inter-AS routing on the Internet is usually governed by routing policies set up and kept private by network owners because they reflect business agreements between them. We finally need to rigorously and scientifically evaluate the assumptions made and the ability of our methodology under these assumptions to detect such attacks from the data collected and the routing anomalies extracted using it.
1.1.3 (P3) If existent, assessment of the prevalence of malicious BGP hijacks and characterisation of the attackers’ behavior If the conjecture turns out to be true, there is a need to assess the prevalence of these attacks to determine the potential effect on current security systems relying on IP reputation and in the Internet routing infrastructure. Upon detection of instances of BGP hijacks performed to support other malicious activities, the attack scenarios should also be leveraged torefine the data collection process by adding new discrim-inative features of the attackers’ behavior. It should also be leveraged to improve detection and mitigation techniques.
1.2 Research objectives
This work aims at addressing the previously introduced challenges by building an environment for collecting and analysing data for the study of malicious BGP hijack attacks.
Claim: Despite the fact that several techniques and deployed envi-ronments exist for monitoring the inter-domain routing infrastruc-ture and detecting BGP hijack attacks, there is no environment read-ily usable for the study of BGP hijacks specifically performed to sup-port other malicious activities such as spamming, hosting of phishing or malware distributing websites, or launching DDoS attacks.
This claim, addressed thoroughly in Chapter2, stems from three limitations of cur-rent approaches to detect and mitigate BGP hijacking attacks on the Internet, which limit their use for solving the problems described here above. This claim can be ar-ticulated in the following three points.
1. Most current approaches to monitor the inter-domain routing infrastructure for BGP hijack attacks are solely based on monitoring the control plane [59,116, 144, 189] and thus suffer from the high similarity between routing anomalies resulting from BGP hijacks and those resulting from benign BGP practices or misconfigurations. These BGP hijack detection techniques are thus primarily useful to network operators who want to monitor their own network since they have the ground-truth information about it. Other methods [96, 157, 194] leverage data plane traces to complement BGP-based routing anomaly detection by assessing the impact of BGP routing changes on the forwarding
plane in an effort to reduce the number of false-positive alarms. However, the usage of additional data plane traces does not necessarily result in a reduced, manageable number of false-positive alerts. Moreover, these techniques are not able to deal with the wide range of BGP hijack types that need to be looked at.
2. Alternatively, BGP hijack prevention techniques, such as the RPKI frame-work [120], are developed to bring security into the trust-based BGP ecosys-tem, usually by means of cryptography-based protocol extensions, but they currently fail to be widely adopted and deployed due to required router soft-ware changes and more expensive hardsoft-ware requirements.
3. In 2006, Ramachandran et al. [148] reported on the observation of “BGP spec-trum agility”, a phenomenon where spammers hijack, for a very short period of time (i.e., less than a day) large blocks (i.e., /8’s) of unannounced IP ad-dresses. However both BGP hijack detection and prevention techniques prove to be ineffective against this type of hijack.
In order to address the challenges described here above, this work makes the following assumptions.
Assumption 1: The first observations of “BGP spectrum agility”
described spammers carrying out BGP hijacking attacks to steal blocks of IP addresses and use them to launch spam campaigns in an effort to hinder their traceability and circumvent IP-based black-listing. In an effort to assess the existence, as of 2014, of “BGP spectrum agility” in the wild Internet, we envision spammers use BGP hijacking.
Assumption 2: Hijacking a block of IP addresses requires an at-tacker to modify the routes taken by data packets so that they reach its physical network instead of the victim’s one. Consequently, mon-itoring both the control and data planes from sufficiently distributed viewpoints should expose such hijack attacks.
This thesis builds upon these two assumptions to solve the research problems in the following ways.
To address the first problem (P1) and based on the first observations of the
“BGP spectrum agility” phenomenon, our approach consists in correlating malicious activities and abnormal routing behaviors. Our objective is to design and implement a comprehensive data collection system that will enable us to study the routing behavior of networks performing malicious activities and demonstrate rigorously and scientifically the existence or the absence of malicious BGP hijacks. The system relies on the collection of (i) data plane network traces towards offending networks, (ii) control plane (BGP) data, and (iii) registration information related to these networks extracted from Internet Routing Registry (IRR) databases.
To address the second problem (P2), we anticipate that existing BGP hijack detection techniques can be extended and improved with new algorithms to detect
1.2. Research objectives 5 potential malicious BGP hijack cases. Validating a hijack case based solely on rout-ing changes observed from outside a monitored network can be very challengrout-ing due to the lack of ground-truth data. To achieve this goal, we are considering the use of external data sources, such as Internet Routing Registries (IRRs) providing registra-tion informaregistra-tion related to IP and AS resources on the Internet as well as feedback from network owners.
To address the thirdproblem (P3), that is if malicious BGP hijacks really occur on the Internet, we want to assess their prevalence both in terms of the amount of malicious activities performed from stolen networks and in terms of the number of networks involved in those attacks. This will determine the impact of these attacks on the Internet routing infrastructure and on the current security systems and, in particular, the ones relying on IP reputation, such as spam sender IP-based blacklists.
We also want to take advantage of the heterogenous collected data, i.e., data plane network traces, BGP and registration data, to be able to gain more insights into the attackers’ behavior and characterise the modus operandi used to hijack blocks of IP addresses and use the available IP addresses to launch other types of attacks from them.
Thesis: this thesis will demonstrate the following statements.
• Correlating security-related data, in particular spam emails, with routing data related to networks emitting this malicious traffic enables us to uncover candidate hijacked networks. The collected data enriched with registration information from IRRs and direct feedback from network operators enable us to validate the malicious nature of these attacks.
• As of 2014,BGP spectrum agility can be observed in the real-world in the form of stealthy and persistent campaigns of ma-licious BGP hijacks.
• There exists a specific class of agile spammers that are able to hijack routinely, persistently and -quite likely- automatically a large number of blocks of IP addresses to send spam from and host scam websites on the stolen IP address space.
• Malicious BGP hijacks are carried out using a stealthy modus operandi consisting in hijacking previously unadver-tised blocks of IP addresses and announcing these blocks in BGP using AS numbers stolen from their legitimate owner to hinder traceability. Such hijacks proves to be rather successful at circumventing traditional BGP hijack and spam protection techniques.
• Some characteristics of uncovered malicious BGP hijack cam-paigns, such as the AS numbers used by attackers, can suc-cessfully be leveraged to detect other attack instances and mitigate, for example by means of a blacklist of hijacked IP address blocks, their effects on the inter-domain routing in-frastructure and the security of networks and end hosts on the Internet.
This work has led to the development of SpamTracer, a framework for the study of malicious BGP hijacks on the Internet via the collection and analysis of BGP data and traceroute measurements related to networks sourcing malicious network traffic, in particular spam emails.