TY - GEN
T1 - Investigating the nature of routing anomalies
T2 - 7th International Workshop on Traffic Monitoring and Analysis, TMA 2015
AU - Schlamp, Johann
AU - Holz, Ralph
AU - Gasser, Oliver
AU - Korsten, Andreas
AU - Jacquemart, Quentin
AU - Carle, Georg
AU - Biersack, Ernst W.
N1 - Publisher Copyright:
© IFIP International Federation for Information Processing 2015.
PY - 2015
Y1 - 2015
N2 - The detection of BGP hijacking attacks has been at the focus of research for more than a decade. However, state-of-the-art techniques fall short of detecting subprefix hijacking, where smaller parts of a victim’s networks are targeted by an attacker. The analysis of corresponding routing anomalies, so-called subMOAS events, is tedious since these anomalies are numerous and mostly have legitimate reasons. In this paper, we propose, implement and test a new approach to investigate subMOAS events. Our method combines input from several data sources that can reliably disprove malicious intent. First, we make use of the database of an Internet Routing Registry (IRR) to derive business relations between the parties involved in a subMOAS event. Second, we use a topology-based reasoning algorithm to rule out subMOAS events caused by legitimate network setups. Finally, we use Internet-wide network scans to identify SSL-enabled hosts in a large number of subnets. Where we observe that public/private key pairs do not change during an event, we can eliminate the possibility of an attack. We can show that subprefix announcements with multiple origins are harmless for the largest part. This significantly reduces the search space in which we need to look for hijacking attacks.
AB - The detection of BGP hijacking attacks has been at the focus of research for more than a decade. However, state-of-the-art techniques fall short of detecting subprefix hijacking, where smaller parts of a victim’s networks are targeted by an attacker. The analysis of corresponding routing anomalies, so-called subMOAS events, is tedious since these anomalies are numerous and mostly have legitimate reasons. In this paper, we propose, implement and test a new approach to investigate subMOAS events. Our method combines input from several data sources that can reliably disprove malicious intent. First, we make use of the database of an Internet Routing Registry (IRR) to derive business relations between the parties involved in a subMOAS event. Second, we use a topology-based reasoning algorithm to rule out subMOAS events caused by legitimate network setups. Finally, we use Internet-wide network scans to identify SSL-enabled hosts in a large number of subnets. Where we observe that public/private key pairs do not change during an event, we can eliminate the possibility of an attack. We can show that subprefix announcements with multiple origins are harmless for the largest part. This significantly reduces the search space in which we need to look for hijacking attacks.
UR - http://www.scopus.com/inward/record.url?scp=84929645774&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-17172-2_12
DO - 10.1007/978-3-319-17172-2_12
M3 - Conference contribution
AN - SCOPUS:84929645774
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 173
EP - 187
BT - Traffic Monitoring and Analysis - 7th International Workshop, TMA 2015, Proceedings
A2 - Barlet-Ros, Pere
A2 - Bonaventure, Olivier
A2 - Steiner, Moritz
PB - Springer Verlag
Y2 - 21 April 2015 through 24 April 2015
ER -