슬라이드 1 - POSTECH CSE DPNM (Distributed Processing
Download
Report
Transcript 슬라이드 1 - POSTECH CSE DPNM (Distributed Processing
Network Reachability-based
IP Prefix Hijacking Detection
- PhD Thesis Defense -
Seongcheol Hong
Supervisor: Prof. James Won-Ki Hong
December 16, 2011
Distributed Processing & Network Management Lab.
Dept. of Computer Science and Engineering
POSTECH, Korea
Seongcheol Hong, POSTECH
PhD Thesis Defense
1/30
Presentation Outline
Introduction
Related Work
Research Approach
Reachability Based Hijacking Detection (RBHD)
Evaluation and Results
Conclusions
Seongcheol Hong, POSTECH
PhD Thesis Defense
2/30
Introduction
Routing protocols communicate reachability
information and perform path selection
BGP is the Internet’s de facto inter-domain routing
protocol
AS 1
Prefix
Path
1.2.0.0/16
2
iBGP
advertise
1.10.0.0/16 AS 1 AS 2
advertise
1.10.0.0/16 AS 2
eBGP
AS 2
AS 300
Seongcheol Hong, POSTECH
PhD Thesis Defense
Prefix
Path
1.2.0.0/16
12
3/30
Introduction
What is IP prefix hijacking?
Stealing IP addresses belonging to other networks
It can occur on purpose or by mistake
Serious threat to the robustness and security of the Internet routing system
IP prefix hijacking attack types
NLRI falsification
AS path falsification
advertise
IP prefix hijacking
incidents
1.2.0.0/16
Attacker
AS 7007 incident
AS
5
YouTube hijacking
Chinese ISP hijacking
AS 4
Prefix
Path
Prefix
Path
1.2.0.0/16
1.2.0.0/16 52, 1
AS 3
AS 1
AS 2
advertise
1.2.0.0/16
Prefix
Path
1.2.0.0/16
1
Prefix
Path
1.2.0.0/16
2, 1
Victim
Seongcheol Hong, POSTECH
PhD Thesis Defense
4/30
Research Motivation
IP prefix hijacking is a crucial problem in the Internet
security
Number of efforts were introduced
Security enabled BGP protocols
Hijacking detection methods
Every existing BGP security solutions have
limitations
Security enabled BGP protocols are impractical to deploy
Hijacking detection methods cannot detect every types of IP
prefix hijacking threats
We need a novel approach which is practical and
covers all types of IP prefix hijacking attacks
Seongcheol Hong, POSTECH
PhD Thesis Defense
5/30
Research Goals
Target approach
Security enabled BGP protocol
IP prefix hijacking detection method
Developing a new approach which is practical and
detects all types of IP prefix hijacking
IP hijacking detection system does not require
cooperation of ASes and does not have to be located
in a specific monitoring point
Proposed approach should be validated in simulated
environments using real network data
Seongcheol Hong, POSTECH
PhD Thesis Defense
6/30
Related Work
Security enabled BGP protocol
BGP Session Protection
• Protecting the underlying TCP session and implementing BGP session defenses
• Not verifying the content of BGP messages
Defensive Filtering
• Filters announcements which are bad and potentially malicious
• It is difficult for an ISP to identify invalid routes originated from several AS hops away
Cryptographic Techniques
• Rely on a shared key between two parties
• Public Key Infrastructure (PKI) requires many resources
Routing Registries
• Shared, global view of ‘correct’ routing information
• Registry itself must be secure, complete and accurate
Seongcheol Hong, POSTECH
PhD Thesis Defense
7/30
Related Work
Existing IP hijacking detection methods
Detection approach
• Victim-centric
• Infrastructurebased
• Peer-centric
Type of used data
• Routing
information
(control-plane)
Attack type
• NLRI falsification
• AS path
falsification
• Data probing
(data-plane)
Seongcheol Hong, POSTECH
PhD Thesis Defense
8/30
Related Work
Comparison among IP hijacking detection methods
Detection approach
Victimcentric
Infrastructurebased
Type of used data
Peercentric
Routing
information
Data
probing
Attack type
NLRI
falsification
AS path
falsification
O
Topology
O
O
O
PHAS
O
O
O
Distance
O
Real-time
Monitoring
O
pgBGP
O
O
O
O
O
O
O
O
O
iSPY
O
O
O
Strobelight
O
O
O
O
O
Reachability
(Proposed)
Seongcheol Hong, POSTECH
O
O
PhD Thesis Defense
O
O
9/30
Research Approach
IP prefix hijacking detection based on network
reachability
advertise
1.2.0.0/16
AS 5
AS 4
Prefix
Path
Prefix
Path
1.2.0.0/16 52 1
1.2.0.0/16
Attacker
Prefix
Path
1.2.0.0/16
21
AS 3
reachability test
This update is
IP hijacking
Multiple
case
origin
AS?
