iSPY: Detecting IP Prefix Hijacking on My Own
What is iSPY?
iSPY is a defense system against IP prefix hijacking.
IP prefix hijacking poses a serious threat to the robustness and
security of the Internet routing system. Any network whose prefix is
hijacked may experience reachability problems and cannot easily
identify the actual cause. IP prefix hijacking is essentially a
special form of denial of service attack. Hijacked prefixes can also
be used for carrying out malicious activities, raising the
challenge of identifying the actual perpetrator. Eliminating IP prefix
hijacking is close to impossible given today's routing design, partly
due to the lack of authoritative information on prefix
ownerships. Even with such information, topology can still be spoofed
without modifying prefix owners, resulting in intercepted
traffic. Thus, there is a critical need to design an
effective IP prefix hijacking detection system to inform the
mitigation response and help locate the responsible AS for the
attack. Such a detection system should satisfy all of the following
critical requirements:
- Real-time: Detection should be real-time to identify short-lived attacks and minimize potential damage.
- Accurate: The detection accuracy must be high, with both low false positive and false negative ratios.
- Light-weight: Detection should be light-weight and scale well with the number of protected IP prefixes and networks without sacrificing the detection accuracy.
- Easy to deploy: The detection system can be easily deployed incrementally without requiring privileged access to data such as live BGP feeds from many ASes.
- Incentive to deploy: The system is designed to tie the deployment effort to the direct benefits of the deploying organization and hence creates strong incentives for widespread deployment.
- Robust in victim notification: The system is able to notify the victim (owner) of the hijacked IP prefix in a robust fashion. In addition, it is desirable that the system accurately identifies and notifies the polluted networks.
iSPY is an IP prefix hijacking detection system that
satisfies all of the above requirements.
It exploits a key observation about IP prefix hijacking:
due to the rich connectivity of the ASes in the Internet, a prefix
hijack almost always pollutes a significant percentage of the ASes,
i.e., those ASes will route any packet destined to the hijacked prefix
to the attacker's network, as opposed to the victim's network.
In other words, when a prefix hijack is ongoing, the victim's network
will experience failure in probing a large number of networks, as the
probe reply will be routed to the attacker's network. This observation
motivates our prefix-owner-centric data-plane-based hijacking
detection system. Essentially, each network deploys iSPY to detect
hijacking of its own prefixes, and iSPY simply performs continuous
probing to transit ASes and detects hijacking events based
on the observed reachability to these ASes.
A fundamental difference between iSPY and previous approaches using
data-plane information is that iSPY is prefix-owner-centric: each
network performs real-time probing in the data plane to detect
potential hijacking of its own prefix(es). This approach makes the
detection system not only real-time and easy to deploy, as in previous
proposals, but also gives it the following additional properties:
- accurate, as the detection accuracy is not limited by the placement of any vantage points,
- strongly incentivized to deploy, as deployment by each prefix owner directly benefits itself,
- light-weight, as it is fully decentralized among the prefix owner networks, and each prefix owner just needs to continuously probe the over 3000 transit ASes, and
- intrinsically robust in victim notification, as the prefix owner makes the hijacking detection decision locally.
Furthermore, the prefix-owner-initiated probing for AS-level
paths in iSPY avoids the firewall problem in previous
vantage-point-based probing: since the probing is initiated from
inside the network, the probe packets can usually exit the prefix
owner's network. Most transit networks enable ICMP replies; thus, the
probes can effectively test reachability to such networks. Lastly,
upon detecting a hijacking event, the victim network has also
identified the set of polluted networks and can notify them of the
event, e.g., using a different prefix.
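The following is an added example, not iSPY's own code, sketching the detection decision described above: the prefix owner probes a set of transit ASes, treats an AS as unreachable only after consecutive missed replies, and raises an alarm when the unreachable share crosses a threshold, which also yields the set of polluted networks to notify. The ASNs, the 25% threshold and the two-round persistence requirement are constructed assumptions, not values from the paper.

```python
# Constructed set of transit ASNs the prefix owner probes (placeholders, not a real topology).
TRANSIT_ASES = [f"AS{n}" for n in range(1, 21)]


def unreachable_ases(rounds, consecutive=2):
    """Return the ASes that failed to reply in each of the last `consecutive` probe rounds.
    Requiring consecutive failures filters transient packet loss from a real reachability change."""
    recent = rounds[-consecutive:]
    if len(recent) < consecutive:
        return set()
    return {asn for asn in TRANSIT_ASES if all(not r.get(asn, False) for r in recent)}


def detect_hijack(rounds, threshold=0.25, consecutive=2):
    """Apply the key observation: a hijack pollutes a large share of transit ASes at once,
    so probe replies from all of them stop reaching the owner. Returns (alarm, polluted_set).
    The threshold value is an assumption chosen for this example."""
    polluted = unreachable_ases(rounds, consecutive)
    fraction = len(polluted) / len(TRANSIT_ASES)
    return fraction >= threshold, polluted


def make_round(unreachable=()):
    """Constructed probe result for one round: every transit AS replies except those listed."""
    missing = set(unreachable)
    return {asn: asn not in missing for asn in TRANSIT_ASES}


# Scenario 1: a single transit AS times out once (transient loss) -> no alarm.
transient = [make_round(), make_round(["AS7"]), make_round()]
# Scenario 2: a localized outage cuts off two ASes persistently -> still below threshold.
outage = [make_round(), make_round(["AS3", "AS4"]), make_round(["AS3", "AS4"])]
# Scenario 3: a hijack pollutes 12 of 20 transit ASes for two consecutive rounds -> alarm,
# and the returned set is exactly the networks the victim would notify.
POLLUTED = [f"AS{n}" for n in range(1, 13)]
hijack = [make_round(), make_round(POLLUTED), make_round(POLLUTED)]

if __name__ == "__main__":
    for name, rounds in (("transient", transient), ("outage", outage), ("hijack", hijack)):
        alarm, polluted = detect_hijack(rounds)
        print(f"{name}: alarm={alarm}, polluted={sorted(polluted)}")
```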
iSPY Software Download
People
Faculty: Y. Charlie Hu, Z. Morley Mao
Students: Zheng Zhang, Ying Zhang
and Randy Bush
Paper
iSPY: Detecting IP Prefix Hijacking on My Own.
Zheng Zhang, Ying Zhang, Y. Charlie Hu, Z. Morley Mao, and Randy Bush.
To appear in ACM/IEEE Transactions on Networking (ToN),
2010.
iSPY: Detecting IP Prefix Hijacking on My Own.
Zheng Zhang, Ying Zhang, Y. Charlie Hu, Z. Morley Mao, and Randy Bush.
Proceedings of ACM SIGCOMM, Seattle, WA, August 17-22, 2008.