Detecting IP Prefix Hijack Events Using BGP Activity and AS Connectivity Analysis

Detecting IP Prefix Hijack Events Using BGP Activity and AS Connectivity Analysis

University of Plymouth PEARL https://pearl.plymouth.ac.uk 04 University of Plymouth Research Theses 01 Research Theses Main Collection 2017 Detecting IP prefix hijack events using BGP activity and AS connectivity analysis Alshamrani, Hussain Hameed http://hdl.handle.net/10026.1/9566 University of Plymouth All content in PEARL is protected by copyright law. Author manuscripts are made available in accordance with publisher policies. Please cite only the published version using the details provided on the item record or document. In the absence of an open licence (e.g. Creative Commons), permissions for further reuse of content should be sought from the publisher or author. Detecting IP prefix hijack events using BGP activity and AS connectivity analysis BY Hussain Hameed Alshamrani A thesis submitted to the University of Plymouth in partial fulfilment for the degree of Doctor of Philosophy Centre for Security, Communications and Network (CSCAN) Plymouth University February 2017 Copyright This copy of the thesis has been supplied on condition that anyone who consults it is understood to recognise that its copyright rests with its author and that no quotation from the thesis and no information derived from it may be published without the author’s prior consent. Abstract The Border Gateway Protocol (BGP), the main component of core Internet connectivity, suffers vulnerability issues related to the impersonation of the ownership of IP prefixes for Autonomous Systems (ASes). In this context, a number of studies have focused on securing the BGP through several techniques, such as monitoring-based, historical-based and statistical-based behavioural models. In spite of the significant research undertaken, the proposed solutions cannot detect the IP prefix hijack accurately or even differentiate it from other types of attacks that could threaten the performance of the BGP. This research proposes three novel detection methods aimed at tracking the behaviour of BGP edge routers and detecting IP prefix hijacks based on statistical analysis of variance, the attack signature approach and a classification-based technique. The first detection method uses statistical analysis of variance to identify hijacking behaviour through the normal operation of routing information being exchanged among routers and their behaviour during the occurrence of IP prefix hijacking. However, this method failed to find any indication of IP prefix hijacking because of the difficulty of having raw BGP data hijacking-free. The research also proposes another detection method that parses BGP advertisements (announcements) and checks whether IP prefixes are announced or advertised by more than one AS. If so, events are selected for further validation using Regional Internet Registry (RIR) databases to determine whether the ASes announcing the prefixes are owned by the same organisation or different organisations. Advertisements for the same IP prefix made by ASes owned by different organisations are subsequently identified as hijacking events. The I proposed algorithm of the detection method was validated using the 2008 YouTube Pakistan hijack event; the analysis demonstrates that the algorithm qualitatively increases the accuracy of detecting IP prefix hijacks. The algorithm is very accurate as long as the RIRs (Regional Internet Registries) are updated concurrently with hijacking detection. The detection method and can be integrated and work with BGP routers separately. Another detection method is proposed to detect IP prefix hijacking using a combination of signature-based (parsing-based) and classification-based techniques. The parsing technique is used as a pre-processing phase before the classification-based method. Some features are extracted based on the connectivity behaviour of the suspicious ASes given by the parsing technique. In other words, this detection method tracks the behaviour of the suspicious ASes and follows up with an analysis of their interaction with directly and indirectly connected neighbours based on a set of features extracted from the ASPATH information about the suspicious ASes. Before sending the extracted feature values to the best five classifiers that can work with the specifications of an implemented classification dataset, the detection method computes the similarity between benign and malicious behaviours to determine to what extent the classifiers can distinguish suspicious behaviour from benign behaviour and then detect the hijacking. Evaluation tests of the proposed algorithm demonstrated that the detection method was able to detect the hijacks with 96% accuracy and can be integrated and work with BGP routers separately. II Acknowledgement Regarding the occasion of finishing the research, I would like to thank my mother and father for their patience while I was far away for obtaining my PhD certificate. I would also like to thank my supervisors for their useful guidance, and my wife and children for being here to support me during the research period. Special thanks to Bogdan Ghita for his guidance and corrections to my papers and thesis. I also would like to acknowledge Rana Moyeed and Irene Kaimi for their helpful statistical guidance, and my friend Ali Hussain Al-Timemy for his advice during using machine learning as a tool to detect IP prefix hijacking. Finally, many thanks to all my colleagues for their technical assistance and moral support. III Table of Contents ABSTRACT ........................................................................................................................................... I ACKNOWLEDGEMENT ................................................................................................................. III TABLE OF CONTENTS ................................................................................................................... IV GLOSSARY ........................................................................................................................................ IX AUTHOR’S DECLARATION ......................................................................................................... XII LIST OF FIGURES ......................................................................................................................... XIII LIST OF TABLES ........................................................................................................................... XIV CHAPTER : 1 INTRODUCTION ....................................................................................................... 1 1.1 AIM AND OBJECTIVES ................................................................................................................ 3 1.2 THESIS CONTENTS ...................................................................................................................... 5 CHAPTER : 2 BGP SECURITY AND IP PREFIX HIJACK ATTACKS ...................................... 9 2.1 BGP BACKGROUND ................................................................................................................. 10 2.1.1 BGP architecture and communication ............................................................................. 10 2.1.2 Vulnerabilities .................................................................................................................. 12 2.1.3 Built-in security ................................................................................................................ 13 2.2 IP PREFIX HIJACKING ............................................................................................................... 14 2.2.1 History of IP prefix hijacking ........................................................................................... 15 2.2.2 Process of IP prefix hijacking .......................................................................................... 18 2.3 SECURING THE BGP ................................................................................................................. 21 2.3.1 secure Border Gateway Protocol (sBGP) ........................................................................ 21 2.3.1.1 sBGP mechanism ...................................................................................................................................... 22 2.3.1.2 Benefits and limitations ............................................................................................................................. 23 2.3.2 secure origin Border Gateway Protocol (soBGP) ........................................................... 24 2.3.2.1 soBGP mechanism .................................................................................................................................... 25 IV 2.3.2.2 Benefits and limitations ............................................................................................................................. 26 2.3.3 pretty secure Border Gateway Protocol (psBGP) ............................................................ 27 2.3.3.1 psBGP mechanism .................................................................................................................................... 27 2.3.3.2 Benefits and limitations ............................................................................................................................. 30 2.3.4 Preventing IP prefix hijacking using the RPKI ................................................................ 31 2.3.4.1 RPKI mechanism ......................................................................................................................................

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    280 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us