Lesson 9: Internet Security
It uses three main data sources to identify hosts that likely belong to rogue networks:
1. Botnet command and control providers 2. Drive-by-download hosting providers 3. Phish housing providers
ASwatch is based on monitoring global BGP routing activity to learn the control plane behavior of a network. The system has two phases
1. Training phase 2. Operational phase
Availability
A communication is not useful unless the information (or the service that is provided) is indeed available. So we will need to ensure that multiple aspects of the communication channel are functioning appropriately and we can cope with possible failures such as power outages, hardware failures, etc. or attacks that aim to render the system unavailable such as denial of service attacks.
Example
A given hijacking AS labelled AS2 announces that it has a path to prefix 10.10.0.0/24 which is a part of 10.10.0.0/16 owned by AS1.
Traffic Scrubbing Services
A scrubbing service diverts the incoming traffic to a specialized server, where the traffic is "scrubbed" into either clean or unwanted traffic. The clean traffic is then sent to its original destination. Although this method offers fine-grained filtering of the packets, there are monetary costs required for an in-time subscription, setup and other recurring costs. The other limitations include reduced effectiveness due to per packet processing and challenges in handling Tbps level attacks. There's also a possibility of decreased performance as the traffic may be rerouted and becoming susceptible to evasion attacks.
ACL Filters
Access Control List filters are deployed by ISPs or IXPs at their AS border routers to filter out unwanted traffic. These filters, whose implementation depends on the vendor-specific hardware, are effective when the hardware is homogeneous and the deployment of the filters can be automated. The drawbacks of these filters include limited scalability and since the filtering does not occur at the ingress points, it can exhaust the bandwidth to a neighboring AS.
Malicious Activities
Another factor to consider is the level of malicious activities that are seen to originate from the organization's network and infrastructure. We can determine this using spam traps, darknet monitors, DNS monitors, etc. We create a reputation blacklist of the IP addresses that are involved in some malicious activities. There are 3 such types of malicious activities: 1) Capturing spam activity - for example, CBL, SBL, SpamCop 2) Capturing phishing and malware activities - for example, PhishTank, SURBL 3) Capturing scanning activity - for example, Dshield, OpenBL
BGP hijacking attacks can be classified into the following groups:
Classification by Affected Prefix Sub-prefix hijacking Squatting Classification by AS-Path announcement Type-0 hijacking Type-N hijacking Type-U hijacking Classification by Data-Plane traffic manipulation blackholing (BH) attack man-in-the-middle attack (MM). imposture (IM) attack.
DNS-based content delivery
Content Distribution Networks (CDNs) also use DNS-based techniques to distribute content but using more complex strategies. For example CDNs distribute the load amongst multiple servers at a single location, but also distribute these servers across the world. When accessing the name of the service using DNS, the CDN computes the 'nearest edge server' and returns its IP address to the DNS client. It uses sophisticated techniques based on network topology and current link characteristics to determine the nearest server. This results in the content being moved 'closer' to the DNS client which increases responsiveness and availability. CDNs can react quickly to changes in link characteristics as their TTL is lower than that in RRDNS.
Security Incident Reports
Data based on actual security incidents gives us the ground truth on which to train our machine learning model on. The system uses 3 collections of such reports to ensure a wider coverage area: 1) VERIS Community Database - This is a public effort to collect cyber security incidents in a common format. It is maintained by the Verizon RISK team. It contains more than 5000 incident reports. 2) Hackmageddon - This is an independently maintained blog that aggregates security incidents on a monthly basis. 3) The Web Hacking Incidents Database - This is an actively maintained repository for cyber security incidents.
Drive-by-download hosting providers
Drive-by-download is a method of malware installation without interaction with the user. It commonly occurs when the victim visits a web page that contains an exploit for their vulnerable browser.
blackholing (BH) attack
Dropped, so that it never reaches the intended destination.
man-in-the-middle attack (MM)
Eavesdropped or manipulated before it reaches the receiving AS
Fast-Flux Service Networks
Fast-Flux Service Networks (FFDN) is an extension of the ideas behind RRDNS and CDN. As its name suggests, it is based on a 'rapid' change in DNS answers, with a TTL lower than that of RRDNS and CDN. One key difference between FFDN and the other methods is that after the TTL expires, it returns a different set of A records from a larger set of compromised machines. These compromised machines act as proxies between the incoming request and control node/mothership, forming a resilient, robust, one-hop overlay network.
Operational phase
Given an unknown AS, it then calculates the features for this AS. It uses the model to then assign a reputation score to the AS. If the system assigns the AS a low reputation score for several days in a row (indicating consistent suspicious behavior), it identifies it as malicious.
High Impact Attack
Here, the attacker is obvious in their intent to cause widespread disruption of services. e.g: Pakistan Telecom in a Type-0 sub-prefix hijacking, essentially blackholing all of YouTube's services worldwide for nearly 2 hours.
