Network Reachability-based IP Prefix Hijacking Detection
Ph.D. Thesis Defense, Seongcheol Hong
Supervisor: Prof. James Won-Ki Hong
December 16, 2011
Distributed Processing & Network Management Lab., Dept. of Computer Science and Engineering, POSTECH, Korea
Presentation Outline
• Introduction
• Related Work
• Research Approach
• Reachability Based Hijacking Detection (RBHD)
• Evaluation and Results
• Conclusions
Introduction
• Routing protocols communicate reachability information and perform path selection
• BGP is the Internet’s de facto inter-domain routing protocol
[Figure: BGP advertisements among AS 1, AS 2 and AS 300 over eBGP and iBGP sessions, with routing table entries (prefix, AS path) for 1.2.0.0/16 and 1.10.0.0/16]
Introduction
• What is IP prefix hijacking?
  • Stealing IP addresses belonging to other networks
  • It can occur on purpose or by mistake
  • A serious threat to the robustness and security of the Internet routing system
• IP prefix hijacking attack types
  • NLRI falsification
  • AS path falsification
• IP prefix hijacking incidents
  • AS 7007 incident
  • YouTube hijacking
  • Chinese ISP hijacking
[Figure: the victim AS 1 and the attacker AS 4 both advertise 1.2.0.0/16; the routing tables of AS 2, AS 3 and AS 5 list the prefix with different AS paths]
Research Motivation
• IP prefix hijacking is a crucial problem in Internet security
• A number of efforts have been introduced
  • Security-enabled BGP protocols
  • Hijacking detection methods
• Every existing BGP security solution has limitations
  • Security-enabled BGP protocols are impractical to deploy
  • Hijacking detection methods cannot detect every type of IP prefix hijacking threat
• We need a novel approach which is practical and covers all types of IP prefix hijacking attacks
Research Goals
• Target approach
  • Security-enabled BGP protocol
  • IP prefix hijacking detection method
• Developing a new approach which is practical and detects all types of IP prefix hijacking
• The IP hijacking detection system does not require the cooperation of ASes and does not have to be located at a specific monitoring point
• The proposed approach should be validated in simulated environments using real network data
Related Work
• Security-enabled BGP protocol
  • BGP Session Protection
    • Protecting the underlying TCP session and implementing BGP session defenses
    • Not verifying the content of BGP messages
  • Defensive Filtering
    • Filters announcements which are bad and potentially malicious
    • It is difficult for an ISP to identify invalid routes originated from several AS hops away
  • Cryptographic Techniques
    • Rely on a shared key between two parties
    • Public Key Infrastructure (PKI) requires many resources
  • Routing Registries
    • Shared, global view of ‘correct’ routing information
    • The registry itself must be secure, complete and accurate
Related Work
• Existing IP hijacking detection methods are classified by
  • Detection approach: victim-centric, infrastructure-based, peer-centric
  • Type of used data: routing information (control-plane), data probing (data-plane)
  • Attack type: NLRI falsification, AS path falsification
Related Work
• Comparison among IP hijacking detection methods
[Table: Topology, PHAS, Distance, Real-time Monitoring, pgBGP, iSPY, Strobelight and Reachability (proposed) compared by detection approach (victim-centric / infrastructure-based / peer-centric), type of used data (routing information / data probing) and attack type (NLRI falsification / AS path falsification)]
Research Approach
• IP prefix hijacking detection based on network reachability
[Figure: the attacker AS 4 and the victim AS 1 both advertise 1.2.0.0/16, so neighbouring ASes hold the prefix with different AS paths; the detector asks "Multiple origin AS?" and then runs a reachability test toward 1.2.0.0/16 asking "Reached the intended network?"; since the intended network is not reached, this update is an IP hijacking case]
Reachability-Based Hijacking Detection (RBHD)
Network Reachability Examination
• IP prefix hijacking is an attack which influences network reachability
• We have developed network fingerprinting techniques for network reachability examination
• Network fingerprinting is the active or passive collection of characteristics from a target network (AS level)
  • A network fingerprint should be unique enough to distinguish a certain network
  • A = B if and only if Fingerprint_A = Fingerprint_B
Network Fingerprinting
• What can uniquely characterize a network?
  • IP prefix information
  • Number of running servers in the network
  • A static live host or device in the network (e.g., IDS or IPS)
  • Firewall policy
  • Geographical location of the network
  • Etc.
• We have selected static live host information and firewall policy as network fingerprints
  • Static live host: web server, mail server, DNS server, IPS device, etc.
  • Firewall policy: allowed port numbers or IP addresses
  • Neither changes frequently
Static Live Host
• Requirements for live hosts
  • Operated in most ASes
  • IP addresses are easy to obtain
  • Always provide services for their AS
  • Allow external connections and respond to active probing
• A DNS server satisfies all of these requirements
  • Provides a conversion service between domain names and IP addresses
  • Part of the core infrastructure of the Internet
  • Always provides service and allows external connections from any host
DNS Server List Collection
• BGP-RIB of RouteViews
  • RouteViews collects global routing information
  • The RIB consists of IP prefixes and AS paths
• DNS server collection process
  1. Perform a reverse DNS lookup and obtain the name of the server with authority over a particular IP prefix
  2. Perform a DNS lookup with the authority server name and obtain the IP addresses of the DNS server
  3. Repeat steps 1 and 2 over all IP prefixes in the BGP-RIB
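The three-step collection process, as an added Python example that is not the thesis's own code: it assumes the reverse lookup is an SOA query on each /24's in-addr.arpa zone (the SOA MNAME being the authority server) and the forward lookup an A query, and it runs against a constructed in-memory zone table instead of the live DNS or the RouteViews RIB.

```python
import ipaddress

def reverse_zone(net24):
    """in-addr.arpa zone name of a /24, e.g. 1.2.3.0/24 -> 3.2.1.in-addr.arpa."""
    a, b, c, _ = str(net24.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"

def collect_dns_servers(rib_prefixes, resolve):
    """Steps 1-3 of the slide over every /24 of the RIB prefixes. `resolve(qname, qtype)`
    returns record data as strings; assumed: step 1 is an SOA query on the reverse zone
    (its MNAME names the authority server), step 2 an A query on that name."""
    servers = {}  # authority server name -> set of its IP addresses
    for p in rib_prefixes:
        net = ipaddress.ip_network(p, strict=False)
        # shorter prefixes are expanded into /24s, longer ones mapped onto their covering /24
        subnets = net.subnets(new_prefix=24) if net.prefixlen <= 24 else [net.supernet(new_prefix=24)]
        for s in subnets:
            soa = resolve(reverse_zone(s), "SOA")          # step 1: reverse lookup
            if not soa:
                continue                                   # no authority found (e.g. an IX prefix)
            name = soa[0].rstrip(".").lower()
            addrs = resolve(name, "A")                     # step 2: forward lookup
            if addrs:
                servers.setdefault(name, set()).update(addrs)
    return servers

# Constructed zone data standing in for the live DNS (documentation prefixes, no real servers).
ZONE = {
    ("0.2.1.in-addr.arpa", "SOA"): ["ns1.example.net."],
    ("1.2.1.in-addr.arpa", "SOA"): ["ns1.example.net."],   # same server for two /24s
    ("113.0.203.in-addr.arpa", "SOA"): ["ns.example.org."],
    ("100.51.198.in-addr.arpa", "SOA"): [],                 # reverse zone without an SOA answer
    ("ns1.example.net", "A"): ["192.0.2.53"],
    ("ns.example.org", "A"): ["192.0.2.10", "192.0.2.11"],
}

def fake_resolve(qname, qtype):
    return ZONE.get((qname, qtype), [])

def demo():
    return collect_dns_servers(["1.2.0.0/22", "203.0.113.0/24", "198.51.100.128/25"], fake_resolve)
```

The server shared by two /24s is counted once, which is why the collected server count is far below the /24 count.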
DNS Server Fingerprinting
• The host fingerprint of the DNS server is used as the network fingerprint
• DNS server fingerprinting combines
  • DNS protocol information (implementation, ...)
  • DNS domain name information (AA flag, ...)
  • DNS server configuration information (DNSSEC, ...)
[Figure: the three components combined into the DNS host fingerprint]
Firewall Policy as Alternative Fingerprint
• DNS host fingerprints are not sufficient for reachability monitoring of all ASes in the Internet
  • There are ASes in which no DNS server is found (such as an IX)
• Suitability of firewall policies as network fingerprints
  • The number of possible combinations is huge: protocol, port number, IP address, direction, permission
  • E.g.) ACCEPT TCP from anywhere to 224.0.0.251 TCP port 80; REJECT ICMP from anywhere to anywhere with ICMP unreachable
• Firewall policy fingerprinting is performed by active probing
[Figure: probing packets sent toward the target network]
Reachability-Based Hijacking Detection (RBHD)
• Identification of NLRI falsification
• Identification of AS path falsification
• DNS host fingerprinting
• Firewall policy fingerprinting
[Flowchart: for each BGP update, ask "NLRI falsification?" and "AS path falsification?"; if neither, the update is valid. Otherwise ask "An available DNS server in the target network?": if yes, collect DNS host fingerprints; if no, collect firewall policy fingerprints. In either branch, "Match the existing fingerprints?" yes means a valid update and no means an invalid update]
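The RBHD decision flow above, as an added Python example that is not the thesis's own code: the RIB history, the fingerprint store, the stub prober and the heuristics that flag an update as suspicious (a new origin AS for NLRI falsification, a never-seen AS adjacency for AS path falsification) are assumptions constructed here; 1.2.0.0/16 with origin AS 1 is the slides' victim, 10.9.0.0/16 is a made-up prefix.

```python
from dataclasses import dataclass, field

@dataclass
class State:
    origins: dict = field(default_factory=dict)   # prefix -> set of origin ASes seen so far
    links: set = field(default_factory=set)       # AS adjacencies seen in any AS path
    dns_fp: dict = field(default_factory=dict)    # prefix -> DNS host fingerprint
    fw_fp: dict = field(default_factory=dict)     # prefix -> firewall policy fingerprint

def suspicious(st, prefix, as_path):
    """Which falsification an update looks like, or None. Assumed heuristics: a new
    origin AS (MOAS) hints at NLRI falsification, an unseen AS adjacency at AS path falsification."""
    if prefix not in st.origins:
        return None
    if as_path[-1] not in st.origins[prefix]:
        return "NLRI falsification"
    if set(zip(as_path, as_path[1:])) - st.links:
        return "AS path falsification"
    return None

def rbhd(st, probe, prefix, as_path):
    """RBHD flowchart: a suspicious update is accepted only if the target network still
    presents its stored fingerprint (DNS host if it has a DNS server, else firewall policy)."""
    if suspicious(st, prefix, as_path) is None:
        return "valid"
    if prefix in st.dns_fp:  # an available DNS server in the target network?
        return "valid" if probe("dns", prefix) == st.dns_fp[prefix] else "invalid"
    return "valid" if probe("firewall", prefix) == st.fw_fp.get(prefix) else "invalid"

# Constructed state: 1.2.0.0/16 is the slides' victim prefix (origin AS 1); 10.9.0.0/16 is a
# made-up prefix with no DNS server, so it is fingerprinted by firewall policy instead.
ST = State(origins={"1.2.0.0/16": {1}, "10.9.0.0/16": {9}}, links={(2, 1), (3, 2), (5, 2), (8, 9)},
           dns_fp={"1.2.0.0/16": ("bind", "AA", "dnssec")},
           fw_fp={"10.9.0.0/16": frozenset({("tcp", 80, "accept"), ("icmp", None, "deny")})})

def make_probe(hijacked):
    """Stub prober: a hijacked prefix now answers with the attacker network's fingerprint."""
    def probe(kind, prefix):
        if prefix in hijacked:
            return ("attacker", kind)
        return ST.dns_fp[prefix] if kind == "dns" else ST.fw_fp[prefix]
    return probe

def demo():
    ok, bad = make_probe(set()), make_probe({"1.2.0.0/16", "10.9.0.0/16"})
    return (rbhd(ST, ok, "1.2.0.0/16", [3, 2, 1]),    # known path: valid
            rbhd(ST, bad, "1.2.0.0/16", [5, 4]),      # MOAS, fingerprint changed: invalid
            rbhd(ST, bad, "1.2.0.0/16", [5, 4, 1]),   # forged path, fingerprint changed: invalid
            rbhd(ST, ok, "1.2.0.0/16", [5, 4, 1]),    # new link but still reachable: valid
            rbhd(ST, bad, "10.9.0.0/16", [5, 4, 9]))  # firewall-policy branch: invalid
```

The fourth case is the legitimate new-link situation: the path looks suspicious, but the reachability test still finds the intended network, so the update is not reported.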
Evaluations and Results
DNS Server Collection Result
• Current state of DNS server operation
  • 304,106 IP prefixes (8,414,294 /24 prefixes) in the BGP-RIB
  • 77,530 DNS servers’ information collected using DNS forward/reverse queries to the /24 prefixes
[Figure: the number of IP prefixes owned by each AS]
Host Fingerprint Groups
• The total number of distinguishable fingerprints is 73,781 (out of 77,530 DNS servers in total)
[Figure: the number of distinguishable DNS server fingerprints]
Uniqueness of Fingerprints
• N: the total number of collected DNS servers
• G: the total number of mutually exclusive fingerprints
• For each group, n_i is defined as the number of DNS servers that belong to the i-th fingerprint group
• The collision probability P_C: [equation]
• In our result, N is 77,530 and G is 73,781
  • P_C in our experiment is 2.69 x 10^-6
  • We conclude that a sufficient level of distinction is achieved by our proposed host fingerprinting method
Firewall Policy Examples
[Figure: firewall policy examples]
Differences of Firewall Policies
[Figure: firewall policies of Network A, Network B, Network C and Network D]
IP Prefix Hijacking Testbed
[Figure: testbed with two randomly selected networks (IP addresses in this slide are anonymized); labelled steps: collect AS A’s fingerprints, false announcement, collect current fingerprints; IP address translation, e.g. 192.168.1.0 => 192.168.31.0]
Conclusions
1. Summary
2. Contributions
3. Future Work
Summary
• We proposed a new approach that practically detects IP prefix hijacking based on network reachability monitoring
• We used a fingerprinting scheme in order to determine the network reachability of a specific network
• We proposed DNS host and firewall policy fingerprinting methods for network reachability monitoring
• We validated the effectiveness of the proposed method in the IP hijacking testbed
Contributions
• The problems of existing IP prefix hijacking detection techniques are addressed
• The absence of detection techniques which deal with all IP prefix hijacking cases led to the development of new methodologies which are suitable for the current Internet
• Our approach provides a practical network fingerprinting method for the reachability test of all ASes
  • DNS host fingerprinting
  • Firewall policy fingerprinting
• Novel and real-time IP prefix hijacking detection methods are described and validated with real network data
Future Work
• Enhancement of our DNS server finding and fingerprinting method
• Optimization of firewall policy inference with a small number of probing packets
• Analyzing the performance and feasibility of our fingerprinting approach on the Internet
• Applying our hijacking detection system to a real research network
Q&A
Ph.D. Thesis Defense, Seongcheol Hong, December 16, 2011
Appendix
IP Prefix Hijacking Incidents
• AS 7007 incident (April 25, 1997)
  • Caused by a misconfigured router that flooded the Internet with incorrect advertisements
• YouTube hijacking (February 24, 2008)
  • Pakistan’s attempt to block YouTube access within the country took down YouTube entirely
• Chinese ISP hijacks the Internet (April 8, 2010)
  • China Telecom originated 37,000 prefixes not belonging to them
Solution Approach
• Research hypothesis: an independent system can perform real-time IP prefix hijacking detection using network reachability monitoring without any changes to the existing Internet infrastructure
Legitimate Case
[Figure: AS 5, connected to AS 1 by a static link, also advertises 1.2.0.0/16, so "Multiple origin AS?" is answered yes; the reachability test nevertheless reaches the intended network, so this update is valid]
Common Legitimate Cases
• Xin Hu and Z. Morley Mao, “Accurate Real-time Identification of IP Prefix Hijacking”
[Figure: common legitimate cases from the cited paper]
DNS Server Collection Process
[Figure: the DNS server collection process]
Distinguishable Groups of Each Fingerprint
[Figure: distinguishable groups for DNS protocol information, DNS domain name information and DNS server configuration]
DNS Server Fingerprint
[Figure: the DNS server fingerprinting process and the structure of a DNS server fingerprint]
DNS Server Fingerprint Examples
[Figure: example DNS server fingerprints]
The Use of Sweep Line for Firewall Policy Inference
• Example of the sweep line algorithm on a 2-dimensional space
[Figure: sweep line example]
Inferring the Firewall Policy (probes with TTL = router + 1)
Probe packets:
  Protocol  Destination IP    Destination Port  Option  TTL
  ICMP      192.168.10.0/24   -                 echo    router + 1
  TCP       192.168.10.0/24   1:1023            SYN     router + 1
  UDP       192.168.10.0/24   1:1023            -       router + 1
Permission inferred from the response:
  Protocol  Response packet                Permission
  ICMP      echo reply                     accept
  ICMP      -                              deny
  TCP       ICMP Time Exceeded             accept
  TCP       ICMP Destination Unreachable   deny
  UDP       -                              accept
  UDP       ICMP Destination Unreachable   deny
Inferring the Firewall Policy (probes with TTL = 255)
Probe packets:
  Protocol  Destination IP    Destination Port  Option  TTL
  ICMP      192.168.10.0/24   -                 echo    255
  TCP       192.168.10.0/24   1:1023            SYN     255
  UDP       192.168.10.0/24   1:1023            -       255
Permission inferred from the response:
  Protocol  Response packet                Permission
  ICMP      echo reply                     accept
  ICMP      -                              deny
  TCP       SYN/ACK                        accept
  TCP       RST                            accept
  TCP       ICMP Destination Unreachable   deny
  UDP       -                              accept
  UDP       ICMP Destination Unreachable   deny
Suspicious Update Frequency
• Suspicious update frequency during 2 weeks of monitoring from the BGP-RIB
  Anomalous update type  Total number  Average rate (/min)
  NLRI                   1234          0.12
  AS path                12632         1.02