Improving IP Prefix Hijacking Detection by Tracing Hijack Fingerprints and Verifying Them through RIR Databases

Hussain Alshamrani, Bogdan Ghita

Abstract

In spite of significant on-going research, the Border Gateway Protocol (BGP) still encompasses conceptual vulnerability issues regarding impersonating the ownership of IP prefixes for ASes (Autonomous Systems). In this context, a number of research studies focused on securing BGP through historical-based and statistical-based behavioural models. This paper improves the earlier IP prefix hijack detection method presented in (Alshamrani et al. 2015) by identifying false positives showing up due to the organisations that may use multiple ASNs (Autonomous System Numbers) to advertise their routes. To solve this issue, we link a Verification Database to the previously proposed detection method to improve the accuracy. The method extracts the organisation names (unique code) and associated ASNs from different ASN delegators and RIRs (Regional Internet Registries), more specifically the RIPE (Reseaux IP Europeans) dump database (John Stamatakis 2014) in order to evaluate the method. Since the organisation name is not available in the BGP updates, the data are extracted and processed to produce a structured database (Verification DB). The algorithm excludes false positive IP prefix hijack detection events in the SFL (Suspicious Findings List) introduced in (Alshamrani et al. 2015). Finally, the algorithm is validated using the 2008 YouTube Pakistan hijack event and the Con-Edison hijack (2006); the analysis demonstrates that the improved algorithm qualitatively increases the accuracy of detecting the IP prefix hijacks, specifically reducing the false positives.

References

  1. Alshamrani, H., Ghita, B. & Lancaster, D., 2015. Detecting IP prefix hijacking using data reductionbased and Binary Search Algorithm. In 2015 Internet Technologies and Applications (ITA). Wrexham: IEEE, pp. 78-84. Available at: http://ieeexplore.iee e.org/lpdocs/epic03/wrapper.htm?arnumber=7317374.
  2. Cao, H. et al., 2009. A Packet-Based Anomaly Detection Model for Inter-domain Routing. In 2009 IEEE International Conference on Networking, Architecture, and Storage. Hunan: IEEE, pp. 192-195. Available at: http://ieeexplore.ieee.org/lpdocs/epic03 /wrapper.htm?arnumber=5197320 [Accessed December 6, 2013].
  3. Dalal, A., 2004. Searching and Sorting Algorithms. , (100), pp.1-13. Available at: http://www.cs.carle ton.edu/faculty/adalal/teaching/f04/117/notes/searchSo rt.pdf [Accessed December 8, 2014].
  4. Goldberg, S., 2014. Why is it taking so long to secure internet routing? Communications of the ACM, 57(10), pp.56-63. Available at: http://dl.acm.org/citation.cfm? doid=2661061.2659899.
  5. Horvath, A., 2012. Quicksort, binary search and linear search performance - far from what you believe. , p.6. Available at: http://blog.teamleadnet.com/2012/02/q uicksort-binary-search-and-linear.html [Accessed August 5, 2013].
  6. John Stamatakis, 2014. Pen Test Live: Download Database. Available at: http://www.pentestlive.com [Accessed January 9, 2014].
  7. Meyer, D., University of Oregon Route Views Archive Project. University of Oregon. Available at: http://archive.routeviews.org/bgpdata/2008.02/UPDA TES/ [Accessed October 5, 2013].
  8. Schlamp, J. et al., 2015. The Abandoned Side of the Internet: Hijacking Internet Resources When Domain Names Expire. In arXiv preprint arXiv: …. pp. 188- 201. Available at: http://link.springer.com/10.1007 /978-3-319-17172-2_13.
  9. de Urbina Cazenave, I.O., Kosluk, E. & Ganiz, M.C., 2011. An anomaly detection framework for BGP. In 2011 International Symposium on Innovations in Intelligent Systems and Applications. Istanbul: IEEE, pp. 107-111. Available at: http://ieeexplore.ieee.org/l pdocs/epic03/wrapper.htm?arnumber=5946083.
  10. Vervier, P., Thonnard, O. & Dacier, M., 2015. Mind Your Blocks: On the Stealthiness of Malicious BGP Hijacks. In Proceedings 2015 Network and Distributed System Security Symposium. Reston, VA: Internet Society, pp. 8-11. Available at: http://www.internetsociety.org/doc/mind-your-blocksstealthiness-malicious-bgp-hijacks.
  11. Wählisch, M., Maennel, O. & Schmidt, T.C., 2012. Towards detecting BGP route hijacking using the RPKI. ACM SIGCOMM Computer Communication Review, 42(4), p.103. Available at: http://dl.acm .org/citation.cfm?doid=2377677.2377702.
Download


Paper Citation


in Harvard Style

Alshamrani H. and Ghita B. (2016). Improving IP Prefix Hijacking Detection by Tracing Hijack Fingerprints and Verifying Them through RIR Databases . In Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 1: DCNET, (ICETE 2016) ISBN 978-989-758-196-0, pages 57-63. DOI: 10.5220/0005934200570063


in Bibtex Style

@conference{dcnet16,
author={Hussain Alshamrani and Bogdan Ghita},
title={Improving IP Prefix Hijacking Detection by Tracing Hijack Fingerprints and Verifying Them through RIR Databases},
booktitle={Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 1: DCNET, (ICETE 2016)},
year={2016},
pages={57-63},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005934200570063},
isbn={978-989-758-196-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 1: DCNET, (ICETE 2016)
TI - Improving IP Prefix Hijacking Detection by Tracing Hijack Fingerprints and Verifying Them through RIR Databases
SN - 978-989-758-196-0
AU - Alshamrani H.
AU - Ghita B.
PY - 2016
SP - 57
EP - 63
DO - 10.5220/0005934200570063