HIJACKS: Detecting and Characterizing Internet Traffic Interception based on BGP Hijacking
Sponsored by:
National Science Foundation (NSF)

The objective of this project is to enable near real-time detection and characterization of traffic interception events in the global Internet.

Funding source: NSF CNS-1423659. Period of performance: August 1, 2014 - July 31, 2017.


Project Summary

Recent reports have highlighted incidents of massive Internet traffic interception executed by rerouting BGP paths across the globe (affecting banks, governments, entire network service providers, etc.). The potential impact of these attacks ranges from massive eavesdropping to identity spoofing or selective content modification. In addition, executing such attacks does not require access or proximity to the affected links and networks, which poses increasing risks to national security. The architectural innovation that mitigates the inherent protocol design flaw exploited by such attacks is slow to take off, suggesting that this vulnerability will persist and leave our critical communication infrastructure exposed. Worse yet, the ultimate impact of traffic interception on the Internet is practically unknown, with even large-scale and long-lasting events apparently going unnoticed by the victims.

Devising effective methodologies for the detection and characterization of traffic interception events requires empirical and timely data. Such data must combine passive BGP measurements with active measurements (such as traceroutes), since the mechanism triggering the attack operates on the inter-domain routing control plane, but its actual impact is only verifiable in the data plane. We seek to: (i) investigate, develop, and experimentally evaluate novel methodologies to automatically detect traffic interception events and to characterize their extent, frequency, and impact; (ii) extend our measurement infrastructure to detect and report, in near real-time, episodes of traffic interception based on BGP hijacking; (iii) document such events, providing datasets to researchers as well as informing operators, emergency-response teams, law-enforcement agencies, and policy makers. We will quantify the increased latency along observed paths, the magnitude of each incident in terms of the number of ASes and prefixes intercepted, and the social/political implications of interceptions that take traffic across national borders. To better understand both the technical and political effects of hijacks, we will augment our active measurement framework with algorithmic simulations of BGP routing policies and qualitative analysis of the organizations involved.
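As an added illustration of the combined control-plane/data-plane approach described above (example code written for this page, not the HIJACKS project's own software), the following Python sketch flags BGP announcements whose origin AS, or the AS adjacent to the origin, is absent from a reference window of past announcements, then checks each alarm against a traceroute from a vantage point: if the suspect AS appears on the data-plane path and the packets still reach the legitimate origin, the event is labelled an interception and the latency increase over the baseline RTT is recorded. All inputs are constructed: documentation prefixes, private-use ASNs, invented RTTs, and a hand-built reference window; the IP-to-AS mapping of traceroute hops is assumed to have already been done.

```python
"""Toy hijack detector: control-plane anomaly detection verified in the data plane.
Added illustration; not the HIJACKS project's code. All data below is constructed."""
import ipaddress
from dataclasses import dataclass

# Reference window (assumed to be built from historic announcements): for each monitored
# prefix, the ASes that legitimately originate it and the ASes seen adjacent to the origin.
REFERENCE = {
    "192.0.2.0/24":    {"origins": {64500}, "upstreams": {64502}},
    "198.51.100.0/24": {"origins": {64501}, "upstreams": {64503}},
}
# Baseline RTT (ms) from our vantage point to an address inside each prefix (constructed).
BASELINE_RTT_MS = {"192.0.2.0/24": 40.0, "198.51.100.0/24": 55.0}

# Constructed BGP updates as (prefix, AS path) as a route-collector peer would see them.
UPDATES = [
    ("192.0.2.0/24",    [64510, 64502, 64500]),  # normal: known neighbour, known origin
    ("198.51.100.0/24", [64510, 64503, 64501]),  # normal
    ("192.0.2.0/25",    [64510, 64599, 64500]),  # more-specific via unknown AS, legit origin kept
    ("198.51.100.0/24", [64510, 64599]),         # unknown origin AS
]
# Constructed traceroutes from our vantage point, keyed by monitored prefix:
# (AS of hop after IP-to-AS mapping, RTT in ms).
TRACEROUTES = {
    "192.0.2.0/24":    [(64510, 5.0), (64599, 70.0), (64599, 72.0), (64500, 110.0)],
    "198.51.100.0/24": [(64510, 5.0), (64599, 68.0)],  # never reaches AS64501
}


@dataclass
class Alarm:
    prefix: str
    reference_prefix: str
    kind: str                 # "origin": unexpected origin AS; "neighbour": unexpected AS next to origin
    suspect_as: int
    more_specific: bool       # announced prefix is a sub-prefix of the monitored one
    as_path: list
    verdict: str = "unverified"
    latency_increase_ms: float = 0.0


def _covering(prefix, reference):
    """Return the monitored prefix that contains `prefix`, or None."""
    net = ipaddress.ip_network(prefix, strict=False)
    for ref in reference:
        refnet = ipaddress.ip_network(ref)
        if net.version == refnet.version and net.subnet_of(refnet):
            return ref
    return None


def control_plane_alarms(updates, reference=REFERENCE):
    """Flag announcements whose origin, or origin-adjacent AS, is not in the reference window."""
    alarms = []
    for prefix, path in updates:
        ref = _covering(prefix, reference)
        if ref is None or not path:
            continue                      # not a monitored prefix
        origin, entry = path[-1], reference[ref]
        if origin not in entry["origins"]:
            kind, suspect = "origin", origin
        elif len(path) >= 2 and path[-2] not in entry["upstreams"]:
            kind, suspect = "neighbour", path[-2]
        else:
            continue                      # consistent with the reference window
        alarms.append(Alarm(prefix, ref, kind, suspect, prefix != ref, list(path)))
    return alarms


def _as_path(hops):
    """Collapse consecutive hops in the same AS into a data-plane AS path."""
    path = []
    for asn, _ in hops:
        if not path or path[-1] != asn:
            path.append(asn)
    return path


def verify_in_data_plane(alarm, traceroutes=TRACEROUTES, reference=REFERENCE, baseline=BASELINE_RTT_MS):
    """Check whether the suspect AS is actually on the forwarding path and whether traffic still reaches the victim."""
    hops = traceroutes.get(alarm.reference_prefix)
    if not hops:
        return alarm
    dp_path = _as_path(hops)
    reaches_victim = dp_path[-1] in reference[alarm.reference_prefix]["origins"]
    if alarm.suspect_as in dp_path:
        alarm.verdict = "interception" if reaches_victim else "blackhole-or-impersonation"
        alarm.latency_increase_ms = hops[-1][1] - baseline[alarm.reference_prefix]
    else:
        alarm.verdict = "not-visible-from-vantage-point"
    return alarm


def analyze(updates=UPDATES, traceroutes=TRACEROUTES):
    """Run detection and verification; summarize confirmed interceptions by prefixes, ASes and latency."""
    alarms = [verify_in_data_plane(a, traceroutes) for a in control_plane_alarms(updates)]
    confirmed = [a for a in alarms if a.verdict == "interception"]
    return {
        "alarms": alarms,
        "intercepted_prefixes": sorted({a.prefix for a in confirmed}),
        "suspect_ases": sorted({a.suspect_as for a in confirmed}),
        "max_latency_increase_ms": max((a.latency_increase_ms for a in confirmed), default=0.0),
    }


if __name__ == "__main__":
    for a in analyze()["alarms"]:
        print(a.prefix, a.kind, a.suspect_as, a.verdict, f"+{a.latency_increase_ms:.0f} ms")
```

With the constructed inputs, the more-specific 192.0.2.0/25 announced through AS64599 with the legitimate origin still appended is confirmed as an interception (the traceroute crosses AS64599 and ends in AS64500, 70 ms slower than baseline), while the bare origin change on 198.51.100.0/24 is classified as a blackhole or impersonation because the data-plane path never reaches AS64501. A single vantage point only sees interceptions that pull its own traffic, which is why the project relies on many collectors and Ark monitors rather than one.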

Proposed Timeline of Tasks

The schedule of work below shows how we plan to accomplish the proposed tasks in two years of the project.

Subtask | Description | Year 1 | Year 2 | Status

Task 1: Infrastructure for data collection and analysis
1.1 | Purchase and deploy storage capacity for databases and historic archives | Q1 | | done
1.2 | Acquire missing databases and integrate them into the system | Q1-Q2 | | done
1.3 | Develop software for the extraction of control-plane metrics and for anomaly detection | Q1 | | done
1.4 | Develop software for targeted active measurements based on Ark's API | Q2 | | done
1.5 | Software integration | Q3-Q4 | | done
1.6 | Reduce latency for detection and diagnosis | | Q1-Q4 | in progress
1.7 | Implement additional/refined techniques for anomaly detection, correlation, diagnosis | | Q1-Q4 | in progress
1.8 | Refinement of software integration | | Q2-Q4 | in progress

Task 2: Detection and characterization of interception attacks
2.1 | Analysis of related work | Q1 | | done
2.2 | Investigate anomaly indicators for the control plane | Q1 | | done
2.3 | Study correlation between AS paths inferred from data-plane measurements and AS paths announced on the control plane | Q1 | | in progress
2.4 | Modify CAIDA's AS relationship algorithm to serve as a reference for our inferences | Q2 | |
2.5 | Investigate approaches for diagnosis of interception | Q2-Q4 | | done
2.6 | Investigate approaches for event characterization and quantification of impact | Q3-Q4 | Q1 | done
2.7 | Manually investigate selected events when detected | Q3-Q4 | | ongoing
2.8 | Evaluate update frequency and size of the reference window for databases | | Q1 | done
2.9 | Investigate trade-off of BGP monitoring coverage vs. latency of data feed and processing | | Q2-Q3 | done
2.10 | Refine approaches for diagnosis of interception | | Q2-Q3 | in progress
2.11 | Refine approaches for event characterization and quantification of impact | | Q3-Q4 | in progress

Task 3: Communication and Dissemination of Results
3.1 | Write a technical report about research activities | Q4 | | done
3.2 | Invite selected researchers and operators to evaluate our approach and results | Q4 | | in progress
3.3 | Organize the workshop | Q4 | Q1 | done
3.4 | Publish the workshop report and recommendations | | Q2 | done
3.5 | Provide datasets of our results to the scientific community | | Q2-Q4 | in progress
3.6 | Provide real-time access to the output of our platform to collaborators, vetted researchers, and operators | | Q2-Q4 |
3.7 | Submit scientific papers and present at major workshops and conferences | | Q1-Q4 |
3.8 | Write 2nd technical report about research activities and infrastructure | | Q3 |
  Last Modified: Fri Aug-5-2016 12:08:21 PDT