2. Mitigation with Multiple Origin AS (MOAS)
Here, the idea is to have third party organizations and service providers do BGP announcements for a given network. It is akin to the current model that exists for legitimizing network traffic by third parties that mitigate DDoS attacks. When a BGP hijacking event occurs, the following steps occur: a. The third party receives a notification and immediately announces from their locations the hijacked prefix(es). b. In this way, network traffic from across the world is attracted to the third party organization, which then scrubbs it and tunnels it to the legitimate AS
BGP hijacking causes or motivations behind these attacks
Human Error Targeted Attack High Impact Attack
Spoofing:
IP spoofing is the act of setting a false IP address in the source field of a packet with the purpose of impersonating a legitimate server. In DDoS attacks, this can happen in two forms. In the first form, the source IP address is spoofed, resulting in the response of the server sent to some other client instead of the attacker's machine. This results in wastage of network resources and the client resources while also causing denial of service to legitimate users. In the second type of attack, the attacker sets the same IP address in both the source and destination IP fields. This results in the server sending the replies to itself, causing it to crash.
amplification
If the requests are chosen in such a way that the reflectors send large responses to the victim, it is a reflection and amplification attack. Not only would the victim receive traffic from millions of servers, the response sent would be large in size, making it further difficult for the victim to handle it.
Mismanagement symptoms
If there are misconfigurations in an organization's network, it indicates that there may not be policies in place to prevent such attacks or may not have the technological capability to detect these failures. This increases the likelihood of a breach. The features used are: 1) Open Recursive Resolvers - misconfigured open DNS resolvers 2) DNS Source Port Randomization - many servers still do not implement this 3) BGP Misconfiguration - short-lived routes can cause unnecessary updates to the global routing table 4) Untrusted HTTPS Certificates - can detect the validity of a certificate by TLS handshake 5) Open SMTP Mail Relays - servers should filter messages so that only those in the same domain can send mails/messages.
imposture (IM) attack
Impersonated, e.g. In this case the network traffic of the victim AS is impersonated and the response to this network traffic is sent back to the sender.
1. Prefix deaggregation
In a BGP attack scenario, the affected network can either contact other networks or it can simply deaggregate the prefixes that were targeted by announcing more specific prefixes of a certain prefix. Remember our prior discussion of YouTube's services being attacked by Pakistan Telecom. The targeted prefix was 208.65.153.0/24. Within 90 minutes, YouTube started announcing 208.65.153.128/25 and 208.65.153.0/25, thereby counteracting the attack. Although the event required a long term solution, an immediate mitigation was required for services to come back online.
Reflection
In a reflection attack, the attackers use a set of reflectors to initiate an attack on the victim. A reflector is any server that sends a response to a request. For example, any web server or a DNS server would return a SYN ACK in response to a SYN packet as part of TCP handshake. Other examples include query responses sent by a server or Host Unreachable responses to a particular IP
Integrity
In addition to confidentiality, it is important to ensure the message has not been somehow modified while in transit from the sender to the receiver. For example, an intruder could attack by modification, insertion or deletion of part of the messages send. As a countermeasure, we can introduce mechanisms that check for the integrity of the message.
c. Type-U hijacking
In this attack the hijacking AS does not modify the AS-PATH but may change the prefix
2. Classification by AS-Path announcement
In this class of attacks, an illegitimate AS announces the AS-path for a prefix for which it doesn't have ownership rights. There are different ways this can be achieved:
3. Classification by Data-Plane traffic manipulation
In this class of attacks, the intention of the attacker is to hijack the network traffic and manipulate the redirected network traffic on its way to the receiving AS. There are three ways the attack can be realized under this classification, i.e. traffic intercepted by the hijacker can be
1. Classification by Affected Prefix
In this class of hijacking attacks, we are primarily concerned with the IP prefixes that are advertised by BGP. There are different ways the prefix can be targeted, such as:a. Exact prefix hijacking: When two different ASes (one is genuine and the other one is counterfeit) announce a path for the same prefix. This disrupts routing in such a way that traffic is routed towards the hijacker wherever the AS-path route is shortest, thereby disrupting traffic.
c. Squatting
In this type of attack, the hijacking AS announces a prefix that has not yet been announced by the owner AS
Targeted Attack
In this type of attack, the hijacking AS usually intercepts network traffic (MM attack) while operating in stealth mode to remain under the radar on the control plane (Type-N and Type-U attacks). e.g: Visa and Mastercard's traffic were hijacked by Russian networks using this method in 2017
Random Forest There are 3 classes of features used for this model:
Mismanagement symptoms Malicious Activities Security Incident Reports
The authors of the ARTEMIS paper put forth two main findings from their research work:
Outsource the task of BGP announcement to third parties Comparison of outsourcing BGP announcements vs prefix filtering
The ARTEMIS system uses two automated techniques in mitigating these attacks:
Prefix deaggregation Mitigation with Multiple Origin AS (MOAS)
Training phase There are three main families of features:
Rewiring activity IP Space Fragmentation and Churn BGP Routing Dynamics
Botnet command and control providers
Several botnets still rely on centralized command and control (C&C). So a bot-master would prefer to host their C&C on networks where it is unlikely to be taken down. The two main types of botnets this system considers are IRC-based botnets and HTTP-based botnets.
