Border Gateway Protocol (BGP) is the de facto inter-domain routing protocol in the Internet. A major limitation of BGP is its failure to adequately address security [1]. Recent security analyses clearly indicate that the Internet routing infrastructure is highly vulnerable, and there have been enormous proposals to solve the BGP vulnerability of all kinds. In this review, we summarize the state-of-the-art solutions to prefix hijacking attacks.
In general cases, an IP prefix should only be originated by a single Autonomous System (AS) [2]. A Multiple Origin AS (MOAS) conflict occurs when a prefix is originated by more than one AS simultaneously. This can occur legitimately. For instance, a multi-homed AS transitions between preferred routes. However, these MOAS conflicts can also directly indicate prefix hijacking. A recent study of MOAS conflicts shows that potential causes included prefixes associated with exchange point addresses that link ASes, multi-homing without BGP or with private AS numbers, and faulty configurations [3].
[4] proposes to enhance BGP using community attributes [5] to distinguish between valid and invalid MOAS conflicts in response to these operational oddities. The set of ASes authorized to announce a given prefix is appended to the community attribute, which can be used to determine if a MOAS conflict is valid. Because the community attribute is optional and transitive, routers can drop this information without causing an error. Because they are not authenticated, the announcements can be forged or altered by malicious routers. However, the authors suggest that forged routes can be detected by flagging prefixes received with multiple, conflicting AS lists.
Intrusion detection mechanisms are used in [6] to identify forged origin announcements and several metrics for bogus announcements identification are also proposed. In this work, the detection criteria arise from the evaluation of common configurations and AS behavior, rather than derived from the BGP specification. Specifically, any departure from normal ownership behavior, such as a new AS begins to announce the address or a new MOAS occurs, is considered to be malicious and thus is flagged. This scheme produces few incorrect alerts. But the prefix ownership lists are pre-computed, requiring rebuilding the network model whenever the network topology changes.
The Prefix Hijacking Alert System (PHAS) [7] makes further extensions to MOAS detection based on prefix ownership. It relies on the assumption that a prefix owner is the only entity that can differentiate between real routing changes and prefix hijacking attack. It examines routing updates from Route Views [8] and RIPE [9] repositories. If there are changes to the originator of a route, the owner of the prefix is notified through email. The system is incrementally deployable, because a prefix owner only needs to register with the PHAS server. However, the server becomes a single point of failure. If it is compromised, numerous false alarms to prefix owners will be sent out. Moreover, the system relies on the validity of entities registering their prefixes, and there is no protection against an adversary making a false registration. To solve this problem, Route Origin Authorizations (ROAs) provide secure registries for resolving MOAS conflicts [10].
Pretty Good BGP (PGBGP) [11] is another alerting system. It shows misconfigurations and prefix hijacking attacks could be mitigated if routers exercise a certain amount of judgment with the routes in their routing tables. PGBGP maintains states through historical routing data to determine what routes to prefixes are normal. Any incoming routes violating these origins are flagged as suspicious for the time period shown in the data from [12]. The results of this work show that this solution may often protect ASes against hijacking attacks. An administrator deploying this solution must be cognizant of their business relationships and ensure that events causing path changes don’t affect convergence. In addition, sufficiently equipped adversaries can engineer the set of routes the system is forced to accept, in a routing equivalent of the link-cutting attack by Bellovin and Gansner [13].
[14] provides a mechanism for detecting prefix hijacking attacks in real time. The solution is based on fingerprinting techniques for networks and hosts. A number of criteria are used to characterize a particular network prefix, such as operating system of machines within a given prefix, and the identifier field within IP packets, TCP and ICMP timestamps. It takes advertised conflicting origin ASes as potential evidence of a prefix hijacking attack and compare the collected fingerprints against probes set to all origins. Differentiation between fingerprints will provide evidence that updates have been received from different originating machines, and that a newly-advertised prefix with sufficiently different characteristics is not the original network advertising a new path, but rather an adversary attempting to hijack the prefix. This approach relies on a real-time BGP UPDATE monitor, whose availability is critical. If updates are delayed, the ability to collect measures will be compromised. Subsequent work investigates how to optimally place route monitors within the Internet to maximize prefix hijacking detection coverage [15].