1.2.0.0/16
AS 2
AS 1
Prefix
Path
1.2.0.0/16
1
Reached
the intended
network?
Victim
Seongcheol Hong, POSTECH
PhD Thesis Defense
10/30
Reachability-Based
Hijacking Detection (RBHD)
Seongcheol Hong, POSTECH
PhD Thesis Defense
11/30
Network Reachability Examination
IP prefix hijacking is an attack which influences the
network reachability
We have developed network fingerprinting
techniques for network reachability examination
Network fingerprinting is active or passive collection
of characteristics from a target network (AS level)
Network fingerprint should be unique to distinguish a certain
network
A
A = B if and only if
FingerprintA = FingerprintB
FingerprintB
FingerprintA
Seongcheol Hong, POSTECH
B
PhD Thesis Defense
12/30
Network Fingerprinting
What can uniquely characterize a network?
IP prefix information
Number of running servers in the network
A static live host or device in the network (e.g., IDS or IPS)
Firewall policy
Geographical location of the network
Etc.
We have selected static live host information and
firewall policy as network fingerprints
Static live host: Web server, mail server, DNS server, IPS device,
and etc.
Firewall policy: allowed port numbers or IP addresses
Not changed frequently
Seongcheol Hong, POSTECH
PhD Thesis Defense
13/30
Static Live Host
Requirements of live hosts
Operated in most ASes
Easy to obtain IP addresses
Always provide services for its AS
Allow external connection and respond to active probing
DNS server satisfies all of these requirements
Provide a conversion service between domain names and IP
addresses
Part of the core infrastructure of the Internet
Always provide service and allow external connections from any
host
Seongcheol Hong, POSTECH
PhD Thesis Defense
14/30
DNS Server List Collection
BGP-RIB of RouteViews
‘RouteViews’ collects global routing information
RIB consists of IP prefixes and AS paths
DNS server collection process
• Perform reverse DNS lookup
1
• Obtain the authority server name with authority over a particular IP prefix
• Perform DNS lookup with the authority server name
2
3
• Obtain the IP addresses of the DNS server
• Repeat process 1 and 2 over all IP prefixes in BGP-RIB
Seongcheol Hong, POSTECH
PhD Thesis Defense
15/30
DNS Server Fingerprinting
Host fingerprint of DNS
server is used as network
fingerprint
DNS server fingerprinting
DNS protocol information
DNS domain name information
DNS server configuration
information
DNS
Domain
Name
(AA flag…)
DNS Protocol
(implementation
…)
DNS Server
Configuratio
n (DNSSEC…)
DNS Host Fingerprint
Seongcheol Hong, POSTECH
PhD Thesis Defense
16/30
Firewall Policy as Alternative Fingerprint
DNS host fingerprints are not sufficient for reachability
monitoring of all ASes in the Internet
The ASes in which a DNS server is not found exist (such as IX)
Suitability of firewall policies as network fingerprints
Number of possible combination is huge
• Protocol
• Port number
• IP address
•Direction
•Permission
E.g.) ACCEPT TCP from anywhere to 224.0.0.251 TCP Port:80
REJECT ICMP from anywhere to anywhere
ICMP unreachable
Firewall policy fingerprinting is performed by active
probing
Target
Network
Seongcheol Hong, POSTECH
Probing
packets
PhD Thesis Defense
17/30
Reachability-Based Hijacking Detection (RBHD)
Identification of NLRI
falsification
Identification of AS
path falsification
BGP update
NLRI
falsification?
N
AS path
falsification?
An
available
DNS server
in the
target
network?
Valid update
Y
Y
DNS host
fingerprinting
N
N
Y
Firewall policy
fingerprinting
Collect DNS host
fingerprints
Match the
existing
fingerprints?
Collect firewall
policy fingerprints
Match the
existing
fingerprints?
