IP hijacking - PowerPoint PPT Presentation

About This Presentation

Title:

IP hijacking

Description:

IP hijacking Sagar Vemuri (s, courtesy Z. Morley Mao and Mohit Lad) Agenda What is IP Hijacking? Types of IP Hijacking Detection and Notification of IP Hijacking ... – PowerPoint PPT presentation

Number of Views:135

Avg rating:3.0/5.0

Slides: 51

Provided by: SagarV7

Learn more at: https://users.cs.northwestern.edu

Category:

more less

Transcript and Presenter's Notes

Title: IP hijacking

1
IP hijacking

Sagar Vemuri
(slides, courtesy Z. Morley Mao and Mohit Lad)

2
Agenda

What is IP Hijacking?
Types of IP Hijacking
Detection and Notification of IP Hijacking
Accurate real-time identification of IP hijacking
PHAS A Prefix Hijack Alert System

3
Dynamic adaptation
Internet
Data plane forward traffic
IP traffic
www.cnn.com IP64.236.16.52 Prefix64.236.16.0/20
Bear.eecs.umich.edu IP141.212.110.196 Prefix141.
212.0.0/16
4
What is IP Hijacking

Stealing IP addresses belonging to other networks
Also known as BGP Hijacking, Fraudulent origin
attack
Achieved by announcing unauthorized prefixes on
purpose or by accident

5
IP Hijacking Example
6
Motivation for IP hijacking

Conduct malicious activities
Spamming, illegal file sharing, advertising
Disrupt communication of legitimate hosts
DoS attacks
Inherent advantage
Hide attackers identities
Difficult for trace back

7
Hijacked IP Space for selling
8
MOAS

Multiple Origin AS
Conflicts arise if different origin ASes announce
the same prefix
A prefix is usually originated by a single AS
But several legitimate conflicts also exist
multi-homing without BGP
using private AS numbers

9
subMOAS

Subnet of an existing prefix is announced by a
different origin AS
Example AS1 announces 164.83.0.0./16 and AS2
announces 164.83.240.0/24
Globally propagated and used
BGP uses longest prefix based forwarding of routes

10
Classification of hijacking

Hijack only the prefix
Hijack both the prefix and the AS number
Hijack a subnet of an existing prefix
Hijack a prefix subnet and the AS number

11
Hijacking only the prefix

Attacker announces the prefix belonging to other
ASes using his own AS number.
Leading to MOAS (Multiple Origin AS) conflicts

12
Hijack both the prefix and AS

Announce a path through itself to other ASes and
their prefix
AS M announces a Path AS M, AS 1 to reach
prefix 141.212.110.0/24

13
Hijack a subnet of an existing prefix

In previous attack models, the hijacker has to
compete with victim to attract traffic.
Announcing only a subnet of others prefix avoids
the competition altogether due to the Longest
Prefix Matching rule of BGP
No apparent MOAS Conflicts in routing table!

subMOAS!
14
Hijack a subnet of a prefix and AS number

Announce a path to a subnet of one of victim ASs
Prefix
No subMOAS conflicts! Most stealthy with almost
no abnormal symptom in routing table
Ability to receive all traffic because of longest
prefix matching

Globally propagated and used

15
Hijacking along a legitimate path

Path to the destination goes through the
attackers AS
Violates the rule of forwarding traffic
Instead of forwarding the traffic, the attacker
intercepts the traffic
Originates new traffic as if coming the
legitimate source

16
Prevention Techniques 1

Route Filtering
Analogous to ingress/egress filtering for traffic
Filter route announcements to preclude prefixes
not owned by customers
Proper configuration of route filters at links
b/w providers and customers

17
Prevention Techniques 2

Difficulties with Route Filtering
Lack of knowledge of address blocks owned by
customers
Difficult to enforce across all networks
Filtering impossible along peering edges
SHOULD be enforced properly by all the providers

18
Prevention Techniques 3

Digitally sign routing updates
High overhead in terms of memory, CPU and
additional management
Store a list of originating ASes
Such a list is unauthenticated and optional
Prefer a set of known stable routes over
transient routes
Does not scale well to arbitrary routes

19
Data plane and control plane

Control plane controls the state of network
elements
Route selection
Disseminate connectivity information
Optimal path selection
Data plane determines data packet behavior
Packet forwarding
Packet differentiation (e.g., ACLs)
Buffering, link scheduling

20
Consistency between them

Consistency
(Routing) state advertised by the control plane
is enforced by the data plane
Inconsistency due to
Routing anomalies
Misconfigurations
Protocol anomalies
Malicious behavior
Main insight use expected consistency to
identify routing problems.

