TY - JOUR
T1 - HEAP
T2 - Reliable Assessment of BGP Hijacking Attacks
AU - Schlamp, Johann
AU - Holz, Ralph
AU - Jacquemart, Quentin
AU - Carle, Georg
AU - Biersack, Ernst W.
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2016/6
Y1 - 2016/6
N2 - The detection of BGP prefix hijacking attacks has been the focus of research for more than a decade. However, the state-of-the-art techniques fall short of detecting more elaborate types of attack. To study such attacks, we devise a novel formalization of Internet routing, and apply this model to routing anomalies in order to establish a comprehensive attacker model. We use this model to precisely classify attacks and to evaluate their impact and detectability. We analyze the eligibility of attack tactics that suit an attacker's goals and demonstrate that related work mostly focuses on less impactful kinds of attacks. We further propose, implement, and test the Hijacking Event Analysis Program (HEAP), a new approach to investigate hijacking alarms. Our approach is designed to seamlessly integrate with the previous work in order to reduce the high rates of false alarms inherent to these techniques. We leverage several unique data sources that can reliably disprove malicious intent. First, we make use of an Internet routing registry to derive business or organizational relationships between the parties involved in an event. Second, we use a topology-based reasoning algorithm to rule out events caused by legitimate operational practice. Finally, we use Internet-wide network scans to identify SSL/TLS-enabled hosts, which helps to identify non-malicious events by comparing public keys prior to and during an event. In our evaluation, we prove the effectiveness of our approach, and show that day-to-day routing anomalies are harmless for the most part. More importantly, we use HEAP to assess the validity of publicly reported alarms. We invite researchers to interface with HEAP in order to crosscheck and narrow down their hijacking alerts.
AB - The detection of BGP prefix hijacking attacks has been the focus of research for more than a decade. However, the state-of-the-art techniques fall short of detecting more elaborate types of attack. To study such attacks, we devise a novel formalization of Internet routing, and apply this model to routing anomalies in order to establish a comprehensive attacker model. We use this model to precisely classify attacks and to evaluate their impact and detectability. We analyze the eligibility of attack tactics that suit an attacker's goals and demonstrate that related work mostly focuses on less impactful kinds of attacks. We further propose, implement, and test the Hijacking Event Analysis Program (HEAP), a new approach to investigate hijacking alarms. Our approach is designed to seamlessly integrate with the previous work in order to reduce the high rates of false alarms inherent to these techniques. We leverage several unique data sources that can reliably disprove malicious intent. First, we make use of an Internet routing registry to derive business or organizational relationships between the parties involved in an event. Second, we use a topology-based reasoning algorithm to rule out events caused by legitimate operational practice. Finally, we use Internet-wide network scans to identify SSL/TLS-enabled hosts, which helps to identify non-malicious events by comparing public keys prior to and during an event. In our evaluation, we prove the effectiveness of our approach, and show that day-to-day routing anomalies are harmless for the most part. More importantly, we use HEAP to assess the validity of publicly reported alarms. We invite researchers to interface with HEAP in order to crosscheck and narrow down their hijacking alerts.
KW - BGP hijacking
KW - IRR analysis
KW - Routing model
KW - SSL/TLS measurements
UR - http://www.scopus.com/inward/record.url?scp=84976476602&partnerID=8YFLogxK
U2 - 10.1109/JSAC.2016.2558978
DO - 10.1109/JSAC.2016.2558978
M3 - Article
AN - SCOPUS:84976476602
SN - 0733-8716
VL - 34
SP - 1849
EP - 1861
JO - IEEE Journal on Selected Areas in Communications
JF - IEEE Journal on Selected Areas in Communications
IS - 6
M1 - 7460217
ER -