While nearly essential for modern-day society, the technologies we use to share information on the Internet are imperfect. Take the Border Gateway Protocol (BGP), the main routing protocol that allows different parts of the Internet to talk to each other. By taking advantage of the known shortcomings of BGP, hijackers have achieved everything from sending email spam to stealing cryptocurrencies. Recently, in one of the most sophisticated uses of BGP hijacking, the cybercriminal group known as “3ve” generated $29 million from a major online advertising fraud operation.
Some of these hijackers’ networks have been active for years, perpetrating multiple hijacking incidents at different times. How can we leverage this behavior to trace attacks back to the hijackers themselves? Let’s find out.
Taking a Closer Look at BGP Hijacking
To get an understanding of how BGP hijacking (aka prefix hijacking, route hijacking or IP hijacking) works, let’s start with some background on BGP. Routers direct traffic on the Internet, forwarding data packets from router to router toward a destination computer. However, a router can’t do this without help. Routers need to know where specific Internet addresses are located on the network so that they can forward packets in the right direction. As such, routers rely on routing protocols to determine a route to any intended destination on the network.
BGP is the global protocol that allows the different regions of the Internet (which is a network of networks) to exchange routing information.
Although BGP has been around for over 20 years, it has serious security issues. One problem is that BGP doesn’t provide route authentication and validation, and BGP hijackers exploit this lack of protection. Hijackers can make false assertions about where addresses are located on the Internet, corrupting the routing tables maintained via BGP and thereby taking over IP addresses of victim networks. In this way, the hijackers convince neighboring networks that the path to a victim IP address runs through the hijacker’s network.
Currently, most efforts to detect and handle hijacks consider specific events on a case-by-case basis. However, in a novel paper by Cecilia Testart, Philipp Richter, Alistair King, Alberto Dainotti, and David Clark, the researchers focus on BGP serial hijackers and on networks that have been repeatedly hijacked over long periods of time – sometimes over multiple years. Although these serial hijackers are a continuous problem, there have been few empirical assessments of them. The authors even note in their paper that “[t]o the best of our knowledge, this is the first work focusing on the long-term characteristics of this important category of networks, serial hijacker[s].” As such, their paper represents an important milestone in protecting Internet users from a serious, known threat.
How to Identify BGP Serial Hijackers
As of the writing of the paper, there are no reliable or common systems that are able to automatically disregard illegitimate BGP route announcements. Currently, a majority of existing BGP hijack detection systems are either reactive or event-based, tracking individual hijacking events. And, as the authors note, those in the network operator community tend to use mailing lists to exchange information on illegitimate BGP route announcements and to coordinate their reactive measures. But if BGP hijacking is serial, with consistent behavior over time, the authors note that this creates “opportunities for methods based on longitudinal analysis, potentially informing proactive approaches (e.g., scoring systems) and providing situational awareness.”
From their collected data, the team was able to determine the dominant routing characteristics of serial hijacker networks, which have distinct origination patterns that differ from legitimate networks.
Observing the differences in long-term prefix announcement behavior for a legitimate network (top) and a serial hijacker (bottom). These charts show how a large portion of the IP prefixes originated by the legitimate network are consistent over time, while the serial hijacker network announces many prefixes over short periods of time. Images by Testart et al., taken from their paper.
Using this information, the authors determined that they could apply these behavioral differences to train a machine learning model that automatically identifies networks with characteristics similar to serial hijackers. “Our work presents a solid first step towards identifying and understanding this important category of networks, which can aid network operators in taking proactive measures to defend themselves against prefix hijacking and serve as input for current and future detection systems,” the researchers conclude. And looking ahead, their research indicates that fully automated detection approaches and scoring systems are also feasible.
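As an added illustration (not the authors’ code, feature set or classifier), here is how the origination pattern described above can be turned into simple per-origin longitudinal features from a constructed table of (origin ASN, prefix, first day seen, last day seen) records; the ASNs, prefixes and thresholds are all assumptions for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records: (origin ASN, prefix, first day seen, last day seen),
# as day offsets inside an observation window. ASNs and prefixes are reserved
# documentation values, not real networks. AS64500 mimics a stable legitimate
# origin; AS64501 mimics a serial-hijacker profile: many prefixes, each briefly.
WINDOW_DAYS = 730
SAMPLE_RECORDS = [
    ("AS64500", "192.0.2.0/24", 0, 730),
    ("AS64500", "198.51.100.0/24", 0, 730),
    ("AS64500", "203.0.113.0/24", 120, 730),
    ("AS64501", "192.0.2.0/24", 10, 14),
    ("AS64501", "198.51.100.0/25", 60, 63),
    ("AS64501", "203.0.113.128/25", 140, 141),
    ("AS64501", "198.51.100.128/25", 300, 309),
    ("AS64501", "192.0.2.128/25", 500, 502),
    ("AS64501", "203.0.113.0/25", 700, 730),
]


def profile_origins(records, window_days):
    """Per-origin features: prefix count, median fraction of the window a prefix
    was visible, and the share of prefixes visible for under 10% of the window."""
    per_asn = defaultdict(list)
    for asn, _prefix, first, last in records:
        per_asn[asn].append((last - first) / window_days)
    features = {}
    for asn, fracs in per_asn.items():
        features[asn] = {
            "prefix_count": len(fracs),
            "median_visibility": median(fracs),
            "short_lived_share": sum(f < 0.10 for f in fracs) / len(fracs),
        }
    return features


def hijacker_like(feat, min_prefixes=5, min_short_share=0.5):
    """Assumed heuristic thresholds for the example, not the paper's model."""
    return feat["prefix_count"] >= min_prefixes and feat["short_lived_share"] >= min_short_share


def flag_origins(records, window_days=WINDOW_DAYS):
    """Return the origins whose long-term pattern matches the hijacker-like profile."""
    feats = profile_origins(records, window_days)
    return sorted(asn for asn, f in feats.items() if hijacker_like(f))


if __name__ == "__main__":
    for asn, f in profile_origins(SAMPLE_RECORDS, WINDOW_DAYS).items():
        print(asn, f)
    print("hijacker-like profiles:", flag_origins(SAMPLE_RECORDS))
```

On real data the records would come from a longitudinal view of the routing table (e.g. route collector archives), and the thresholds would be learned rather than hand-picked.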
Future work on this topic will involve extending the features they use for classification, cross-evaluating their findings with external datasets, and further studying the time-sensitivity of their approach.
The paper, Profiling BGP Serial Hijackers: Capturing Persistent Misbehavior in the Global Routing Table, was partially supported by the MIT Internet Policy Research Initiative, William and Flora Hewlett Foundation grant 2014-1601; the National Science Foundation; the Department of Homeland Security; and the Air Force Research Laboratory. The paper authors are affiliated with MIT and CAIDA.