N
Y
Valid update
Seongcheol Hong, POSTECH
N
Y
Invalid update
PhD Thesis Defense
18/30
Evaluations and
Results
Seongcheol Hong, POSTECH
PhD Thesis Defense
19/30
DNS Server Collection Result
* The number of IP prefixes owned by each AS
Current state of DNS server operation
304,106 IP prefixes (8,414,294 /24 prefixes) in BGP-RIB
77,530 DNS server’s information using DNS forward/reverse
query to /24 prefixes
Seongcheol Hong, POSTECH
PhD Thesis Defense
20/30
Host Fingerprint Groups
The total number of distinguishable fingerprints are
73,781 (total DNS server 77,530)
* The number of distinguishable DNS server fingerprints
Seongcheol Hong, POSTECH
PhD Thesis Defense
21/30
Uniqueness of Fingerprints
N : the total number of collected DNS servers
G : the total number of mutually exclusive fingerprints
For each group, ni is defined as the number of DNS
servers that belong to i-th fingerprint group Ni
The collision probability PC :
In our result,
N is 77,530 and G is 73,781
Pc in our experiment is 2.69 x 10-6
We conclude that the sufficient level of distinction can be applied in
our proposed host fingerprinting method.
Seongcheol Hong, POSTECH
PhD Thesis Defense
22/30
Firewall Policy Examples
Seongcheol Hong, POSTECH
PhD Thesis Defense
23/30
Differences of Firewall Policies
* Network B
* Network A
* Network C
Seongcheol Hong, POSTECH
* Network D
PhD Thesis Defense
24/30
IP Prefix Hijacking Testbed
false
announcement
Collect
current
fingerprints
Collect
AS A’s
fingerprints
two networks are randomly selected
(IP address in this slide are anoymized)
Translate IP address
ex) 192.168.1.0 => 192.168.31.0
Seongcheol Hong, POSTECH
PhD Thesis Defense
25/30
Conclusions
1.
2.
3.
Seongcheol Hong, POSTECH
Summary
Contributions
Future Work
PhD Thesis Defense
26/30
Summary
We proposed a new approach that practically detects
IP prefix hijacking based on network reachability
monitoring
We used a fingerprinting scheme in order to
determine the network reachability of a specific
network
We proposed DNS host and firewall policy
fingerprinting methods for network reachability
monitoring
We validated the effectiveness of the proposed
method in the IP hijacking test-bed
Seongcheol Hong, POSTECH
PhD Thesis Defense
27/30
Contributions
The problems of existing IP prefix hijacking detection
techniques are addressed
The absence of detection techniques which deal with all
IP prefix hijacking cases leads to the development of new
methodologies which are suitable for the current Internet
Our approach provides the practical network
fingerprinting method for the reachability test of all ASes
DNS host fingerprinting
Firewall policy fingerprinting
Novel and real-time IP prefix hijacking detection methods
are described and validated with the real network data.
Seongcheol Hong, POSTECH
PhD Thesis Defense
28/30
Future Work
Enhancement of our DNS server finding and
fingerprinting method
Optimization of inferring the firewall policies with
small probing packets
Analyzing the performance and feasibility of our
fingerprinting approach on the Internet
Applying our hijacking detection system to a real
research network
Seongcheol Hong, POSTECH
PhD Thesis Defense
29/30
Q&A
PhD Thesis Defense, Seongcheol Hong
December 16, 2011
Seongcheol Hong, POSTECH
PhD Thesis Defense
30/30
Appendix
Seongcheol Hong, POSTECH
PhD Thesis Defense
31/30
IP Prefix Hijacking Incidents
AS7007 incident
April 25 1997
Caused by a misconfigured router that flooded the Internet with
incorrect advertisement
YouTube Hijacking
February 24 2008
Pakistan's attempt to block YouTube access within their country
takes down YouTube entirely
Chinese ISP hijacks the Internet
April 8 2010
China Telecom originated 37,000 prefixes not belonging to them
Seongcheol Hong, POSTECH
PhD Thesis Defense
32/30
Related Work
Security enabled BGP protocol
BGP Session Protection
• Protecting the underlying TCP session and implementing BGP session defenses
• Not verifying the content of BGP messages
Defensive Filtering
• Filters announcements which are bad and potentially malicious
• It is difficult for an ISP to identify invalid routes originated from several AS hops away
Cryptographic Techniques
• Rely on a shared key between two parties
• Public Key Infrastructure (PKI) requires many resources
Routing Registries
• Shared, global view of ‘correct’ routing information
• Registry itself must be secure, complete and accurate
Seongcheol Hong, POSTECH
PhD Thesis Defense
33/30
Related Work
Existing IP hijacking detection methods
Detection approach
• Victim-centric
• Infrastructurebased
• Peer-centric
Type of used data
• Routing
information
(control-plane)
Attack type
• NLRI falsification
• AS path
falsification
• Data probing
(data-plane)
Seongcheol Hong, POSTECH
PhD Thesis Defense
34/30
Solution Approach
Research Hypothesis
An independent system can perform real-time
IP prefix hijacking detection using network
reachability monitoring without any changes
of existing Internet infrastructure
Seongcheol Hong, POSTECH
PhD Thesis Defense
35/30
Legitimate Case
advertise
1.2.0.0/16
AS 5
AS 4
Static link
AS 1
1.2.0.0/16
Seongcheol Hong, POSTECH
Prefix
Path
Prefix
Path
1.2.0.0/16 52 1
1.2.0.0/16
Path
1.2.0.0/16
21
AS 3
reachability test
AS 2
Prefix
Prefix
Path
1.2.0.0/16
1
PhD Thesis Defense
This update
Multiple
is valid
origin
AS?
