Engineering school and research centre in digital sciences

Investigating the nature of routing anomalies: Closing in on subprefix hijacking attacks

Schlamp, Johann; Holz, Ralph; Gasser, Oliver; Korsten, Andreas; Jacquemart, Quentin; Carle, Georg; Biersack, Ernst W

TMA 2015, 7th International Workshop on Traffic Monitoring and Analysis, Barcelona, Spain, April 21-24, 2015 / Also published as Book chapter in "Traffic Monitoring and Analysis", LNCS Volume 9053/2015, April 2015

Best Paper Award

The detection of BGP hijacking attacks has been a focus of research for more than a decade. However, state-of-the-art techniques fall short of detecting subprefix hijacking, where smaller parts of a victim's networks are targeted by an attacker. The analysis of the corresponding routing anomalies, so-called subMOAS events, is tedious since these anomalies are numerous and mostly have legitimate causes. In this paper, we propose, implement and test a new approach to investigate subMOAS events. Our method combines input from several data sources that can reliably disprove malicious intent. First, we make use of the database of an Internet Routing Registry (IRR) to derive business relations between the parties involved in a subMOAS event. Second, we use a topology-based reasoning algorithm to rule out subMOAS events caused by legitimate network setups. Finally, we use Internet-wide network scans to identify SSL-enabled hosts in a large number of subnets. Where we observe that public/private key pairs do not change during an event, we can eliminate the possibility of an attack. We show that subprefix announcements with multiple origins are harmless for the most part. This significantly reduces the search space in which we need to look for hijacking attacks.
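The abstract describes a pipeline: find sub-prefix announcements whose origin AS differs from that of the covering prefix (subMOAS events), then discard those that IRR data or unchanged SSL key pairs show to be benign. The following is an added example, not the authors' code, that implements that triage on constructed data: routing table, IRR maintainer data and scan results are all made up here. It assumes "shared maintainer object on both aut-num records" as the notion of a business relation and "same public-key fingerprint before and after the event" as the key-pair comparison; the paper's topology-based reasoning step is not reproduced. Only the "legitimate" verdicts are conclusions; everything else simply remains in the search space, because a changed key does not by itself prove a hijack.

```python
# Added example (not the paper's code): a toy subMOAS triage pipeline
# following the abstract. It detects sub-prefix announcements with a
# different origin AS and then applies two of the three elimination
# steps: IRR-derived business relations and unchanged TLS key pairs.
# The topology-based reasoning step is not reproduced. The IRR and scan
# data below are constructed; "shared maintainer object" as the notion of
# business relation and "public-key fingerprint" as the key identity are
# assumptions of this example, not details taken from the paper.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str       # e.g. "203.0.113.0/24"
    origin_asn: int   # origin AS of the BGP announcement


def find_submoas(routes):
    """Return (covering, sub) pairs: sub is a more-specific prefix whose
    origin AS differs from that of its most specific covering prefix."""
    nets = [(ipaddress.ip_network(r.prefix), r) for r in routes]
    events = []
    for sub_net, sub in nets:
        covers = [(n, r) for n, r in nets
                  if n != sub_net and sub_net.subnet_of(n)]
        if not covers:
            continue
        cov_net, cov = max(covers, key=lambda c: c[0].prefixlen)
        if cov.origin_asn != sub.origin_asn:
            events.append((cov, sub))
    return events


def irr_related(irr, asn_a, asn_b):
    """IRR step: treat two origin ASes as business partners when their
    aut-num objects share a maintainer (constructed mapping ASN -> set)."""
    return bool(irr.get(asn_a, set()) & irr.get(asn_b, set()))


def keys_unchanged(scan_before, scan_after, prefix):
    """Scan step: True if every SSL host seen inside `prefix` before the
    event presents the same public-key fingerprint after it, False if any
    fingerprint changed or disappeared, None if the scan saw no host there."""
    net = ipaddress.ip_network(prefix)
    hosts = [h for h in scan_before if ipaddress.ip_address(h) in net]
    if not hosts:
        return None
    return all(scan_after.get(h) == scan_before[h] for h in hosts)


def triage(routes, irr, scan_before, scan_after):
    """Classify each subMOAS event. Only 'legitimate:*' verdicts are
    conclusions; the others just stay in the search space for hijacks."""
    verdicts = {}
    for cov, sub in find_submoas(routes):
        if irr_related(irr, cov.origin_asn, sub.origin_asn):
            verdicts[sub.prefix] = "legitimate:irr"
            continue
        same_keys = keys_unchanged(scan_before, scan_after, sub.prefix)
        if same_keys is True:
            verdicts[sub.prefix] = "legitimate:keys-unchanged"
        elif same_keys is False:
            verdicts[sub.prefix] = "candidate:keys-changed"
        else:
            verdicts[sub.prefix] = "candidate:no-evidence"
    return verdicts


# Constructed sample input (documentation prefixes and private ASNs).
ROUTES = [
    Route("203.0.113.0/24", 64500),
    Route("203.0.113.0/25", 64501),      # shares a maintainer with AS64500
    Route("198.51.100.0/24", 64502),
    Route("198.51.100.128/25", 64503),   # keys unchanged -> ruled out
    Route("192.0.2.0/24", 64504),
    Route("192.0.2.0/26", 64505),        # keys changed -> stays a candidate
    Route("192.0.2.0/25", 64504),        # same origin as /24: not a subMOAS
]
IRR = {64500: {"MNT-A"}, 64501: {"MNT-A", "MNT-C"}, 64502: {"MNT-B"},
       64503: {"MNT-D"}, 64504: {"MNT-E"}, 64505: {"MNT-F"}}
SCAN_BEFORE = {"198.51.100.130": "sha256:aa11", "198.51.100.131": "sha256:bb22",
               "192.0.2.10": "sha256:cc33"}
SCAN_AFTER = {"198.51.100.130": "sha256:aa11", "198.51.100.131": "sha256:bb22",
              "192.0.2.10": "sha256:dd44"}

if __name__ == "__main__":
    for prefix, verdict in triage(ROUTES, IRR, SCAN_BEFORE, SCAN_AFTER).items():
        print(prefix, verdict)
```

Note that the /26 under 192.0.2.0/24 is compared against its most specific covering prefix (the /25), which is how a customer's legitimate more-specific does not mask a further, unrelated more-specific announced beneath it.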


Title: Investigating the nature of routing anomalies: Closing in on subprefix hijacking attacks
Type: Conference
Language: English
City: Barcelona
Country: Spain
Date:
Department: Digital Security
Eurecom ref: 4567
Copyright: © Springer. Personal use of this material is permitted. The definitive version of this paper was published in TMA 2015, 7th International Workshop on Traffic Monitoring and Analysis, Barcelona, Spain, April 21-24, 2015 / Also published as Book chapter in "Traffic Monitoring and Analysis", LNCS Volume 9053/2015, April 2015 and is available at: http://dx.doi.org/10.1007/978-3-319-17172-2_12
Bibtex: @inproceedings{EURECOM+4567, doi = {http://dx.doi.org/10.1007/978-3-319-17172-2_12}, year = {2015}, title = {{I}nvestigating the nature of routing anomalies: {C}losing in on subprefix hijacking attacks}, author = {{S}chlamp, {J}ohann and {H}olz, {R}alph and {G}asser, {O}liver and {K}orsten, {A}ndreas and {J}acquemart, {Q}uentin and {C}arle, {G}eorg and {B}iersack, {E}rnst {W}}, booktitle = {{TMA} 2015, 7th {I}nternational {W}orkshop on {T}raffic {M}onitoring and {A}nalysis, {B}arcelona, {S}pain, {A}pril 21-24, 2015 / {A}lso published as {B}ook chapter in "{T}raffic {M}onitoring and {A}nalysis", {LNCS} {V}olume 9053/2015, {A}pril 2015 }, address = {{B}arcelona, {ESPAGNE}}, month = {04}, url = {http://www.eurecom.fr/publication/4567} }