21
Accurate real-time identification of IP hijacking

Xin Hu
Z. Morley Mao

22
Approach

Goal
Detect and thwart potential IP hijacking attempts
Light-weight and real-time detection
Approach
Real-time monitoring and active/passive
fingerprinting triggered by suspicious routing
updates
Identify conflicting data-plane fingerprints
indicating successful IP hijacking

23
Methodology

Monitor all route updates in real time
Given suspicious updates, use data-plane
fingerprinting to reduce false positive/negative
rate
Our key insight A real hijacking will result in
conflicting fingerprints describing the edge
networks

24
Fingerprinting

Technique for remotely determining the
characteristics or identity of devices
A given IP address in the hijacked prefix is used
by different end hosts
Faking a fingerprint is extremely difficult and
challenging

25
Fingerprinting 2

Host-based
Operating System
Actual physical device
Host software
Host services
Network-based
Firewall properties
Bandwidth information

26
Fingerprinting 3

The system employs four main type of
fingerprints
OS detection
IP ID probing
TCP round trip time
ICMP timestamp

27
Probe place selection

From a single place, the probing packets can only
reach either attackers or victims AS, not both.
To probe both, we need multiple probing points.
Use Planetlab, which consists of more than 600
machines all over the world.
Select probing places that are near the targets,
in terms of AS path.

28
Detection of hijacking a prefix

Candidates are prefixes that have MOAS conflicts.
Build path tree for the prefix
Select Planetlab nodes near different origin ASes
and probing live hosts in the prefix

29
Detection of hijacking a prefix and AS number

Candidates are BGP Updates that violates
Geographical constraint
Edge popularity Constraint
The invalid path announced by attacker will be
very likely to violate these constraint
Geographical location of prefixes and ASes can be
obtained from a number of commercial and public
database such as IP2Location, Netgeo
Netgeo Record for prefix 141.212.0.0/16

141.212.0.0/16237 COUNTRY US NAME UMNET2
CITY ANN ARBOR STATE MICHIGAN LAT 42.29
LONG -83.72
30
Detection of hijacking a subnet of prefix --
Reflect scan
If not hijacking, the reflected SYN/ACK packet
will be sent to H2 IP ID value of H2 will
increase
During hijacking, the reflected SYN/ACK packet
will not reach H2 IP ID value of H2 will not
increase.
31
Detection of hijacking a prefix subnet and AS
number

Candidate is every new prefix that is a subnet of
some prefix in its origin AS.
To detect, combine
Geographical constraint
Reflect scan

32
System architecture
33
Classifier

For each BGP update, classifier decides whether
it is a valid update and classify those invalid
updates into separate types
Then feed the classification results to probing
module for selecting proper probing methods

34
Different signatures, example

63.130.249.0/2463.130.249.11273
35611273planetlab-1.eecs.cwru.edu
3561node1.lbnl.nodes.planet-lab.org

planetlab-1.eecs.cwru.edu Interesting ports
on 63.130.249.1 (The 1664 ports scanned but not
shown below are in state closed) PORT STATE
SERVICE 23/tcp open telnet 1214/tcp
filtered fasttrack 6346/tcp filtered
gnutella 6699/tcp filtered napster No exact OS
matches for host
node1.lbnl.nodes.planet-lab.org Interesting
ports on 63.130.249.1 (The 1663 ports scanned
but not shown below are in state closed) PORT
STATE SERVICE 7/tcp open echo 9/tcp open
discard 13/tcp open daytime 19/tcp open
chargen 23/tcp open telnet No exact OS matches
for host
35
K-root server results
Local Machine root_at_wing statistic nmap -O
193.0.14.129 Warning OS detection will be MUCH
less reliable because we did not find at least 1
open and 1 closed TCP port Interesting ports on
k.root-servers.net (193.0.14.129) (The 1667
ports scanned but not shown below are in state
filtered) PORT STATE SERVICE 53/tcp open
domain Device type general purpose Running
Linux 2.4.X2.5.X OS details Linux 2.4.0 -
2.5.20 Uptime 26.048 days (since Thu Mar 23
061724 2006) Nmap finished 1 IP address (1
host up) scanned in 43.319 seconds

