The present invention relates generally to networking, and more particularly to detecting computer-related attacks.
Each computer on the Internet can be identified by its Internet Protocol (IP) network address or addresses. FIG. 1 shows a block diagram of a network address 100. Network address 100 includes two parts—a prefix 104 and a host number 108. The prefix 104 uniquely identifies a network which is recognizable and routable by Internet routers. The host number 108 uniquely identifies a communication end point on the network that is specified by the prefix 104. Because the IP network address identifies a communication end point, which is often referred to as a Network Interface (NI), a device may have multiple NIs and therefore multiple IP addresses.
Data communication on the Internet is conducted in units called IP packets. Each IP packet contains the IP address of its source, where the packet is generated, the IP address of its destination, where the packet is intended to be received, and other information such as Time-To-Live (TTL), which specifies how many times this IP packet can be forwarded. On each router there is a routing table which directs how a received packet should be forwarded based on the prefix of the packet's destination address.
Traditionally, authorities allocate prefixes, and hence the blocks of IP addresses represented by the prefixes, to Internet Service Providers (ISPs). When an ISP obtains a prefix, the ISP (i.e., its routers) “announces” or advertises the prefix to other routers on the Internet, and in doing so takes on responsibility for exchanging routes with the neighboring routers so that the ISP gains connectivity to the rest of the Internet.
From a routing point of view, the Internet can be considered to be partitioned into a number of independently administrated entities called autonomous systems (ASes). An AS is a collection of networks (i.e., the routers joining those networks) under the same administrative authority and that share a common routing strategy. Today's Internet includes over 20,000 inter-connected ASes controlled by different administrative domains such as ISPs, corporations, universities, and research institutions.
Different ASes interact with each other in a complex manner through the use of the Border Gateway Protocol (BGP), which is a protocol for exchanging routing information between nodes (e.g., routers). Each AS may own one or multiple prefixes, and hence the networks that the prefixes identify. BGP enables each individual administrative domain to specify its own internal routing policies. Inside each AS, local routing policy decides how to forward packets among its networks. Overall, IP data packets are routed in a hierarchical fashion. First, the packet is forwarded from a source node to a first-hop router by local area network forwarding policy. Then the packet enters the ISP AS, where the ISP's local routing policy forwards it to an exterior router of the ISP AS. The exterior router then uses BGP route information to identify which AS is the next AS along the direction towards the packet destination and forwards the packet to this next AS, which again forwards using its local routing policy. Each of these forwarding decisions is based on the prefix of the packet's destination address. Once the packet reaches its destination network, the network uses the host number of the packet's destination address to locate where the packet should be delivered using a local area network mechanism such as Ethernet forwarding.
The BGP routing protocol, however, has no mechanism for authenticating routing announcements. Thus, routers can arbitrarily announce or advertise routes for prefixes and/or fabricate AS paths associated with the prefixes. These false announcements reroute packets destined for a destination network. Such false announcements can be quickly spread to a large number of BGP routers across multiple ASes and affect their routing tables.
This rerouting of packets is known as a prefix hijacking attack and is performed by a hijacker or attacker. The detour of the hijacked traffic passes through sites under the attacker's control. A purpose of prefix hijacking attacks is to intercept data traffic destined for the destination network so the attacker can conduct a number of operations, such as retaining a copy of the communication, conducting man-in-the-middle attacks, or impersonating the destination network. Destination networks may also suffer from degraded network performance and endangered information security. Hijacked prefixes can also be used to spread viruses.
There have been several proposed solutions for detecting prefix hijacking attacks. Some of these proposed solutions use control plane data (i.e., data contained within BGP routing messages sent between routers) to discover routes that are inconsistent with routing principles (i.e., shortest path) and configurations. Control plane data, however, does not always follow general routing principles and, unfortunately, erroneous routing configurations (i.e., route anomalies) are not uncommon.
As a result, these proposed control plane data solutions tend to generate false alarms from route anomalies caused by network operators instead of hijackers. Additional analysis and filtering are needed to handle these false positives. Correcting false positives is generally a difficult task, as it often requires detailed configuration information that network operators may be unwilling to share with others. Also, monitoring control plane data is typically difficult because of the large size of the Internet. Thus, the proposed control plane data solutions are often slow to implement and, as a result, do not react quickly to a problem. Additionally, these proposed control plane data solutions are typically only available among ISPs.
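As an added illustration (not part of this description), a small Python simulation of the two behaviours discussed above: a longest-prefix-match forwarding decision in which a more-specific false announcement captures the destination's traffic, and a control-plane origin-change check that raises the same alarm for a hijack and for an operator's legitimate re-homing of a prefix, which is the false-positive problem just described. AS numbers, prefixes and the update stream are constructed sample values.

```python
import ipaddress
from collections import defaultdict

def route(prefix, path):
    """One RIB entry as a router holds it: the prefix plus the AS path that announced it."""
    return {"prefix": ipaddress.ip_network(prefix), "path": tuple(path)}

def best_route(rib, dst):
    """Forwarding decision: longest-prefix match, then (simplified BGP) shortest AS path."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in rib if dst in r["prefix"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["prefix"].prefixlen, -len(r["path"])))

def next_hop_as(rib, dst):
    """First AS on the chosen path, i.e. where this router hands the packet off."""
    r = best_route(rib, dst)
    return r["path"][0] if r else None

def origin_conflicts(updates):
    """Control-plane check: alarm whenever a prefix appears with a new origin AS."""
    seen = defaultdict(set)
    alarms = []
    for prefix, path in updates:
        origin = path[-1]  # the last AS on the path claims to own the prefix
        if seen[prefix] and origin not in seen[prefix]:
            alarms.append((prefix, origin))
        seen[prefix].add(origin)
    return alarms

# Constructed sample: AS64500 legitimately owns 203.0.113.0/24, reachable via AS64496.
LEGIT = [route("203.0.113.0/24", [64496, 64500])]
# Constructed false announcement of a more-specific prefix originated by AS64511.
HIJACK = LEGIT + [route("203.0.113.0/25", [64497, 64511])]
# Constructed control-plane update stream: one hijack and one legitimate re-homing.
UPDATES = [
    ("203.0.113.0/24", (64496, 64500)),
    ("203.0.113.0/24", (64497, 64511)),   # victim's prefix originated by another AS
    ("198.51.100.0/24", (64496, 64501)),
    ("198.51.100.0/24", (64498, 64502)),  # operator moved the prefix to a new origin AS
]

if __name__ == "__main__":
    print("legit next hop:", next_hop_as(LEGIT, "203.0.113.10"))     # 64496
    print("hijacked next hop:", next_hop_as(HIJACK, "203.0.113.10"))  # 64497
    print("alarms:", origin_conflicts(UPDATES))  # both prefixes, indistinguishable
```

The origin-change check cannot tell the two alarms apart without the operators' configuration data, which is exactly why the control-plane approaches described above need additional filtering.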
Therefore, there remains a need to more accurately identify prefix hijacking attacks compared with route anomalies produced by network operators.