HIJACKS - Detecting and Characterizing Internet Traffic Interception based on BGP Hijacking
The objective of this project is to enable near real-time detection and characterization of traffic interception events in the global Internet.
Principal Investigator: Alberto Dainotti
Funding source: CNS-1423659
Period of performance: August 1, 2014 - January 31, 2019.
Project Summary
Recent reports have highlighted incidents of massive Internet traffic interception executed by rerouting BGP paths across the globe (affecting banks, governments, entire network service providers, etc.). The potential impact of these attacks can range from massive eavesdropping to identity spoofing or selective content modification. In addition, executing such attacks does not require access or proximity to the affected links and networks, which poses increasing risks to national security. The architectural innovation that mitigates the inherent protocol design flaw exploited by such attacks is slow to take off, suggesting that this vulnerability will persist and leave our critical communication infrastructure exposed. Worse yet, the ultimate impact of traffic interception on the Internet is practically unknown, with even large-scale and long-lasting events apparently going unnoticed by the victims.
Devising effective methodologies for the detection and characterization of traffic interception events requires empirical and timely data. Such data must combine passive BGP measurements with active measurements (such as traceroutes), since the mechanism triggering the attack operates on the inter-domain routing control plane, but its actual impact is only verifiable in the data plane. We seek to: (i) investigate, develop, and experimentally evaluate novel methodologies to automatically detect traffic interception events and to characterize their extent, frequency, and impact; (ii) extend our measurement infrastructure to detect and report episodes of traffic interception based on BGP hijacking in near real-time; (iii) document such events, providing datasets to researchers as well as informing operators, emergency-response teams, law-enforcement agencies, and policy makers. We will quantify increased latency along observed paths, the magnitude of each incident in terms of the number of ASes and prefixes intercepted, and the social/political implications of interceptions that take traffic across national borders. To better understand both the technical and political effects of hijacks, we will augment our active measurement framework with algorithmic simulations of BGP routing policies and qualitative analysis of the organizations involved.
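As an added illustration (not the project's own code), the following Python sketch correlates a control-plane anomaly for one prefix with a targeted traceroute, in the way the summary describes: ASes newly appearing in an announced path, whether the data-plane path actually crosses them and still reaches the legitimate origin, and latency inflation against a reference-window baseline. All AS numbers, prefixes and RTT values are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class PrefixState:
    """Reference-window knowledge about one prefix (constructed sample values)."""
    prefix: str
    reference_paths: list      # AS paths (origin last) seen during the reference window
    baseline_rtt_ms: float     # median RTT to the prefix during that window

def control_plane_anomaly(state, new_path):
    """Control-plane indicator: ASes in the newly announced path that never
    appeared in the reference window, and whether the origin AS changed."""
    known = {asn for path in state.reference_paths for asn in path}
    known_origins = {path[-1] for path in state.reference_paths}
    new_ases = [asn for asn in new_path if asn not in known]
    return new_ases, new_path[-1] not in known_origins

def data_plane_check(state, new_ases, traceroute_ases, rtt_ms, factor=1.5):
    """Data-plane verification: does traffic really cross the new ASes, does it
    still reach a legitimate origin (interception rather than blackholing), and
    how much latency was added relative to the baseline?"""
    known_origins = {path[-1] for path in state.reference_paths}
    crosses_new = [asn for asn in new_ases if asn in traceroute_ases]
    reaches_origin = bool(traceroute_ases) and traceroute_ases[-1] in known_origins
    return {
        "crosses_new_ases": crosses_new,
        "reaches_origin": reaches_origin,
        "added_latency_ms": rtt_ms - state.baseline_rtt_ms,
        "interception_suspected": bool(crosses_new) and reaches_origin
                                  and rtt_ms > factor * state.baseline_rtt_ms,
    }

def assess(state, new_path, traceroute_ases, rtt_ms):
    """Combine both planes: only an anomalous announcement triggers the
    (costly) data-plane check, mirroring targeted active measurements."""
    new_ases, origin_changed = control_plane_anomaly(state, new_path)
    if not new_ases and not origin_changed:
        return {"anomaly": False}
    result = data_plane_check(state, new_ases, traceroute_ases, rtt_ms)
    result.update(anomaly=True, origin_changed=origin_changed, new_ases=new_ases)
    return result

# Constructed sample: prefix normally reached via 64500 or 64502, then 64501,
# then the origin 64510, with a 40 ms baseline RTT.
STATE = PrefixState("203.0.113.0/24",
                    [[64500, 64501, 64510], [64502, 64501, 64510]], 40.0)

if __name__ == "__main__":
    # A new announcement inserts AS 64999 before the origin; the traceroute
    # confirms the detour, the origin is still reached and RTT more than doubled.
    print(assess(STATE, [64500, 64999, 64510], [64500, 64999, 64510], 95.0))
```

A path that ends at the unexpected AS without reaching the origin is classified as an anomaly but not as interception, which is the distinction between blackholing and man-in-the-middle forwarding the summary is after.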
Proposed Timeline of Tasks
The schedule of work below shows how we plan to accomplish the proposed tasks over the two years of the project.
Subtask | Description | Quarters | Status
---|---|---|---
Task 1 | Infrastructure for data collection and analysis | |
1.1 | Purchase and deploy storage capacity for databases and historic archives | Q1 | done
1.2 | Acquire missing databases and integrate them into the system | Q1, Q2 | done
1.3 | Develop software for the extraction of control-plane metrics and for anomaly detection | Q1 | done
1.4 | Develop software for targeted active measurements based on Ark's API | Q2 | done
1.5 | Software integration | Q3, Q4 | done
1.6 | Reduce latency for detection and diagnosis | Q1, Q2, Q3, Q4 | in progress
1.7 | Implement additional/refined techniques for anomaly detection, correlation, and diagnosis | Q1, Q2, Q3, Q4 | in progress
1.8 | Refinement of software integration | Q2, Q3, Q4 | in progress
Task 2 | Detection and characterization of interception attacks | |
2.1 | Analysis of related work | Q1 | done
2.2 | Investigate anomaly indicators for the control plane | Q1 | done
2.3 | Study correlation between AS paths inferred from data-plane measurements and AS paths announced on the control plane | Q1 | in progress
2.4 | Modify CAIDA's AS relationship algorithm to serve as a reference for our inferences | Q2 |
2.5 | Investigate approaches for diagnosis of interception | Q2, Q3, Q4 | done
2.6 | Investigate approaches for event characterization and quantification of impact | Q3, Q4, Q1 (following year) | done
2.7 | Manually investigate selected events when detected | Q3, Q4 | ongoing
2.8 | Evaluate update frequency and size of the reference window for databases | Q1 | done
2.9 | Investigate trade-off of BGP monitoring coverage vs. latency of data feed and processing | Q2, Q3 | done
2.10 | Refine approaches for diagnosis of interception | Q2, Q3 | in progress
2.11 | Refine approaches for event characterization and quantification of impact | Q3, Q4 | in progress
Task 3 | Communication and Dissemination of Results | |
3.1 | Write a technical report about research activities | Q4 | done
3.2 | Invite selected researchers and operators to evaluate our approach and results | Q4 | in progress
3.3 | Organize the workshop | Q4, Q1 (following year) | done
3.4 | Publish the workshop report and recommendations | Q2 | done
3.5 | Provide datasets of our results to the scientific community | Q2, Q3, Q4 | in progress
3.6 | Provide real-time access to the output of our platform to collaborators, vetted researchers, and operators | Q2, Q3, Q4 |
3.7 | Submit scientific papers and present at major workshops and conferences | Q1, Q2, Q3, Q4 |
3.8 | Write 2nd technical report about research activities and infrastructure | Q3 |