Planetlab in China
bash-2.05b nmap -O 193.0.14.129
Interesting ports on k.root-servers.net
(193.0.14.129)
(The 1664 ports scanned but not shown below are
in state closed)
PORT STATE SERVICE
53/tcp open domain
179/tcp open bgp
2601/tcp open zebra
2605/tcp open bgpd
Device type general purpose
Running FreeBSD 5.X6.X
OS details FreeBSD 5.2-CURRENT - 5.3 (x86) with
pf scrub all, FreeBSD 5.2.1-RELEASE or
6.0-CURRENT
Uptime 119.383 days (since Mon Dec 19 221354
2005)
Nmap finished 1 IP address (1 host up) scanned
in 15.899 seconds

36
Limitations

No proper way to inform the owner of the
legitimate prefix/AS
Accuracy of fingerprinting techniques
Choosing a probing location might be difficult

37
PHAS A Prefix Hijack Alert System

Dan Massey and Yan Chen
Colorado State University
Mohit Lad, Lixia Zhang
UCLA
Beichuan Zhang
University of Arizona

38
Necessities for a viable Detection system

Ability to see the bad information
Use BGP Data Collectors (like RouteViews)
Ability to distinguish between good and bad
information
Prefix owner knows legitimate origin,
suballocations, and last hop.
Incentive to fix the problem if one is found
Prefix owner is affected directly

39
Objectives of PHAS

Goal Report origin changes
If a new origin appears, report immediately
Potential Attack
If an origin has not been in use for some time,
report origin removal.
Attack stopped.
Prevent replay attacks.
Why not report origin removals immediately?
Origins very dynamic.
Most of the dynamics are legitimate.

40
RouteViews based PHAS

Step 1 Monitor RouteViews BGP tables and updates
in (near) Real-Time
Step 2 Keep a database of Origins used to reach
each Prefix
Step 3 Report any change in Origins used to
reach the Prefix
Step 4 Owner applies local filter rules to
determine significance

41
Components of PHAS
42
Email Registration

The owner should first register with the PHAS to
get notifications
Attacker registers as owner
PHAS alarms are based on public information
Attacker tries to unsubscribe or modify owner
registration
Slice secret and send one part to each mailbox.
Require all parts assembled to confirm change.

43
Origin Monitor
P 65.173.134.0/24 PathD A Q
P65.173.134.0/24 PathD X
Data Collector
D
P 65.173.134.0/24 PathB A Q
Origin set Set of origins seen by all the
monitors
B
Origin Set
Prefix Origin set
65.173.134.0/24 Q
ALARM Origin set for 65.173.134.0/24 changed
Q,X
Instantaneous origin set has lots of dynamics
44
Message Delivery
PHAS detects origin change for prefix
65.173.134.0/24
65.173.134.0/24
D
A
X
65.173.134.0/24
Q
Hijacker
C
True origin
B
Alarm can be delivered to hijacker instead of
true origin.
Z
Y
RV
PHAS
Problem One or more nodes on path from PHAS to
origin could believe the hijacker.
45
Multipath Delivery
Origin specifies multiple webmail servers
A,B,C as intermediate storage points
A
PHAS
Origin
B
C
?
Hijacker
It is difficult for hijacker to compromise all
paths, i.e. cut this graph.
46
Message Delivery
WebMail B
131.179.0.0/16
D
A
X
131.179.0.0/16
Q
Hijacker
C
C is affected by hijack, but since WebMail A and
B are not hijacked, C delivers to WebMail.
UCLA
B
Z
Y
RV
WebMail A
PHAS
If no mailbox can be reached, then ALARM raised
47
Local Notification Filter