Investigating the Nature of Routing Anomalies: Closing in on Subprefix Hijacking Attacks



Schlamp, Johann; Holz, Ralph; Gasser, Oliver; Korsten, Andreas; Jacquemart, Quentin; Carle, Georg; Biersack, Ernst


2015-04-23


Conference Material


7th International Workshop on Traffic Monitoring and Analysis


Barcelona, Spain




The detection of BGP hijacking attacks has been a focus of research for more than a decade. However, state-of-the-art techniques fall short of detecting subprefix hijacking, where smaller parts of a victim's networks are targeted by an attacker. The analysis of the corresponding routing anomalies, so-called subMOAS events, is tedious, since these anomalies are numerous and mostly have legitimate causes. In this paper, we propose, implement and test a new approach to investigating subMOAS events. Our method combines input from several data sources that can reliably disprove malicious intent. First, we make use of the database of an Internet Routing Registry (IRR) to derive business relations between the parties involved in a subMOAS event. Second, we use Internet-wide network scans to identify SSL-enabled hosts in a large number of subnets. Where we observe that public/private key pairs do not change during an event, we can eliminate the possibility of an attack. Finally, we use a topology-based reasoning algorithm to further rule out subMOAS events resulting from legitimate network setups. We show that subprefix announcements with multiple origins are harmless for the most part, leaving only a few cases as suspects for hijacking attacks.
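The following is an added illustrative example, not code from the paper or its authors. It sketches the first two pruning steps described in the abstract on constructed data: it finds subMOAS events (a more-specific prefix whose origin AS differs from that of its most specific covering prefix), then discards events where IRR data links the two parties through a common maintainer, and events where TLS public-key fingerprints observed inside the subprefix are unchanged before and during the event. The maintainer fields, fingerprint values, prefixes and AS numbers are all constructed; the topology-based reasoning step is not implemented here.

```python
"""Added example (not the paper's code): detect subMOAS events in a constructed
RIB snapshot and apply two of the pruning steps from the abstract, namely an
IRR-derived business relation and unchanged TLS public-key fingerprints.
All prefixes, AS numbers, maintainers and fingerprints are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_as: int


# Constructed RIB snapshot: covering prefixes and their more-specifics.
RIB = [
    Announcement("203.0.113.0/24", 64500),
    Announcement("203.0.113.0/25", 64501),     # different origin -> subMOAS
    Announcement("198.51.100.0/22", 64510),
    Announcement("198.51.100.0/24", 64510),    # same origin as /22 -> not subMOAS
    Announcement("198.51.100.128/25", 64511),  # different origin -> subMOAS
    Announcement("192.0.2.0/24", 64520),
    Announcement("192.0.2.64/26", 64521),      # different origin -> subMOAS
]

# Constructed IRR data: maintainer of each route object and of each aut-num object.
IRR_ROUTE_MNT = {
    "203.0.113.0/24": "MNT-ALPHA", "203.0.113.0/25": "MNT-ALPHA",
    "198.51.100.0/22": "MNT-BETA", "198.51.100.0/24": "MNT-BETA",
    "192.0.2.0/24": "MNT-DELTA",
}
IRR_AUTNUM_MNT = {64500: "MNT-ALPHA", 64501: "MNT-ALPHA", 64510: "MNT-BETA",
                  64511: "MNT-GAMMA", 64520: "MNT-DELTA", 64521: "MNT-EPSILON"}

# Constructed scan results: host -> fingerprint of the presented TLS public key,
# from a scan before the event and one taken while the subprefix was announced.
SCAN_BEFORE = {"203.0.113.10": "fp-aaa", "198.51.100.130": "fp-bbb", "192.0.2.70": "fp-ddd"}
SCAN_DURING = {"203.0.113.10": "fp-aaa", "198.51.100.130": "fp-ccc", "192.0.2.70": "fp-ddd"}


def find_submoas(rib):
    """Return (subprefix, covering) pairs whose origin ASes differ. The covering
    prefix is the most specific one that contains the subprefix."""
    nets = {a: ipaddress.ip_network(a.prefix) for a in rib}
    events = []
    for sub in rib:
        covers = [c for c in rib
                  if nets[c].prefixlen < nets[sub].prefixlen and nets[sub].subnet_of(nets[c])]
        if not covers:
            continue
        cov = max(covers, key=lambda c: nets[c].prefixlen)
        if cov.origin_as != sub.origin_as:
            events.append((sub, cov))
    return events


def irr_relation(sub, cov):
    """True when the IRR shows a business relation: the subprefix's route object
    or its origin AS is maintained by the covering prefix's maintainer."""
    cov_mnt = IRR_ROUTE_MNT.get(cov.prefix)
    if cov_mnt is None:
        return False
    return (IRR_ROUTE_MNT.get(sub.prefix) == cov_mnt
            or IRR_AUTNUM_MNT.get(sub.origin_as) == cov_mnt)


def keys_unchanged(sub, before, during):
    """True when every scanned TLS host inside the subprefix presented the same
    public-key fingerprint before and during the event. With no comparable
    hosts nothing can be ruled out, so the answer is False."""
    net = ipaddress.ip_network(sub.prefix)
    hosts = [h for h in before if ipaddress.ip_address(h) in net and h in during]
    return bool(hosts) and all(before[h] == during[h] for h in hosts)


def classify(rib=RIB, before=SCAN_BEFORE, during=SCAN_DURING):
    """Map each subMOAS subprefix to a verdict after the two pruning steps."""
    verdicts = {}
    for sub, cov in find_submoas(rib):
        if irr_relation(sub, cov):
            verdicts[sub.prefix] = "legitimate (IRR relation)"
        elif keys_unchanged(sub, before, during):
            verdicts[sub.prefix] = "legitimate (keys unchanged)"
        else:
            verdicts[sub.prefix] = "suspicious"
    return verdicts


if __name__ == "__main__":
    for prefix, verdict in classify().items():
        print(f"{prefix}: {verdict}")
```

Of the three constructed subMOAS events, one is cleared by a shared IRR maintainer, one by unchanged key fingerprints, and the remaining one (where the host inside the subprefix presents a different key during the event and no IRR link exists) stays on the suspect list for further analysis. A scan that finds no TLS hosts in the subprefix yields no evidence either way, which is why keys_unchanged returns False rather than clearing the event.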


http://tma-2015.cba.upc.edu/


nicta:8524


Schlamp, Johann; Holz, Ralph; Gasser, Oliver; Korsten, Andreas; Jacquemart, Quentin; Carle, Georg; Biersack, Ernst. Investigating the Nature of Routing Anomalies: Closing in on Subprefix Hijacking Attacks. [Conference Material]. 2015-04-23. http://hdl.handle.net/102.100.100/92831?index=1


