Towards uncovering BGP hijacking attacks

Abstract : The Internet is composed of tens of thousands of Autonomous Systems (ASes) that exchange routing information using the Border Gateway Protocol (BGP). BGP carries no proof that an AS is entitled to announce a prefix, so every AS implicitly trusts every other AS to provide accurate routing information. Prefix hijacking is an attack against the inter-domain routing infrastructure that abuses this mutual trust in order to propagate fallacious routes. Current detection techniques pathologically raise a large number of alerts, mostly false positives resulting from benign routing practices. In this Dissertation, we seek the root cause of routing events beyond reasonable doubt. First, we reduce the global number of alerts by analyzing false positive alerts, from which we extract constructs that reflect real-world standard routing practices. We then consider the security threat associated with these constructs in a prefix hijacking scenario. Second, we use a variety of auxiliary datasets that reflect distinct facets of the networks involved in a suspicious routing event in order to closely approximate the ground truth, which is traditionally known only by the network owner. Specifically, we investigate Multiple Origin AS (MOAS) prefixes, i.e. prefixes announced with more than one origin AS, and introduce a classification that we use to discard up to 80% of false positives. We then show a real-world case where a MOAS coincided with spam and web scam traffic. We look at prefix overlaps, where a more specific prefix is announced with a different origin than the covering prefix (sub-MOAS), clarify their global use, and present a prototype that discards around 50% of false positive sub-MOAS alerts. Finally, we explore the IP blackspace (address space that is routed but not allocated), study the routing-level characteristics of those networks, find live IP addresses, and uncover a large amount of spam and scam activity.
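The two alert types the abstract names, MOAS and sub-MOAS, can be derived from a plain routing table, which is where the flood of raw alerts comes from. The following is an added example for this record, not code from the dissertation: it takes a constructed set of (prefix, AS path) announcements, flags prefixes with more than one origin AS (MOAS) and more-specific prefixes whose origin differs from that of a covering prefix (sub-MOAS). The "covering origin appears on the more-specific's AS path" heuristic used to mark a sub-MOAS as likely benign is an assumption made for illustration (a provider relaying a customer's more specific), not the dissertation's own classifier; the prefixes and ASNs are fictitious documentation/private values.

```python
"""MOAS and sub-MOAS detection over a constructed BGP snapshot (added example).

The input format (prefix, AS path as seen by one collector peer) and the
"covering origin on path" heuristic are assumptions for illustration only.
"""
import ipaddress
from collections import defaultdict

# Constructed sample RIB snapshot; the last ASN in each path is the origin AS.
SAMPLE_ROUTES = [
    ("192.0.2.0/24",     [64500, 64510, 65001]),
    ("192.0.2.0/24",     [64500, 64520, 65002]),         # same prefix, different origin: MOAS
    ("198.51.100.0/22",  [64500, 64510, 65010]),
    ("198.51.100.0/24",  [64500, 64510, 65010, 65011]),  # more specific relayed by 65010: likely delegated
    ("203.0.113.0/24",   [64500, 64530, 65020]),
    ("203.0.113.128/25", [64500, 64540, 65099]),         # more specific, covering origin not on path: suspicious
]


def parse_routes(routes):
    """Turn (prefix_str, path) pairs into (ip_network, path) pairs."""
    return [(ipaddress.ip_network(prefix), list(path)) for prefix, path in routes]


def find_moas(routes):
    """Return {prefix: sorted origin ASNs} for prefixes announced by more than one origin."""
    origins = defaultdict(set)
    for net, path in parse_routes(routes):
        origins[str(net)].add(path[-1])
    return {prefix: sorted(asns) for prefix, asns in origins.items() if len(asns) > 1}


def find_submoas(routes):
    """Return one alert per (more specific, covering prefix) pair whose origins differ.

    verdict is "likely-benign" when the covering prefix's origin sits on the AS path
    of the more specific (assumed heuristic: the aggregate holder relays the
    announcement), otherwise "suspicious".
    """
    parsed = parse_routes(routes)
    seen = set()
    alerts = []
    for sub_net, sub_path in parsed:
        for cov_net, cov_path in parsed:
            if cov_net.version != sub_net.version or cov_net == sub_net:
                continue
            if not sub_net.subnet_of(cov_net):
                continue
            cov_origin, sub_origin = cov_path[-1], sub_path[-1]
            if cov_origin == sub_origin:
                continue
            key = (str(sub_net), str(cov_net), sub_origin, cov_origin)
            if key in seen:
                continue
            seen.add(key)
            # Assumed heuristic: covering origin present on the more specific's path
            # (excluding the origin itself) suggests legitimate delegation.
            relayed = cov_origin in sub_path[:-1]
            alerts.append({
                "prefix": str(sub_net),
                "covering": str(cov_net),
                "origin": sub_origin,
                "covering_origin": cov_origin,
                "verdict": "likely-benign" if relayed else "suspicious",
            })
    return alerts


if __name__ == "__main__":
    for prefix, asns in find_moas(SAMPLE_ROUTES).items():
        print(f"MOAS     {prefix}: origins {asns}")
    for a in find_submoas(SAMPLE_ROUTES):
        print(f"sub-MOAS {a['prefix']} (origin {a['origin']}) under {a['covering']} "
              f"(origin {a['covering_origin']}): {a['verdict']}")
```

On a real collector feed the same logic would be run over every peer's view, and the verdict is only a first filter: the dissertation's point is that the remaining alerts still need auxiliary data (registry, DNS, traffic observations) before a hijack can be called.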

Cited literature : 89 references

https://pastel.archives-ouvertes.fr/tel-01412800
Contributor : Abes Star
Submitted on : Thursday, December 8, 2016 - 6:17:06 PM
Last modification on : Friday, June 7, 2019 - 11:08:29 AM
Long-term archiving on : Thursday, March 23, 2017 - 8:51:54 AM

File

TheseJacquemart.pdf
Version validated by the jury (STAR)

Identifiers

  • HAL Id : tel-01412800, version 1

Citation

Quentin Jacquemart. Towards uncovering BGP hijacking attacks. Networking and Internet Architecture [cs.NI]. Télécom ParisTech, 2015. English. ⟨NNT : 2015ENST0063⟩. ⟨tel-01412800⟩

Metrics

Record views : 829
Files downloads : 1736