DOI: 10.1145/1364654.1364658

Practical defenses against BGP prefix hijacking

Published: 10 December 2007

Abstract

Prefix hijacking, a misbehavior in which a misconfigured or malicious BGP router originates an IP prefix that the router does not own, is becoming an increasingly serious security problem on the Internet. In this paper, we conduct a first comprehensive study on incrementally deployable mitigation solutions against prefix hijacking. We first propose a novel reactive detection-assisted solution based on the idea of bogus route purging and valid route promotion. Our simulations based on realistic settings show that purging bogus routes at the 20 highest-degree ASes reduces the polluted portion of the Internet by a random prefix hijack from 50% down to 24%, and adding promotion further reduces the remaining pollution by 33% ~ 57%. We prove that our proposed route purging and promotion scheme preserves the convergence properties of BGP regardless of the number of promoters. We are the first to demonstrate that detection systems based on a limited number of BGP feeds are subject to detection evasion by hijackers. Motivated by the need for proactive defenses to complement reactive mitigation response, we evaluate customer route filtering, a best common practice among large ISPs today, and show its limited effectiveness. We also show the added benefits of combining route purging-promotion with customer route filtering.


Published In

CoNEXT '07: Proceedings of the 2007 ACM CoNEXT conference
December 2007
448 pages
ISBN: 9781595937704
DOI: 10.1145/1364654
Publisher

Association for Computing Machinery

New York, NY, United States


Qualifiers

  • Research-article

Acceptance Rates

Overall Acceptance Rate 198 of 789 submissions, 25%

Article Metrics

  • Downloads (Last 12 months): 31
  • Downloads (Last 6 weeks): 2

Reflects downloads up to 20 Feb 2025

Cited By

  • (2024) The Resource Public Key Infrastructure (RPKI): A Survey on Measurements and Future Prospects. IEEE Transactions on Network and Service Management 21:2 (2353-2373). DOI: 10.1109/TNSM.2023.3327455. Online publication date: Apr-2024
  • (2024) A Multidimensional Node Selection Method Towards MOAS Outsourcing Mitigation. 2024 IEEE 16th International Conference on Advanced Infocomm Technology (ICAIT) (43-48). DOI: 10.1109/ICAIT62580.2024.10807904. Online publication date: 16-Aug-2024
  • (2023) A Practical Heartbeat-based Defense Scheme Against Cloning Attacks in PoA Blockchain. Computer Standards & Interfaces 83:C. DOI: 10.1016/j.csi.2022.103656. Online publication date: 1-Jan-2023
  • (2022) Understanding the impact of outsourcing mitigation against BGP prefix hijacking. Computer Networks: The International Journal of Computer and Telecommunications Networking 202:C. DOI: 10.1016/j.comnet.2021.108650. Online publication date: 15-Jan-2022
  • (2021) Exploring Partitioning Attacks on the Bitcoin Network. IEEE/ACM Transactions on Networking 30:1 (202-214). DOI: 10.1109/TNET.2021.3105604. Online publication date: 24-Aug-2021
  • (2020) An Ontological Graph Identification Method for Improving Localization of IP Prefix Hijacking in Network Systems. IEEE Transactions on Information Forensics and Security 15 (1164-1174). DOI: 10.1109/TIFS.2019.2936975. Online publication date: 2020
  • (2020) Next Generation Information Warfare: Rationales, Scenarios, Threats, and Open Issues. Information Systems Security and Privacy (24-47). DOI: 10.1007/978-3-030-49443-8_2. Online publication date: 28-Jun-2020
  • (2019) Partitioning Attacks on Bitcoin: Colliding Space, Time, and Logic. 2019 IEEE 39th International Conference on Distributed Computing Systems (ICDCS) (1175-1187). DOI: 10.1109/ICDCS.2019.00119. Online publication date: Jul-2019
  • (2018) ARTEMIS. IEEE/ACM Transactions on Networking 26:6 (2471-2486). DOI: 10.1109/TNET.2018.2869798. Online publication date: 1-Dec-2018
  • (2017) The Waterfall of Liberty. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (2037-2052). DOI: 10.1145/3133956.3134075. Online publication date: 30-Oct-2017
