Network Reachability-based IP Prefix Hijacking Detection

Abstract

The Internet is a decentralized network comprised of many interconnected networks and designed to provide communication on the basis of trust between networks. Each network communicates reachability information using Border Gateway Protocol (BGP). The Internet was designed to provide communication on the basis of trust between networks, but has proved to be a misguided assumption, due to the various types of attacks that have taken advantage of this trust. Autonomous Systems (ASes) that exchange BGP information directly with each other are assumed to be trusted, so BGP does not implement security checks to protect against receiving bad or invalid routing information from other routers, such as checking the authenticity of origin information and path attributes. As such, the Internet routing infrastructure is vulnerable to attack.IP prefix hijacking is the major threat to the security of the Internet routing system due to the lack of authoritative prefix ownership information. It is a BGP security attack, in which a BGP router, either with malicious purposes or simple due to misconfiguration, announces an IP prefix that the router does not own. This false announcement creates reachability problems and communication failures throughout the Internet. This problem has some common characteristics such as MOAS conflicts and invalid routes in BGP messages. Despite many efforts in designing IP prefix hijack detection schemes no existing design satisfies all the critical requirements of a truly effective system, that is, it must be real-time, deployable, as well as robust.In this thesis, we present a novel approach that detects IP prefix hijacking in the current Internet environment. The focus of this work is keeping the BGP routing infrastructure and not relying on mutual cooperation, to ensure ease of deployment. Also we look at fingerprinting two ASes that have the same IP prefix to distinguish IP prefix hijacking events from legitimate routing updates. This paper proposes a practical and deployable IP prefix hijacking detection algorithm with live hosts on the Internet.