HIJACKS - Detecting and Characterizing Internet Traffic Interception based on BGP Hijacking

The objective of this project is to enable near real-time detection and characterization of traffic interception events in the global Internet.

Sponsored by:
National Science Foundation (NSF)

Principal Investigator: Alberto Dainotti

Funding source: CNS-1423659. Period of performance: August 1, 2014 - January 31, 2019.


Project Summary

Recent reports have highlighted incidents of massive Internet traffic interception executed by rerouting BGP paths across the globe (affecting banks, governments, entire network service providers, etc.). The potential impact of these attacks ranges from massive eavesdropping to identity spoofing or selective content modification. In addition, executing such attacks does not require access or proximity to the affected links and networks, posing increasing risks to national security. The architectural innovation that mitigates the inherent protocol design flaw exploited by such attacks is slow to take off, suggesting that this vulnerability will persist, leaving our critical communication infrastructure exposed. Worse yet, the ultimate impact of traffic interception on the Internet is practically unknown, with even large-scale and long-lasting events apparently going unnoticed by the victims.

Devising effective methodologies for the detection and characterization of traffic interception events requires empirical and timely data. Such data must combine passive BGP measurements with active measurements (such as traceroutes), since the mechanism triggering the attack operates on the inter-domain routing control plane, but the actual impact is only verifiable in the data plane. We seek to: (i) investigate, develop, and experimentally evaluate novel methodologies to automatically detect traffic interception events and to characterize their extent, frequency, and impact; (ii) extend our measurement infrastructure to detect and report, in near real-time, episodes of traffic interception based on BGP hijacking; (iii) document such events, providing datasets to researchers as well as informing operators, emergency-response teams, law-enforcement agencies, and policy makers. We will quantify increased latency along observed paths, the magnitude of the incident in terms of number of ASes and prefixes intercepted, and the social/political implications of interceptions that take traffic across national borders. To better understand both the technical and political effects of hijacks, we will augment our active measurement framework with algorithmic simulations of BGP routing policies and qualitative analysis of the organizations involved.
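The control-plane/data-plane correlation sketched above, as an added illustration in Python (this is not code from the HIJACKS project, CAIDA's BGP tooling, or the Ark platform). A reference window of "stable" announcements gives each prefix its legitimate origin ASes; live updates are checked for two classic control-plane indicators (an origin change, or a new more-specific announced by a foreign origin); a traceroute toward the affected prefix then decides whether the suspect AS merely blackholes the traffic or forwards it on to the legitimate origin, which is the interception case, and by how much latency grew. All ASNs (documentation range 64496-64511), prefixes (RFC 5737 ranges), AS paths and RTTs are constructed for the example.

```python
"""Toy control-plane / data-plane correlation for BGP hijack detection.

Added illustration, not HIJACKS project code. Every ASN, prefix, AS path
and RTT below is constructed (RFC 5737 documentation prefixes and the
documentation ASN range 64496-64511).
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class BgpUpdate:
    prefix: str
    as_path: tuple   # AS path as seen by a BGP monitor; last element is the origin AS


@dataclass(frozen=True)
class Traceroute:
    target: str      # destination IP probed (inside the affected prefix)
    as_hops: tuple   # AS-level path inferred from the traceroute, in order
    rtt_ms: float    # RTT to the last responding hop


def build_reference(history):
    """Reference window: prefix -> set of origin ASes seen during a stable period."""
    ref = {}
    for u in history:
        ref.setdefault(u.prefix, set()).add(u.as_path[-1])
    return ref


def control_plane_alerts(reference, live):
    """Two classic control-plane indicators:
    origin_change: a known prefix now originated by an AS outside its reference set;
    sub_prefix:    a new more-specific of a known prefix, originated by an AS that
                   does not originate the covering prefix (longest-prefix match
                   makes the more-specific win everywhere, so it attracts traffic
                   globally)."""
    alerts = []
    for u in live:
        origin = u.as_path[-1]
        if u.prefix in reference:
            if origin not in reference[u.prefix]:
                alerts.append({"kind": "origin_change", "prefix": u.prefix,
                               "suspect_as": origin, "victim_ases": reference[u.prefix]})
            continue
        net = ipaddress.ip_network(u.prefix)
        for cover, origins in reference.items():
            cover_net = ipaddress.ip_network(cover)
            if (net.version == cover_net.version and net.subnet_of(cover_net)
                    and origin not in origins):
                alerts.append({"kind": "sub_prefix", "prefix": u.prefix,
                               "suspect_as": origin, "victim_ases": origins})
    return alerts


def classify(alert, trace, baseline_rtt_ms):
    """Data-plane check from one vantage point:
    suspect AS on the path and packets still reach a legitimate origin -> interception;
    path terminates in the suspect AS -> blackhole (or plain misorigination);
    suspect AS absent -> this vantage point is not affected.
    Returns (verdict, added latency in ms relative to the pre-event baseline)."""
    hops = trace.as_hops
    suspect = alert["suspect_as"]
    if suspect not in hops:
        return "unaffected", 0.0
    after = hops[hops.index(suspect) + 1:]
    reaches_victim = any(h in alert["victim_ases"] for h in after)
    return ("interception" if reaches_victim else "blackhole"), trace.rtt_ms - baseline_rtt_ms


# ---- constructed sample data (not real routing data) ----
HISTORY = [
    BgpUpdate("203.0.113.0/24", (64498, 64497, 64496)),
    BgpUpdate("203.0.113.0/24", (64499, 64496)),
    BgpUpdate("198.51.100.0/24", (64499, 64496)),
]
LIVE = [
    BgpUpdate("198.51.100.0/24", (64499, 64496)),   # benign, unchanged
    BgpUpdate("203.0.113.0/25", (64498, 64511)),    # new more-specific originated by AS64511
]
# Traceroutes toward the victim prefix taken during the event: one shows the detour
# through AS64511 and on to the legitimate origin, the other dies inside AS64511.
TRACE_INTERCEPT = Traceroute("203.0.113.10", (64498, 64511, 64499, 64496), rtt_ms=85.0)
TRACE_BLACKHOLE = Traceroute("203.0.113.10", (64498, 64511), rtt_ms=30.0)
BASELINE_RTT_MS = 40.0   # RTT to the same target measured before the event


def run():
    """Correlate alerts with the intercepting traceroute; returns one tuple per alert."""
    alerts = control_plane_alerts(build_reference(HISTORY), LIVE)
    return [(a["prefix"], a["kind"], a["suspect_as"],
             *classify(a, TRACE_INTERCEPT, BASELINE_RTT_MS)) for a in alerts]


if __name__ == "__main__":
    for row in run():
        print(row)
```

In a real deployment the reference window comes from many route collectors rather than a handful of updates, the traceroute hops must be mapped to ASes with care (IXP addresses, unresponsive hops, and third-party addresses all mislead a naive IP-to-AS lookup), and a single vantage point only tells you how that vantage point is affected; the magnitude numbers the summary mentions come from repeating the data-plane check from many vantage points and counting the prefixes and ASes that are actually detoured.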

Proposed Timeline of Tasks

The schedule of work below shows how we plan to accomplish the proposed tasks over the two years of the project. The quarter entries for each subtask run across Year 1 (Q1-Q4) and then Year 2 (Q1-Q4); the final column gives the current status.

Subtask   Description   Quarters (Year 1 Q1-Q4, Year 2 Q1-Q4)   Status
Task 1: Infrastructure for data collection and analysis
1.1 Purchase and deploy storage capacity for databases and historic archives Q1 done
1.2 Acquire missing databases and integrate them into the system Q1 Q2 done
1.3 Develop software for the extraction of control-plane metrics and for anomaly detection Q1 done
1.4 Develop software for targeted active measurements based on Ark's API Q2 done
1.5 Software integration Q3 Q4 done
1.6 Reduce latency for detection and diagnosis. Q1 Q2 Q3 Q4 in progress
1.7 Implement additional/refined techniques for anomaly detection, correlation, diagnosis Q1 Q2 Q3 Q4 in progress
1.8 Refinement of software integration Q2 Q3 Q4 in progress
Task 2: Detection and characterization of interception attacks
2.1 Analysis of related work Q1 done
2.2 Investigate anomaly indicators for the control-plane Q1 done
2.3 Study correlation between AS paths inferred from data-plane measurements and AS paths announced on the control plane Q1 in progress
2.4 Modify CAIDA's AS relationship algorithm to serve as a reference for our inferences Q2
2.5 Investigate approaches for diagnosis of interception Q2 Q3 Q4 done
2.6 Investigate approaches for event characterization and quantification of impact Q3 Q4 Q1 done
2.7 Manually investigate selected events when detected Q3 Q4 ongoing
2.8 Evaluate update frequency and size of the reference window for databases Q1 done
2.9 Investigate trade-off of BGP monitoring coverage vs latency of data feed and processing Q2 Q3 done
2.10 Refine approaches for diagnosis of interception Q2 Q3 in progress
2.11 Refine approaches for event characterization and quantification of impact Q3 Q4 in progress
Task 3: Communication and Dissemination of Results
3.1 Write a technical report about research activities Q4 done
3.2 Invite selected researchers and operators to evaluate our approach and results Q4 in progress
3.3 Organize the workshop Q4 Q1 done
3.4 Publish the workshop report and recommendations Q2 done
3.5 Provide datasets of our results to the scientific community Q2 Q3 Q4 in progress
3.6 Provide real-time access to the output of our platform to collaborators, vetted researchers, and operators Q2 Q3 Q4
3.7 Submit scientific papers and present at major workshops and conferences Q1 Q2 Q3 Q4
3.8 Write 2nd technical report about research activities and infrastructure Q3