Reached
the intended
network?
O
36/30
Common Legitimate Cases
Xin Hu and Z. Morley Mao, “Accurate Real-time
Identification of IP Prefix Hijacking”
Seongcheol Hong, POSTECH
PhD Thesis Defense
37/30
DNS Server Collection Process
Start
BGP-RIB at
RouteViews
Get IP prefix and
AS path
information
More IP prefix?
No
End
Yes
Do reverse query about an IP address
in the IP prefix to local DNS server
Do reverse query about an IP address
in the IP prefix to global DNS server
No
Query result exists?
Query result exists?
Yes
Yes
No
Print ‘no DNS server
in the IP prefix’
No
Authority Section exists
in the result?
Yes
Do forward query about an IP address
in the Authority Section
Print ‘DNS server infomation
in the IP prefix’
Seongcheol Hong, POSTECH
Get domain name and IP address
about the DNS server
PhD Thesis Defense
38/30
Distinguishable Groups of Each fingerprints
* DNS protocol information
* DNS domain name information
* DNS server configuration
Seongcheol Hong, POSTECH
PhD Thesis Defense
39/30
DNS Server Fingerprint
* DNS server fingerprinting process
* Structure of DNS server fingerprint
Seongcheol Hong, POSTECH
PhD Thesis Defense
40/30
DNS Server Fingerprint Examples
Seongcheol Hong, POSTECH
PhD Thesis Defense
41/30
The Use of Sweep Line for Firewall Policy Inference
Example of the sweep line algorithm on a 2dimensional space
Seongcheol Hong, POSTECH
PhD Thesis Defense
42/30
Inferring the Firewall Policy
Protocol
Destination IP
Destination Port
Option
TTL
ICMP
192.168.10.0/24
-
echo
router + 1
TCP
192.168.10.0/24
1:1023
SYN
router + 1
UDP
192.168.10.0/24
1:1023
-
router + 1
Protocol
ICMP
TCP
UDP
Seongcheol Hong, POSTECH
Response packet
Permission
echo reply
accept
-
deny
ICMP Time Exceeded
accept
ICMP Destination Unreachable
deny
-
deny
-
accept
ICMP Destination Unreachable
deny
PhD Thesis Defense
43/30
Inferring the Firewall Policy
Protocol
Destination IP
Destination Port
Option
TTL
ICMP
192.168.10.0/24
-
echo
255
TCP
192.168.10.0/24
1:1023
SYN
255
UDP
192.168.10.0/24
1:1023
-
255
Protocol
ICMP
TCP
UDP
Seongcheol Hong, POSTECH
Response packet
Permission
echo reply
accept
-
deny
SYN/ACK
accept
RST/ACK
accept
RST
accept
ICMP Destination Unreachable
deny
-
deny
-
accept
ICMP Destination Unreachable
deny
PhD Thesis Defense
44/30
Suspicious Update Frequency
Suspicious update frequency
During 2 weeks monitoring from BGP-RIB
Anomalous update type
Total number
Average rate
(/ min)
NLRI
1234
0.12
AS path
12632
1.02
Seongcheol Hong, POSTECH
PhD Thesis Defense
45/30