BGP Routing Dynamics
The BGP announcements and withdrawals for malicious ASes follow different patterns from legitimate ones - such as periodically announcing prefixes for short periods of time.
BGP Flowspec
The flow specification feature of BGP, called Flowspec, helps to mitigate DDoS attacks by supporting the deployment and propagation of fine-grained filters across AS domain borders. It can be designed to match a specific flow or be based on packet attributes like length and fragment. It can also be based on the drop rate limit. Although flowspec has been effective in intra-domain environment, it is not so popular in inter-domain environments as it depends on trust and cooperation among competitive networks. BGP Flowspec is an extension to the BGP protocol which allows rules to be created on the traffic flows and take corresponding actions. This feature of BGP can help mitigate DDoS attacks by specifying appropriate rules. The AS domain borders supporting BGP Flowspec are capable of matching packets in a specific flow based on a variety of parameters such as source IP, destination IP, packet length, protocol used, etc.
Training phase
The system learns control-plane behavior typical of both types of ASes. The system is given a list of known malicious and legitimate ASes. It then tracks the behavior of these ASes over time to track their business relationships with other ASes and their BGP updates/withdrawals patterns. ASwatch then computes statistical features of each AS.
Phish housing providers
This data source contains URLs of servers that host phishing pages. Phishing pages usually mimic authentic sites to steal login credentials, credit card numbers and other personal information. These pages are hosted on compromised servers and usually are up only for a short period of time.
Human Error
This is an accidental routing misconfiguration due to manual errors. This can lead to large scale exact-prefix hijacking. e.g: China Telecom accidentally leaked a full BGP table that led to large-scale Type-0 hijacking
b. Type-N hijacking
This is an attack where the counterfeit AS announces an illegitimate path for a prefix that it does not own to create a fake link (path) between different ASes.
b. Sub-prefix hijacking
This is an extension of exact prefix hijacking, except that in this case, the hijacking AS works with a sub-prefix of the genuine prefix of the real AS. This exploits the characteristic of BGP to favor more specific prefixes, and as a result route large/entire amount of traffic to the hijacking AS.
Confidentiality
This is perhaps the first thing that comes to our mind when we think about a secure communication. We want to ensure that the message that is sent from the sender to the receiver is only available to the two parties. An attack scenario is that we have an intruder that can eavesdrop on the communication by sniffing or recording the exchanged messages. One measure to increase the chances that a communication is confidential is to encrypt the message so that even if the communication is intercepted, the message would be meaningless to the attacker.
a. Type-0 hijacking
This is simply an AS announcing a prefix not owned by itself.
Round Robin DNS (RRDNS)
This method is used by large websites to distribute the load of incoming requests to several servers at a single physical location. It responds to a DNS request with a list of DNS A records, which it then cycles through in a round robin manner. The DNS client can then choose a record using different strategies -choose the first record each time, use the closest record in terms of network proximity, etc. Each A record also has a Time to Live (TTL) for this mapping which specifies the number of seconds the response is valid. If the lookup is repeated while the mapping is still active, the DNS client will receive the same set of records, albeit in a different order.
BGP Blackholing
This technique is implemented either the help of the upstream provider or with the help of the IXP (if the network is peering at an IXP). With this technique, the victim AS uses BGP to communicate the attacked destination prefix to its upstream AS, which then drops the attack traffic towards this prefix. Then either the provider (or the IXP) will advertise a more specific prefix and modifying the next-hop address that will divert the attack traffic to a null interface. The blackhole messages are tagged with a specific BGP blackhole community attribute, usually publicly available, to differentiate it from the regular routing updates.
Outsource the task of BGP announcement to third parties
To combat against BGP hijacking attacks, having even just one single external organization to mitigate BGP attacks is highly effective against BGP attacks.
Comparison of outsourcing BGP announcements vs prefix filtering
When compared against prefix filtering, which is the current standard defense mechanism, the research work found that filtering is less optimal when compared against BGP announcements.
Authentication
When two parties are communicating, it is important to ensure that the two parties are who they say they are. For example, an intruder may try to steal information by impersonating another entity on the network. As a countermeasure against these attacks we use authentication mechanisms to verify the identity of a user.
FInding Rogue Networks
a system that monitors the Internet for rogue networks. Rogue networks are networks whose main purpose is malicious activity such as phishing, hosting spam pages, hosting pirated software, etc.
Distributed Denial of Service (DDoS)
attack is an attempt to compromise a server or network resources with a flood of traffic. To achieve this, the attacker first compromises and deploys flooding servers (slaves).
Rewiring activity
based on changes in the AS connecting activity. Frequent changes in customers/providers, connecting with less popular providers, etc. is usually suspicious behavior.
IP Space Fragmentation and Churn
based on the advertised prefixes. Malicious ASes are likely to use small BGP prefixes to partition their IP address space and only advertise a small section of these (to avoid all of them being taken down at one if detected).
The key ideas behind ARTEMIS are:
configuration file mechanism for receiving BGP updates
A mechanism for receiving BGP updates
this allows receiving updates from local routers and monitoring services. This is built into the system
A configuration file
where all the prefixes owned by the network are listed here for reference. This configuration file is populated by the network operator.