A System to Detect Forged-Origin Hijacks

Thomas Holterbach; Thomas Alfroy; Amreesh D. Phokeer; Alberto Dainotti; Cristel Pelsser; et al.
(2024) 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI 24), Santa Clara, CA, US (16 April 2024)

Details

Authors
  • Thomas Holterbach, Université de Strasbourg
  • Thomas Alfroy, Université de Strasbourg
  • Amreesh D. Phokeer, ISOC
  • Alberto Dainotti, Georgia Tech
  • Cristel Pelsser
  • et al.
Abstract
Despite global efforts to secure Internet routing, attackers still successfully exploit the lack of strong BGP security mechanisms. This paper focuses on an attack vector that is frequently used: Forged-origin hijacks, a type of BGP hijack where the attacker manipulates the AS path to make it immune to RPKI-ROV filters and appear as legitimate routing updates from a BGP monitoring standpoint. Our contribution is DFOH, a system that quickly and consistently detects forged-origin hijacks in the whole Internet. Detecting forged-origin hijacks boils down to inferring whether the AS path in a BGP route is legitimate or has been manipulated. We demonstrate that current state-of-art approaches to detect BGP anomalies are insufficient to deal with forged-origin hijacks. We identify the key properties that make the inference of forged AS paths challenging, and design DFOH to be robust against real-world factors (e.g., data biases). Our inference pipeline includes two key ingredients: (i) a set of strategically selected features, and (ii) a training scheme adapted to topological biases. DFOH detects 90.9% of the forged-origin hijacks within only ≈5min. In addition, it only reports ≈17.5 suspicious cases every day for the whole Internet, a small number that allows operators to investigate the reported cases and take countermeasures.
Citations

Thomas Holterbach, Thomas Alfroy, Amreesh D. Phokeer, Alberto Dainotti, Pelsser, C., et al. (2024). A System to Detect Forged-Origin Hijacks. 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI 24), Santa Clara, CA, US.