Thesis
Detection, analysis and mitigation of malicious BGP hijack attacks
The vulnerability of the Internet inter-domain routing infrastructure against BGP hijacking has gained a lot of attention in the last few years due to several hijack incidents being reported. In 2006, Ramachandran et al. presented evidence of blocks of IP addresses being stolen by BGP hijackers to launch spam campaigns. They coined the expression “BGP spectrum agility” to refer to this threat. Since then, only a very few anecdotal cases have been reported. However, it is a common belief among network operators and ISPs that these attacks could be taking place but, so far, no one has produced evidence to back up that claim. The main goal of this thesis is to determine whether BGP spectrum agility is still, as of today, a problem worthy of consideration. If so, we further aim to rigorously assess the frequency and the prevalence of these attacks and to characterise the attackers’ modus operandi.
A wide range of tools has been proposed to help network operators defend against accidental BGP hijacks, but they either suffer from high deployment cost or from a high false-positive rate, which limits their usage to network operators who have the ground truth about their network. The contribution of this thesis is threefold.
First, motivated by the lack of readily available tools to study the phenomenon of malicious BGP hijacks at large scale, we propose our own data collection and analysis framework, called SpamTracer. The data collection part consists in collecting a combination of control plane (BGP) data and data plane (traceroute) measurements related to networks generating malicious network traffic, such as spam emails.
These network traces are further enriched with registration information from IRRs to provide a comprehensive set of features to characterise the routing behavior of the offending networks. For the data analysis part we propose a novel approach to identify and validate possible cases of malicious BGP hijacks from the SpamTracer dataset. The methodology consists of a multi-stage scoring and filtering process, whose results are enriched by means of external data sources and feedback from network operators to validate candidate hijack cases.
Secondly, we applied our methodology to data collected over a period of almost two years and reveal what we believe to be more than 2,000 malicious hijacks, which have taken place on a regular basis over the whole period of the experiment. Some of them were confirmed by the victim network owners and an ISP that was unwittingly involved in several hijack cases.
Thirdly, we unveil a sophisticated modus operandi used by cybercriminals to stealthily hijack blocks of IP addresses. Our results show that the identified attacks were rather successful at circumventing BGP hijack and spam mitigating techniques.
In the light of these findings, we propose some directions to defend more effectively against this emerging threat and take a final step towards helping mitigate such attacks by leveraging characteristics of the identified hijacks into a real-time blacklist of hijacked IP address blocks.
Finally, this thesis aims at being an eye opener for the community to the fact that frequent, persistent and stealthy BGP hijack attacks have taken place in the Internet for months or even years. We also hope that it will spur new research to understand why these hijacks are taking place and how they can be mitigated.