ABSTRACT
A concurrent prefix hijack happens when an unauthorized network originates IP prefixes of multiple other networks. Its extreme case is leaking the entire routing table, i.e., hijacking all the prefixes in the table. This is a well-known problem and there exists a preventive measure in practice to safeguard against it. However, we investigated and uncovered many concurrent prefix hijacks that didn't involve a full-table leak. We report these events and their impact on Internet routing. By correlating suspicious routing announcements and comparing them with a network's past routing announcements, we develop a method to detect a network's abnormal behavior of offending multiple other networks simultaneously. Applying the detection algorithm to BGP routing updates from 2003 through 2010, we identify five to twenty concurrent prefix hijacks every year, most of which were previously unknown to the research and operations communities at large. They typically hijack prefixes owned by a few tens of networks, last from a few minutes to a few hours, and pollute routes at most vantage points.
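The abstract describes the detection idea at a high level: flag an origin announcement as suspicious when it conflicts with a network's past announcements, then group suspicious announcements by the offending network and look for one network offending several others within a short time. The following is an added illustration of that idea, not the paper's own code or algorithm. It assumes a simplified input (timestamp, prefix, origin AS), a clean baseline period from which per-prefix origin history is learned, and threshold values (a one-hour window, at least three distinct victim ASes, and an 80% prefix fraction to call an event a full-table leak) that are assumptions chosen for the example; the sample updates are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    """One observed BGP origin announcement: time in seconds, prefix, origin AS."""
    ts: int
    prefix: str
    origin_as: int


@dataclass
class Alert:
    offender: int        # AS originating prefixes it never originated before
    victims: frozenset   # ASes that originated those prefixes in the baseline
    prefixes: frozenset  # prefixes involved in the event
    start: int           # first suspicious announcement in the window
    end: int             # last suspicious announcement in the window
    kind: str            # "full-table leak" or "concurrent hijack"


class ConcurrentHijackDetector:
    # Window and thresholds are assumed values for this example, not the paper's.
    def __init__(self, window=3600, min_victims=3, full_table_fraction=0.8):
        self.window = window
        self.min_victims = min_victims
        self.full_table_fraction = full_table_fraction
        self.history = defaultdict(set)   # prefix -> set of past origin ASes

    def learn_baseline(self, updates):
        """Record which ASes originated each prefix during a clean baseline period."""
        for u in updates:
            self.history[u.prefix].add(u.origin_as)

    def _suspicious_by_offender(self, updates):
        """Group announcements whose origin never originated that prefix before."""
        per_offender = defaultdict(list)
        for u in sorted(updates, key=lambda x: x.ts):
            past = self.history.get(u.prefix)
            if not past or u.origin_as in past:
                continue   # unknown prefix or a known legitimate origin: not suspicious
            per_offender[u.origin_as].append(u)
        return per_offender

    def detect(self, updates):
        """Return one Alert per AS that offends >= min_victims distinct ASes within the window."""
        alerts = []
        for offender, anns in self._suspicious_by_offender(updates).items():
            best = None
            # Slide a time window over the offender's suspicious announcements and
            # keep the window covering the largest set of distinct victim ASes.
            for i in range(len(anns)):
                j = i
                while j < len(anns) and anns[j].ts - anns[i].ts <= self.window:
                    j += 1
                chunk = anns[i:j]
                victims = frozenset(v for a in chunk for v in self.history[a.prefix])
                if best is None or len(victims) > len(best[0]):
                    best = (victims, chunk)
            victims, chunk = best
            if len(victims) < self.min_victims:
                continue   # an isolated single-prefix hijack is not a concurrent one
            prefixes = frozenset(a.prefix for a in chunk)
            full_table = len(prefixes) >= self.full_table_fraction * len(self.history)
            kind = "full-table leak" if full_table else "concurrent hijack"
            alerts.append(Alert(offender, victims, prefixes, chunk[0].ts, chunk[-1].ts, kind))
        return alerts


# Constructed sample data: a baseline in which each prefix has one legitimate origin,
# then an event period in which AS 999 originates three other networks' prefixes.
BASELINE = [
    Update(0, "10.0.0.0/16", 100), Update(0, "10.1.0.0/16", 100),
    Update(0, "10.2.0.0/16", 200), Update(0, "10.3.0.0/16", 300),
    Update(0, "10.4.0.0/16", 400), Update(0, "10.5.0.0/16", 500),
    Update(0, "10.9.0.0/16", 999),
]
EVENT = [
    Update(1000, "10.0.0.0/16", 999),
    Update(1060, "10.2.0.0/16", 999),
    Update(1300, "10.3.0.0/16", 999),
    Update(1500, "10.4.0.0/16", 777),   # single-prefix conflict, below the victim threshold
    Update(1600, "10.5.0.0/16", 500),   # legitimate re-announcement by the baseline origin
]


def run_example():
    detector = ConcurrentHijackDetector()
    detector.learn_baseline(BASELINE)
    return detector.detect(EVENT)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The two design points worth noting are that victims are counted as distinct ASes rather than prefixes, which is what separates a concurrent hijack from an ordinary single-origin conflict, and that the full-table classification compares the event's prefix count against the size of the learned baseline, so the same detector separates the partial events the abstract reports from the well-known full-table leak case.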
Supplemental Material
Summary Review Documentation for "Does Large Route Leak Still Happen?", Authors: V. Khare, Q. Ju, B. Zhang
Index Terms
- Concurrent prefix hijacks: occurrence and impacts