Real-time system for detecting inter-domain routing man-in-the-middle attacks
LI Song1, DUAN Haixin2, LI xing1,2
1. Department of Electronic Engineering, Tsinghua University, Beijing 100084, China;
2. Institute of Network Science and Cyberspace, Tsinghua University, Beijing 100084, China
Abstract:Man-in-the-middle attacks have become a new serious threat to inter-domain routing. This paper presents a real-time system for detecting inter-domain routing man-in-the-middle attacks based on an analysis of a threat model and key features in the control plane and the data plane. The detection system first monitors the anomalous route in the control plane and then probes the data plane to identify the inter-domain routing man-in-the-middle attack. Internet tests show that the detection system is light-weight and effectively detects probable man-in-the-middle attacks in inter-domain routing in real time.
[1] 黎松, 诸葛建伟, 李星. BGP安全研究[J]. 软件学报, 2013, 24(1):121-138.Li S, Zhuge J W, Li X. Study on BGP security[J]. Ruanjian Xuebao/Journal of Software, 2013, 24(1):121-138.(in Chinese)
[2] Hiran R, Carlsson N, Gill P. Characterizing large-scale routing anomalies:A case study of the China Telecom incident[J]. Lecture Notes in Computer Science, 2013:229-238.
[3] Dyn Research. The new threat:Targeted internet traffic misdirection[EB/OL].(2013-11-19). http://research.dyn.com/2013/11/mitm-internet-hijacking.
[4] Dyn Research. Uk traffic diverted through Ukraine[EB/OL].(2015-3-13). http://research.dyn.com/2015/03/uk-traffic-diverted-ukraine.
[5] Hu X, Mao Z M. Accurate real-time identification of IP prefix hijacking[C]//Security and Privacy, 2007. Oakland, California, USA:IEEE, 2007:3-17.
[6] Zhang Z, Zhang Y, Hu Y C, et al. iSPY:Detecting IP prefix hijacking on my own[J]. IEEE/ACM Transactions on Networking(TON), 2010, 18(6):1815-1828.
[7] Xiang Y, Wang Z, Yin X, et al. Argus:An accurate and agile system to detecting IP prefix hijacking[C]//Proc 19th IEEE International Conf Network Protocols. Vancouver, BC, Canada:IEEE, 2011:43-48.
[8] Ballani H, Francis P, Zhang X. A study of prefix hijacking and interception in the internet[J]. ACM Sigcomm Computer Communication Review, 2007, 37(4):265-276.
[9] Zhang Y, Pourzandi M. Studying impacts of prefix interception attack by exploring BGP AS-PATH prepending[C]//Proc 32nd IEEE International Conf Distributed Computing Systems. Macau, China:IEEE, 2012:667-677.
[10] Zheng C, Ji L, Pei D, et al. A light-weight distributed scheme for detecting ip prefix hijacks in real-time[J]. ACM Sigcomm Computer Communication Review, 2007, 37(4):277-288.
[11] Zhao X, Pei D, Wang L, et al. An analysis of BGP multiple origin AS(MOAS) conflicts[C]//Proc 1st ACM SIGCOMM Workshop on Internet Measurement. San Francisco, California, USA:ACM, 2001:31-35.
[12] Colorado State University. Welcome to BGPmon[DB/OL].[2015-08-18] http://www.bgpmon.io.
[13] University of Oregon's Advanced Network Technology Center. University of oregon route views project[DB/OL].[2015-08-18] http://www.routeviews.org.
[14] Jared Mauch. Open DNS Resolver Project[DB/OL].[2015-08-18] http://openresolverproject.org.
[15] Madhyastha H V, Isdal T, Piatek M, et al. iPlane:An information plane for distributed services[C]//Proc 7th symposium on Operating systems design and implementation. Seattle, WA, USA:USENIX Association, 2006:367-380.
[16] China Education and Research Network Center. CERNET-中国教育和科研计算机网[EB/OL].[2015-08-18] http://www.edu.cn/cernet_fu_wu/.
[17] Gao L. On inferring autonomous system relationships in the Internet[J]. IEEE/ACM Transactions on Networking(ToN), 2001, 9(6):733-745.
[18] Center for Applied Internet Data Analysis. The caida ucsd as-relationships[DB/OL].[2015-08-01] http://data.caida.org/datasets/as-relationships/serial-1.