Eurecom - Networking and Security
Thesis: Detection, Analysis and Mitigation of malicious BGP hijack attacks
The current Internet routing infrastructure is built upon several legacy protocols that
rely on the concept of trust among the interconnected entities. Although this was not
considered a weakness in the early days of the Internet, cybercriminals now appear to take
advantage of this vulnerability to launch different types of attacks against the routing infrastructure.
One such attack is known as BGP hijacking or IP prefix hijacking [4, 5]. This
attack consists of taking control of blocks of IP addresses owned by a given administrative
entity, e.g., a company or a governmental institution, without their authorization. This
enables the attacker to disrupt or spy on the communications related to these addresses or
to use the network as a base to perform other malicious activities, e.g., spamming, phishing,
malware hosting. Although some well documented cases of intentional, yet non-malicious,
BGP hijacks [2, 1] highlight the feasibility of such attacks, it remains to be seen whether
others carried out by malicious actors can be found and, if so, how prevalent such attacks are.
Several works and studies [9, 3, 5, 13, 14, 11] have already addressed the detection of
accidental BGP hijacks, as well as solutions that bring authentication and integrity to BGP
[7, 8, 10, 6], usually through cryptography. Current BGP hijacking detection solutions are
designed to alert individual network owners as soon as a suspected hijack occurs. They
leverage the anomalies that appear in the routing infrastructure when a hijacker injects
erroneous routing information. Solutions for securing BGP with cryptography impose a heavy
computational burden on routers and require significant changes to the protocol or the
infrastructure, which so far has held back their large-scale deployment.
Recent studies [12, 5], as well as informal discussions with people having hands-on BGP
experience, suggest that cybercriminals could use BGP hijacking as a means to launch other
types of attacks, like spam campaigns. Only anecdotal observations exist though. There
is a need for a rigorous analysis of the reality of these attacks in order i) to assess
their prevalence, ii) to identify the most reliable ways to detect them, and iii) to implement
techniques to mitigate them. These are the three objectives of the proposed thesis. In
order to reach these goals, the following steps will be followed: i) collecting data about
security events (e.g., spam messages) and, at the same time, about the state of the routing
infrastructure (e.g., BGP routes and traceroutes), ii) identifying routing anomalies likely
due to BGP hijacks and discovering how they actually assist the other malicious activities,
and iii) leveraging the information uncovered from these attack scenarios and the behavior
of the attackers to build a reliable detection and/or mitigation framework.
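The detection-and-correlation pipeline sketched in steps i) to iii), as an added illustration that is not part of the proposal: an origin baseline, a stream of collector announcements and a set of spam trap records are all constructed sample data, and the two-hour correlation window is an assumed parameter.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed data: legitimate origins (as a registry or long-term observation of
# stable routes would give them) and announcements seen at a BGP collector.
# All prefixes, ASNs and timestamps below are made up for the example.
BASELINE = {"198.51.100.0/22": 64500, "203.0.113.0/24": 64501}

ANNOUNCEMENTS = [  # (timestamp, announced prefix, origin ASN)
    ("2012-03-01T10:00:00", "198.51.100.0/22", 64500),  # owner, as expected
    ("2012-03-01T10:05:00", "198.51.100.0/24", 64666),  # sub-prefix, foreign origin
    ("2012-03-01T10:06:00", "198.51.101.0/24", 64500),  # sub-prefix by the owner
    ("2012-03-01T10:07:00", "203.0.113.0/24", 64777),   # same prefix, different origin
]

SPAM_EVENTS = [  # (timestamp, sender IP) from a spam trap, constructed
    ("2012-03-01T10:20:00", "198.51.100.77"),  # inside the foreign-origin /24
    ("2012-03-01T10:21:00", "198.51.101.9"),   # inside the owner's own sub-prefix
    ("2012-03-01T15:00:00", "203.0.113.5"),    # too long after the anomaly
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def routing_anomalies(announcements, baseline):
    """Announcements whose origin AS disagrees with the baseline owner of the
    covering prefix: an exact-prefix MOAS conflict or a more-specific announcement
    from a foreign AS. Owner-originated sub-prefixes are ordinary traffic
    engineering and are not flagged."""
    base = [(ipaddress.ip_network(p), asn) for p, asn in baseline.items()]
    flagged = []
    for ts, prefix, origin in announcements:
        net = ipaddress.ip_network(prefix)
        for owned, owner in base:
            if net.subnet_of(owned) and origin != owner:
                kind = "moas" if net == owned else "subprefix"
                flagged.append({"time": parse(ts), "prefix": net, "origin": origin,
                                "owner": owner, "kind": kind})
    return flagged

def correlate(anomalies, events, window=timedelta(hours=2)):
    """Security events sent from an anomalously routed prefix within `window`
    after the anomaly appeared: the candidates to analyse for hijack-assisted abuse."""
    hits = []
    for ts, ip in events:
        t, addr = parse(ts), ipaddress.ip_address(ip)
        for a in anomalies:
            if addr in a["prefix"] and a["time"] <= t <= a["time"] + window:
                hits.append((ip, a["kind"], a["origin"]))
    return hits
```

Running `correlate(routing_anomalies(ANNOUNCEMENTS, BASELINE), SPAM_EVENTS)` keeps only the message sent from the foreign-origin sub-prefix during its announcement window; a real deployment would replace the static baseline with data from several collectors over time.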
If this thesis reaches its goals, its likely impact will be to provide better insights into
the reasons why attackers perform BGP hijacking as well as how they do it in practice.
Because hijackers can use someone else's IP identity, this will also have an impact on
current security systems relying on IP reputation, e.g., email sender reputation lists in
spam filters, phishing website blacklists, etc. Finally, this will encourage people to seriously
consider developing and deploying secure BGP solutions.