badger, M.R.: Digital Signature Protection of the OSPF Routing Protocol. In: Proceedings of the Symposium on Network and Distributed System Security (February 1996)

  25. The North American Network Operators' Group, http://www.nanog.org

  26. Qu, D., Vetter, B.M., Wang, F., Narayan, R., Wu, F., Jou, F., Gong, F., Sargor, C.: Statistical Anomaly Detection for Link-State Routing Protocols. In: Proceedings of the 1998 International Conference on Network Protocols (October 1998)

  27. Przygienda, A., Hauser, R., Tsudik, G.: Reducing the Cost of Security in Link State Routing. In: ISOC Symposium on Network and Distributed System Security (February 1997)

  28. Rekhter, Y., Li, T.: A Border Gateway Protocol 4 (BGP-4). IETF RFC 1654 (March 1995)

  29. Routing Arbiter Project, http://www.ra.net

  30. Smith, B.R., Murthy, S., Garcia-Luna-Aceves, J.J.: Securing Distance-Vector Routing Protocols. In: Proceedings of the Symposium on Network and Distributed System Security (February 1997)

  31. Subramanian, L., Agarwal, S., Rexford, J., Katz, R.H.: Characterizing the Internet Hierarchy From Multiple Vantage Points. In: IEEE INFOCOM (2002)

  32. University of Oregon Route Views Project (Looking Glass), http://antc.uoregon.edu/route-views

  33. Zegura, E., Calvert, K., Donahoo, M.: A Quantitative Comparison of Graph-Based Models for Internetworks. IEEE/ACM Transactions on Networking 5(6), 770–783 (1997)

  34. Zhao, X., Pei, D., Wang, L., Massey, D., Mankin, A., Wu, S.F., Zhang, L.: An Analysis of BGP Multiple Origin AS (MOAS) Conflict. In: ACM SIGCOMM Internet Measurement Workshop, San Francisco, USA (November 2001)

  35. Zhao, X., Pei, D., Wang, L., Zhang, L., Massey, D., Mankin, A., Wu, S.F.: Detection of Invalid Route Announcement in the Internet. In: International Conference on Dependable Systems and Networks (2002)


Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kruegel, C., Mutz, D., Robertson, W., Valeur, F. (2003). Topology-Based Detection of Anomalous BGP Messages. In: Vigna, G., Kruegel, C., Jonsson, E. (eds) Recent Advances in Intrusion Detection. RAID 2003. Lecture Notes in Computer Science, vol 2820. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45248-5_2


  • DOI: https://doi.org/10.1007/978-3-540-45248-5_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-40878-9

  • Online ISBN: 978-3-540-45248-5

  • eBook Packages: Springer Book Archive