The Whisper protocol [16] is designed to validate the initial source of path information. Instead of providing explicit route authentication, it seeks to alert network administrators of potential routing inconsistencies. In its weakest form, a hash chain is used in a similar fashion to the cumulative authentication mechanism described in [17]. A random value is initially assigned to each prefix by the originator, which is repeatedly hashed at each hop as it is propagated from AS to AS. Received paths are validated by receiving routers by comparing received hash values. If the hash values are the same, then they must have come from the same source. Stronger protocols make the initial value more difficult to guess, using heavyweight modular exponentiation. One variant uses a construction similar to RSA [18], where a random initial value is by the AS numbers of the ASes a route traverses. Another variant, using a series of hash constructions, is complicated by the fact that only the route originator can verify the route because of the non-invertibility of secure hash functions.
References
[1] K. Butler, T. Farley, P. McDaniel, and J. Rexford, RexfordA survey of BGP Security Issues and Solutions, in Proc. IEEE, Jan, 2010.
[2] J. Hawkinson and T. Bates, Guidelines for Creation, Selection, and Registration of an Autonomous System (AS), RFC 1930, 1996.
[3] X. Zhao, D. Pei, L. Wang, D. Massey, A. Mankin, S. F. Wu, and L. Zhang, An analysis of BGP multiple origin AS (MOAS) conflicts, in Proc. ACM SIGCOMM Internet Measurement Workshop, 2001,San Francisco, CA, Nov. 2001.
[4] X. Zhao, D. Pei, L. Wang, D. Massey, A. Mankin, S. Wu, and L. Zhang, Detection of invalid routing announcement in the Internet, in IEEE DSN 2002, Washington, DC, Jun. 2002.
[5] R. Chandra, P. Traina, and T. Li, BGP Community Attribute, RFC 1997, Aug. 1996.
[6] C. Kruegel, D. Mutz, W. Robertson, and F. Valeur, Topology-based detection of anomalous BGP messages, in Proc. 6th Symp. Recent Advances in Intrusion Detection (RAID), Sep. 2003, pp. 17–35.
[7] M. Lad, D. Massey, D. Pei, Y. Wu, B. Zhang, and L. Zhang, BPHAS: A prefix hijack alert system, in Proc. 15th USENIX Security Symp., Vancouver, BC, Canada, Aug. 2006.
[8] http://www.routeviews.org/
[10] G. Huston and G. Michaelson, Validation of Route Origination in BGP Using the Resource Certificate PKI and ROAs,
Internet Draft, Aug. 2009.
[11] J. Karlin, S. Forrest, and J. Rexford, Autonomous security for autonomous systems, Computer Networks, Oct. 2008.
[12] R. Mahajan, D. Wetherall, and T. Anderson, Understanding BGP misconfiguration, in Proc. ACM SIGCOMM 2002, Pittsburgh, PA, Aug. 2002.
[13] S. Bellovin and E. Gansner. (2003, May). Using Link Cuts to Attack Internet Routing. [Online]. Available: http://www.cs. columbia.edu/smb/papers/reroute.pd
[14] X. Hu and Z. M. Mao, Accurate real-time identification of IP prefix hijacking, in Proc. IEEE Symp. Security and Privacy, Oakland, CA, May 2007.
[15] Y. Zhang, Z. Zhang, Z. M. Mao, Y. C. Hu, and B. M. Maggs, On the impact of route monitor selection,[ in Proc. ACM Internet Measurement Conf. (IMC), San Diego, CA, Oct. 2007.
[16] L. Subramanian, V. Roth, I. Stoica, S. Shenker, and R. Katz, Listen and Whisper: Security mechanisms for BGP, in Proc. Symp. Networked Systems Design and Implementation (NSDI), San Francisco, CA, Mar. 2004.
[17] Y. Hu, A. Perrig, and D. Johnson, Efficient security mechanisms for routing protocols, in Proc. ISOC Network and Distributed Systems Security Symp. (NDSS), San Diego, CA, Feb. 2003.
[18] R. Rivest, A. Shamir, and L. M. Adelman, BA method for obtaining digital signatures and public-key cryptosystems, Commun. ACM, vol. 21, no. 2, pp. 120–126, Feb. 1978.