1. Field
The present invention relates to computers and computer networks. More particularly, the present invention relates to detecting Internet Border Gateway Protocol (BGP) prefix hijacking attacks.
2. Description of Related Art
The Internet routing system is partitioned into tens of thousands of Autonomous Systems (ASs), each of which is an independent administrative domain. It is the Border Gateway Protocol (BGP) that maintains and exchanges routing information between the ASs. However, BGP was designed based on the implicit trust between all participating ASs and border routers and thus provides no explicit mechanism for authenticating the routes injected into or propagated through the system. Anomalous route injection into the routing system can enable stealthy attacks in the Internet (e.g., a prefix hijacking attack) under the cover of manipulated routing information, and it has been shown that email spam has indeed been sent under the protection of prefix hijacking for short periods of time. Such attacks are stealthy since the temporary presence of the route announcements makes it challenging to trace the origin of the announcement.
Although route announcements can be archived, one cannot rely on them to identify the origin. The attacker can easily prepend a number of arbitrary ASs to prevent such traceback. Therefore, it is important for Internet Service Providers (ISPs) to monitor the health of their routing information, and to detect prefix hijacking and any anomalous traffic associated with hijacked prefixes in real time.
Prefix hijacking can appear in various forms. For example, in order to send out email spam, a spammer can hide its identity by using an unallocated address space. In this case, the spammer can set up a BGP-speaking router that announces an arbitrary prefix to its upstream provider. This enables the spammer to use any address within the prefix to send out spam. Even more stealthily, the spammer can announce the prefix with an arbitrary AS path so that network operators cannot discover the origin of the prefix announcement from archived route updates. Prefix hijacking refers to any anomalous origination of a route from an unauthorized origin AS in order to launch attacks on the data plane. Note that for any attacker who intends to hide his/her identity and aims to launch an attack requiring two-way communication, prefix hijacking is essential. These attack scenarios include (a) email spam, (b) port scans, which only work when the scanner receives messages indicating whether a port is open or not (e.g., Nmap exploits the default response of a host on sending a TCP or UDP packet to a port of the host; a returned ICMP message indicates that the port is unreachable), and (c) phishing attacks, in which a prefix belonging to a well-known website such as bankofamerica.com is announced and a look-alike website is established.
Despite the fact that network operators are highly aware of the destructive effect of prefix hijacking, existing mechanisms to prevent prefix hijacking have not been effective. Network operators have deployed route filters to prevent prefix hijacking. However, the filters are configured in an ad-hoc manner and typically aim at filtering well-known bogon prefixes. Several secure extensions of BGP, such as S-BGP and soBGP, have been proposed in recent years. These extensions are far from wide deployment. It is imperative to provide systematic mechanisms for network operators to identify prefix hijacking and thereby to detect anomalous activities associated with it.
It is challenging to detect bogus routing information such as prefix hijacking routes in a system as large as the inter-domain routing system. In order to prevent prefix hijacking, the list of assigned or allocated prefixes in the Internet and their corresponding legitimate origin ASs is needed. There is no instantly available information source for this authentication. The Internet WHOIS is a collection of routing information databases maintained by the Regional Internet Registries (RIRs) and some ISPs. Nonetheless, the WHOIS database relies on network operators to update routing information. Keeping the database consistent and up-to-date in such a large system is challenging at the least. For example, one study has found that only 28% of ASs registered consistent and up-to-date routing information in the WHOIS databases. Moreover, even for the most carefully maintained database, human-induced errors cannot always be avoided.
Moreover, bogus routing information may not necessarily have resulted from deliberate manipulation. It might be caused by unintentional human-induced misconfigurations. For example, typographical errors in the configuration file can lead a BGP router to announce prefixes belonging to other ASs or prefixes in the unused address space. Misuse of BGP commands that redistribute IGP routes into the BGP system can lead an AS to originate other ASs' prefixes. An AS can prepend its AS number several times in the AS path when a route is announced to its neighbors, while typographical errors in the prepending list can result in a false origin AS or AS path. These "noises" make the identification of bogus routes even harder. In addition, prefix hijacking routes can be mixed up with newly emerging legitimate routes. For example, whether a newly assigned prefix is originated from the legitimate AS cannot be determined without an accurate view of the global address space assignment and allocation status. Meanwhile, transitions of prefixes from one AS to another are also common. All these facts make the identification of prefix hijacking routes based solely on routing information unsuccessful.
As a path-vector routing protocol, a route in the BGP system mainly consists of a prefix, which represents the destination network, and an AS path, which is the sequence of ASs that traffic should traverse from the local AS to the origin AS of the prefix. A valid route must be originated from the legitimate AS, to which the relevant prefixes are legitimately assigned by the relevant ISPs or the RIRs. In contrast, in an anomalous prefix announcement (e.g., a prefix hijacking announcement), a rogue AS announces itself as the origin of a prefix which it does not own. The underlying exploit by which an attacker announces the prefix from a false AS could be as simple as breaking into a BGP-enabled router or the more cunning method of setting up a rogue ISP and purchasing access from an upstream ISP.
Prefix hijacking can be carried out in various forms. For example, the rogue AS can hijack prefixes completely identical to other ASs', or just subnets of them, or even unannounced prefixes. Because packets in the Internet are routed based on the longest matching prefix, different hijacking strategies can have different impacts on the legitimate users of the Internet. Accordingly, prefix hijacking attacks can be classified as follows:
1. Duplicate-prefix hijacking: The rogue origin AS originates exactly the same prefixes owned by other legitimate ASs.
2. Sub-prefix hijacking: The rogue origin AS originates prefixes that are subnets of the legitimate address space of other ASs.
3. Super-prefix hijacking: The rogue origin AS originates prefixes that are super-nets of the legitimate address space of other ASs.
4. Independent-prefix hijacking: The rogue origin AS originates prefixes that are completely in the “free” address space and independent of the legitimate address space of other ASs.
The hijacked prefixes in the first two cases may directly affect the traffic delivery of the legitimate prefixes. When a BGP router accepts the bogus routes, it forwards the relevant traffic to the rogue origin AS instead of the legitimate one. On the other hand, the latter two kinds of prefix hijacking attacks steal the address spaces that have not been legitimately assigned or allocated to any AS. The attacker can use these routes to send and receive traffic without interfering with any legitimate prefixes. For example, it has been reported that some ASs announce super-nets of the allocated address spaces, such as 61/8, 82/8, and use the unused IP-addresses within the block to send spam.
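The following is an added example, not part of the patent text, that puts the four-way classification above into code: it takes an announcement (prefix plus AS path), extracts the origin AS as the last AS in the path (so prepending does not change it), and compares the prefix against a registry of legitimate prefix-to-origin pairs using the same longest-match relationship the text describes. The registry contents, AS numbers and sample announcements are constructed for illustration; treating a supernet that covers only the origin's own space as legitimate is an assumption the text does not state.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed registry of legitimate prefix -> origin AS pairs (made-up values;
# in practice these would come from RIR/WHOIS records, which the text notes are often stale).
LEGIT_ORIGINS: Dict[str, int] = {
    "10.1.0.0/16": 64500,
    "10.1.128.0/17": 64502,   # upper half of the block assigned to another AS
    "192.0.2.0/24": 64501,
}

def origin_as(as_path: List[int]) -> int:
    """Origin is the last AS in the path; prepending repeats it without changing it."""
    return as_path[-1]

def classify(prefix: str, as_path: List[int],
             registry: Dict[str, int] = LEGIT_ORIGINS) -> str:
    """Map one announcement onto the four hijacking types above, or 'legitimate'."""
    net = ipaddress.ip_network(prefix, strict=False)
    origin = origin_as(as_path)
    known = {ipaddress.ip_network(p): a for p, a in registry.items()}
    # Longest registered prefix equal to or containing the announcement, which is
    # the entry the forwarding plane's longest-match lookup would compete with.
    covering = [n for n in known if n.version == net.version and net.subnet_of(n)]
    if covering:
        best = max(covering, key=lambda n: n.prefixlen)
        if origin == known[best]:
            return "legitimate"
        return "duplicate-prefix hijacking" if best == net else "sub-prefix hijacking"
    # Nothing registered covers it: does it swallow another AS's space?
    covered = [n for n in known if n.version == net.version and n.subnet_of(net)]
    if any(known[n] != origin for n in covered):
        return "super-prefix hijacking"
    if covered:
        return "legitimate"   # aggregate of the origin's own space (assumption)
    return "independent-prefix hijacking"

def classify_all(updates: List[Tuple[str, List[int]]]) -> List[Tuple[str, str]]:
    return [(p, classify(p, path)) for p, path in updates]

# Constructed sample announcements: (prefix, AS path), one per category.
SAMPLE_UPDATES = [
    ("10.1.0.0/16", [64496, 64500, 64500]),  # owner, with AS prepending
    ("10.1.0.0/16", [64496, 64666]),         # duplicate-prefix hijacking
    ("192.0.2.128/25", [64496, 64666]),      # sub-prefix hijacking
    ("10.0.0.0/8", [64496, 64666]),          # super-prefix hijacking
    ("203.0.113.0/24", [64496, 64666]),      # independent-prefix hijacking
]
```

Running `classify_all(SAMPLE_UPDATES)` labels the five sample announcements in order; a super-prefix announced by the owner of every covered block falls back to the assumed "legitimate" label.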
Prefix hijacking attacks manifest themselves on the data traffic plane in different ways, depending on the type of hijacking. An attacker may exploit duplicate-prefix or sub-prefix hijacking in the following way. Since the relevant address space targeted by such attacks is already used in the Internet, the announcement of the anomalous prefix may disrupt the existing communication between the address space and the parts of the Internet that select the false routes, resulting in traffic being routed somewhere other than the original owner of the address space. The motive of an attacker launching such an attack could be to cause drastic traffic shifts, and he/she can sometimes even succeed in reducing all traffic to and from the hijacked address space to a trickle. Such an attack is classified as a Denial-of-Reachability attack, in which the reachability of that prefix from parts of the Internet is affected by the attacker.
An attacker may exploit all sorts of prefix hijacking to send spam, to run network or port scans, or to launch Distributed Denial-of-Service (DDoS) attacks. A sophisticated attacker may set up a botnet (i.e., a collection of compromised machines running programs such as worms, trojan horses, or other anomalous programs) command and control server behind the disguise of a hijacked prefix, making it difficult for anyone to trace back to the server. On the other hand, an attacker may announce anomalous prefixes with the motive of attracting traffic. This may be necessary for certain application-layer attacks that rely on getting a response back, or for those that require the attacker to receive the responses to his attack packets, as in port scans or botnet control commands. An attacker may even hijack an existing prefix via a duplicate-prefix hijacking attack and set up a look-alike web site in order to attract traffic in a sophisticated phishing attack. These exploits are referred to as Injection attacks.