Elsevier

Computer Networks

Volume 202, 15 January 2022, 108650

Understanding the impact of outsourcing mitigation against BGP prefix hijacking

https://doi.org/10.1016/j.comnet.2021.108650

Abstract

BGP prefix hijacking, caused by misconfiguration or malicious route announcements, is a serious problem for today's Internet. Outsourcing mitigation is a recently proposed automatic hijacking mitigation method. It mitigates hijacking incidents by attracting the hijacked traffic and redirecting it to the origin AS, so the choice of the AS that performs this attracting and redirecting is important for the effectiveness of mitigation. However, traditional methods, such as simply selecting a neighbor AS of the origin AS as the mitigator, cannot guarantee mitigation effectiveness. Therefore, how to measure the mitigation effectiveness of different ASes and how to select mitigators effectively are key issues of outsourcing mitigation.

In this paper, to measure the mitigation effectiveness of ASes, (1) we use a new metric for evaluating mitigation effectiveness and propose a strategy called AS Reachability Influence Selection (ARS) for effectively selecting ASes with high mitigation effectiveness, and (2) we conduct extensive analysis of the characteristics (e.g., AS type, degree, providers, region) that influence mitigation effectiveness. The results show that ARS ranks ASes with high mitigation effectiveness first. They also show that ASes with many Tier-1 providers or high-tier providers may achieve higher mitigation effectiveness than Tier-1 ASes.

Introduction

Today's Internet is composed of tens of thousands of networks called Autonomous Systems (ASes), which exchange routing information using the Border Gateway Protocol (BGP). Because of weaknesses in the BGP design, the Internet suffers from various security issues [1], including BGP prefix hijacking and route leaks, the two most common types of incident in the BGP network. In a BGP prefix hijack, an attacker announces a prefix that it does not own, causing ASes that trust the false routing announcement to send their traffic to the wrong destination. A route leak occurs when the attacker propagates a valid route beyond the scope intended by the routing policies of the ASes involved [2]. In this paper, we mainly consider BGP prefix hijacking. It can be used for various malicious activities such as spamming, phishing, and traffic blackholing. A well-known incident occurred in 2008, when an ISP from Pakistan hijacked a YouTube prefix and made YouTube inaccessible worldwide for 2 h [3]. Moreover, the study in [4] demonstrates that BGP prefix hijacking can also be used to attack the Bitcoin network.

Over the last two decades, researchers have made great efforts to secure the inter-domain network, and a variety of BGP defense mechanisms have been proposed, such as [5], [6], [7], [8], [9], [10], [11]. These mechanisms fall into two types: proactive defense and reactive defense. The main difference between them is that proactive defense aims at preventing an attack before it is launched, whereas reactive defense focuses on accurately detecting and mitigating an attack once it has already happened. Due to technical and financial issues, proactive defense mechanisms like BGPsec [9] and RPKI [8] have not been deployed globally [12], and they provide only meager security in partial deployment [13]. For example, BGPsec cannot secure a routing path if any AS on the path does not support BGPsec, because BGPsec requires each AS on the path to validate all previous signatures and add its own signature [13]. According to a survey in [12], reactive defense mechanisms require simpler deployment and less modification of the current network infrastructure than proactive ones, so it is easier for operators to adopt them.

A reactive defense mechanism usually consists of two parts: detection and mitigation. If the detection system detects that a hijack is happening, it notifies network operators of the incident. After receiving the notification, operators mainly have two ways in practice to mitigate the hijack: announcing disaggregated prefixes (e.g., the hijacked prefix 119.63.0.0/23 can be disaggregated into 119.63.0.0/24 and 119.63.1.0/24) or contacting the network operators of other ASes. However, the effect of both strategies is very limited. For instance, prefix disaggregation does not work well when the hijacked prefix is already more specific than /25, since most routers filter prefixes more specific than /25 [14]. Contacting other networks, or waiting for them to react to the hijack, incurs unpredictable delay and is sometimes impossible [15]. Sometimes the victims even have to publicly disclose the hijacking incident by e-mail to other network operators [15]. Meanwhile, large-scale BGP hijacks may last for a long time; for example, the incidents [16], [17] both lasted more than 2 h and had a serious impact on the Internet. A more efficient way to mitigate hijacking quickly is therefore needed. In addition to improving hijacking detection accuracy, effectively mitigating the negative impact of a detected hijack is also important, especially when no other direct method can eliminate the malicious routes.

The work in [18] proposed a new method for mitigating BGP prefix hijacking, which we call outsourcing mitigation. In outsourcing mitigation, the mitigator (an AS) attracts misdirected traffic by announcing the hijacked prefix and then redirects the hijacked traffic to the victim. This method efficiently mitigates the impact of hijacking incidents and needs neither large-scale cooperation between ASes [18] nor disaggregation of the hijacked prefix; it only requires an agreement between the victim whose prefix is hijacked and the mitigator that performs the mitigating action. The mitigation effectiveness of outsourcing mitigation depends on the selection of the mitigators that perform the traffic redirection, because different ASes acting as mitigators attract different numbers of ASes to accept their routes instead of the attacker's route. For example, we ran a simple experiment in which AS-33657 is the hijacker and hijacks the prefix of AS-398373. In this hijack event, around 96% of ASes accepted the wrong route announced by the hijacker. If AS-20940 is selected as the mitigator, the share of ASes accepting the wrong route drops to around 4.7%; if AS-174 is selected instead, it only drops to around 80%. Therefore, mitigator deployment is crucial for maximizing the effect of outsourcing mitigation. However, the traditional approach of selecting a neighbor of the origin AS as the mitigator [19] cannot guarantee the effectiveness of mitigation.

In this paper, we study the deployment problem of outsourcing mitigation and propose a metric to quantify the mitigation effectiveness of mitigators. To further analyze the effectiveness, we propose a mitigator selection strategy named ARS to help select ASes with high mitigation effectiveness, and we conduct extensive analysis of the factors that affect the mitigation ability of different mitigators. Besides BGP prefix hijacking, we also study the effectiveness of outsourcing mitigation in mitigating route leaks. To our knowledge, this paper is the first to comprehensively study the deployment of outsourcing mitigation by evaluating the mitigation effectiveness of different ASes from the perspective of network topology.

Our main contributions are summarized as follows. First, a new metric for evaluating mitigation effectiveness in hijack-mitigation simulations is proposed. Second, a mitigator selection strategy called ARS is proposed to help filter out ASes with high mitigation effectiveness. Third, different characteristics of ASes that influence mitigation effectiveness (i.e., AS type, providers, degree, region) are analyzed, and different deployment strategies including ARS are evaluated using the proposed metric. The relationships between the mitigator and the hijacker/victim are also investigated. The results show that the providers of an AS play a crucial role in mitigating BGP prefix hijacking: ASes with many Tier-1 providers or high-tier providers are more likely to achieve high mitigation effectiveness than Tier-1 ASes. The results also show that ARS ranks ASes with high potential mitigation ability first.

The remainder of this paper is organized as follows. The overview of the outsourcing mitigation is presented in Section 2. Section 3 introduces the methodology of this paper, including the BGP hijack-mitigation model, the evaluation of mitigation effectiveness, the definition of ARS, and the simulation setup. Section 4 analyzes mitigation effectiveness with different AS types, AS metrics, and regions. Following that, Section 5 illustrates important findings from the analysis. Section 6 extends the outsourcing mitigation to route leak mitigation and introduces the route leak mitigation details and evaluation results. The related work and conclusions are shown in Section 7 and Section 8 respectively.

Section snippets

Background: Outsourcing mitigation overview

Outsourcing mitigation aims at attracting the hijacked traffic and redirecting it to the victim (origin AS). The AS providing the outsourcing mitigation service is called the mitigator. When the mitigator receives a mitigation request from its client, it purges its malicious routes for the hijacked prefix and announces this prefix itself. After the mitigator receives the hijacked traffic, it has two ways to redirect the traffic to the victim [18]. The first way is to send hijacked traffic to the

Methodology

In this section, we introduce the methodology for evaluating the effectiveness of outsourcing mitigation. The structure of the methodology is outlined in Fig. 2. Because it is difficult and risky to perform a large-scale mitigation simulation in the real network (e.g., it may disturb the normal routing of the Internet), we build, similar to [13], [21], [22], [23], a BGP routing model suitable for simulating prefix hijacking and mitigation behaviors. The model has over 70,000 ASes, so to improve
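The hijacker/mitigator comparison in the introduction (around 96% of ASes hijacked, reduced to about 4.7% or 80% depending on which AS mitigates) and the routing model mentioned above are the kind of computation the following added Python example performs on a constructed toy topology. It is not the paper's simulator or data. It assumes a simplified Gao-Rexford model (customer > peer > provider preference, then shortest AS path, then lowest next-hop ASN as tie-break; routes learned from peers or providers are exported only to customers), constructed ASNs 1 through 200, and counts an AS as hijacked when its best path ends at the hijacker and as mitigated when it ends at a mitigator, since the mitigator tunnels that traffic back to the victim.

```python
"""Toy simulation of outsourcing mitigation against a BGP prefix hijack.

Added example, not the paper's model. Each AS ranks routes by
customer > peer > provider, then shortest AS path, then lowest next-hop ASN,
and exports peer/provider-learned routes only to customers (Gao-Rexford).
The victim, the hijacker and every mitigator originate the same prefix.
"""
from collections import defaultdict

CUSTOMER, PEER, PROVIDER = 3, 2, 1   # local preference classes

# Constructed toy topology (not the paper's data): (customer, provider) links
# and (peer, peer) links. 100 and 200 are Tier-1s; 10, 20, 30 are Tier-2s
# (30 is multi-homed to both Tier-1s); 1 is the victim, 2 the hijacker.
C2P = [(1, 10), (3, 10), (2, 20), (4, 20), (2, 200), (5, 30), (8, 30), (8, 20),
       (6, 100), (7, 200), (10, 100), (20, 200), (30, 100), (30, 200)]
P2P = [(100, 200)]


def build_topology(c2p, p2p):
    providers, customers, peers = defaultdict(set), defaultdict(set), defaultdict(set)
    for c, p in c2p:
        providers[c].add(p)
        customers[p].add(c)
    for a, b in p2p:
        peers[a].add(b)
        peers[b].add(a)
    ases = set(providers) | set(customers) | set(peers)
    return ases, providers, customers, peers


def simulate(topology, originators):
    """Iterate route selection to a fixed point; return {asn: (pref, as_path)}."""
    ases, providers, customers, peers = topology
    # An originator keeps a fixed one-hop route and exports it to every neighbour,
    # exactly like a customer-learned route.
    routes = {a: (CUSTOMER, [a]) for a in originators}
    for _ in range(10 * len(ases)):          # safety cap; these policies converge
        changed = False
        for a in sorted(ases - set(originators)):
            best_key, best = None, None
            for n in sorted(customers[a] | peers[a] | providers[a]):
                if n not in routes:
                    continue
                n_pref, n_path = routes[n]
                # Export rule: n tells its customers everything, but tells peers and
                # providers only routes it originated or learned from a customer.
                if a not in customers[n] and n_pref != CUSTOMER:
                    continue
                if a in n_path:                  # AS_PATH loop prevention
                    continue
                pref = CUSTOMER if n in customers[a] else PEER if n in peers[a] else PROVIDER
                key = (pref, -len(n_path), -n)   # higher pref, shorter path, lower ASN
                if best_key is None or key > best_key:
                    best_key, best = key, (pref, [a] + n_path)
            if routes.get(a) != best:
                changed = True
                if best is None:
                    routes.pop(a, None)
                else:
                    routes[a] = best
        if not changed:
            break
    return routes


def hijacked_fraction(topology, victim, hijacker, mitigators=()):
    """Share of ASes (other than victim and hijacker) whose best path ends at the hijacker.
    A path ending at a mitigator counts as mitigated: the mitigator redirects it to the victim."""
    routes = simulate(topology, {victim, hijacker, *mitigators})
    others = [a for a in topology[0] if a not in (victim, hijacker)]
    hijacked = sum(1 for a in others if a in routes and routes[a][1][-1] == hijacker)
    return hijacked / len(others)


if __name__ == "__main__":
    topo = build_topology(C2P, P2P)
    print("no mitigation :", round(hijacked_fraction(topo, 1, 2), 3))
    for m in (3, 100, 30):
        print(f"mitigator {m:>3} :", round(hijacked_fraction(topo, 1, 2, [m]), 3))
```

Running the script prints the hijacked fraction without mitigation and then with AS 3, AS 100 and AS 30 as mitigator. In this constructed graph the stub AS 3 next to the victim changes nothing beyond itself, the Tier-1 AS 100 helps only its own customer cone, and the multi-homed Tier-2 AS 30 leaves the fewest ASes on the hijacker's route; that ordering is a property of the toy topology, not a measurement from the paper, but it shows why the metric must be computed per candidate mitigator rather than inferred from AS tier alone.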

Characterizing mitigation effectiveness

In this section, we conduct extensive experiments to capture more features of ASes with high mitigation effectiveness. (1) We explore the mitigation effectiveness of different AS types, including AS business types and AS tier types. (2) We analyze several metrics used to measure the importance of ASes (e.g., core number, degree, provider, ReachInf) and then compare the mitigation performance of their corresponding selection strategies. Through this analysis, we can have a

Learn from mitigation incidents of hijacking

In this section, the key findings from mitigation incidents are presented to provide a deeper understanding of the relationship between the hijacker/victim and the mitigator. Besides, the hijacking-mitigation scenarios where the ASes with high mitigation effectiveness become attackers are discussed.

Extension: Mitigation effectiveness in route leaks

Route leak mitigation faces similar challenges to the prefix hijacking mitigation introduced earlier. The mitigation of route leaks mainly depends on manual correction after network operators or administrators receive alerts from a detection system, e.g., the route leak detection service provided by Cloudflare [37]. In a route leak, since the propagated AS path contains a valid first set of ASes, the offending paths tend to be longer than the original paths. So, the outsourcing

Related work

Zhang et al. [10] proposed an automatic reactive mitigation mechanism to help mitigate hijacking by cleaning and correcting false routes. It selects several ASes known as lifesavers before the hijacking. When a hijacking incident is detected, all lifesavers begin to clean the malicious routes, and a promoter AS set selected from lifesavers promotes the valid route by putting ASes in AS_PATH into AS_SET. However, this mechanism needs complex cooperation with all lifesaver ASes. Tower Defense [39]

Conclusions

In this work, we analyze various factors that influence the mitigation effectiveness of ASes, such as the number of providers, Tier-1 providers, degree, core number, AS type, and region. We also propose a metric, ReachInf, to measure the mitigation potential of ASes and a selection method named ARS to select mitigators. According to the analysis, ASes with many Tier-1 providers or high-tier providers may achieve higher mitigation effectiveness than Tier-1 ASes, and ARS can filter out ASes

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgment

This work is supported by the National Key R&D Program of China (No. 2018YFB1800404).

Man Zeng received the B.E. degree from Beijing University of Posts and Telecommunications (BUPT), Beijing, China, in 2017. She is currently pursuing her Ph.D. at the School of Computer Science (National Pilot Software Engineering School), BUPT. Her interests include inter-domain security, intelligent network, software-defined networking.

References (39)

  • P. Moriano et al., Using bursty announcements for detecting BGP routing anomalies, Comput. Netw. (2021)
  • J. Karlin et al., Autonomous security for autonomous systems, Comput. Netw. (2008)
  • K. Butler et al., A survey of BGP security issues and solutions, Proc. IEEE (2009)
  • Massive route leak causes internet slowdown (2015)
  • Pakistan hijacks YouTube (2008)
  • M. Apostolaki et al., Hijacking bitcoin: Routing attacks on cryptocurrencies
  • S. Kent et al., Secure border gateway protocol (S-BGP), IEEE J. Sel. Areas Commun. (2000)
  • Z. Zhang, Y. Zhang, Y.C. Hu, Z.M. Mao, R. Bush, iSPY: detecting IP prefix hijacking on my own, in: Proceedings of the...
  • J. Karlin et al., Pretty good BGP: Improving BGP by cautiously adopting routes
  • M. Lepinski et al., An Infrastructure to Support Secure Internet Routing (2012)
  • M. Lepinski et al., BGPsec protocol specification (2017)
  • Z. Zhang, Y. Zhang, Y.C. Hu, Z.M. Mao, Practical defenses against BGP prefix hijacking, in: Proceedings of the 2007 ACM...
  • P. Sermpezis et al., A survey among network operators on BGP prefix hijacking, ACM SIGCOMM Comput. Commun. Rev. (2018)
  • A. Cohen, Y. Gilad, A. Herzberg, M. Schapira, Jumpstarting BGP security with path-end validation, in: Proceedings of...
  • R. Bush, O. Maennel, M. Roughan, S. Uhlig, Internet optometry: assessing the broken glasses in internet reachability,...
  • C. Testart, P. Richter, A. King, A. Dainotti, D. Clark, Profiling BGP serial hijackers: capturing persistent...
  • Hijack event today by indosat (2014)
  • Large scale BGP hijack out of India (2015)
  • P. Sermpezis et al., ARTEMIS: Neutralizing BGP hijacking within a minute, IEEE/ACM Trans. Netw. (2018)
Xiaohong Huang received her B.E. degree from Beijing University of Posts and Telecommunications (BUPT), Beijing, China, in 2000 and her Ph.D. degree from the School of Electrical and Electronic Engineering (EEE), Nanyang Technological University, Singapore, in 2005. Since 2005, Dr. Huang has been with BUPT, where she is now a professor and director of the Network and Information Center in the School of Computer Science (National Pilot Software Engineering School). Dr. Huang has published more than 50 academic papers in the areas of WDM optical networks, IP networks and other related fields. Her current interests include performance analysis of computer networks and service classification.

Pei Zhang received his Ph.D. from Beijing University of Posts and Telecommunications in 2012. He is now working in the School of Computer Science (National Pilot Software Engineering School), Beijing University of Posts and Telecommunications. His research concerns computer networks, network security and AI.

Dandan Li received her Ph.D. degree from Beijing University of Posts and Telecommunications (BUPT), Beijing, China, in 2017. She is currently an associate professor in the School of Computer Science (National Pilot Software Engineering School) of BUPT. Her research interests include privacy and security issues in networking applications, and classical and quantum cryptography.
