The present application relates generally to network security threats. More specifically, the present application is directed to a system, method and computer storage medium to select monitors that increase the likelihood of detecting prefix hijacking events of a destination prefix on a network, such as the Internet.
Prefix hijacking refers to a misconfigured or a malicious border gateway protocol (BGP) router that originates or announces a route to an Internet Protocol (IP) prefix (e.g., a destination prefix) that it does not own. This is becoming an increasingly serious Internet security threat.
On a network, such as the Internet, IP packets are routed based on destination IP addresses. Routing tables of BGP routers are also organized based on the destination IP addresses. For scalability, plural destination IP addresses may be represented collectively by an IP destination prefix and routes stored in the BGP routers' routing tables are indexed based on the IP destination prefix. The IP destination prefix indicates an address portion common to the plural destination IP addresses (e.g., destination prefix) and a number of bits associated with the destination prefix. For example, a destination prefix of 168.205.122/24 indicates that a first 24 bits are common to destination IP addresses represented by the destination prefix (e.g., 10101000 11001101 01111010 in binary or 168.205.122 in hexadecimal). The example destination prefix may represent destination IP addresses from 168.205.122.0 to 168.205.122.255.
On the Internet, one or more subnet networks that are under control of an independently administered domain constitute an autonomous system (AS), which is identified via a unique numerical ID (e.g., AS ID) assigned to it by its regional Internet registry. The AS includes one or more BGP routers to facilitate inter-domain routing, e.g. routing of IP traffic to and from neighboring ASes. The AS ID is associated with one or more IP destination prefixes that the AS owns.
The Internet includes tens of thousands of autonomous systems (ASes). ASes establish neighboring relationships, employing BGP to maintain and exchange inter-domain routing information (or routing announcements). BGP operates based on the assumption that there is implicit trust among the ASes. As a result, inter-domain routing between ASes is incapable of preventing a BGP router of a malicious AS from announcing a route to a destination prefix using a fabricated AS path (e.g., false announcement). Such a false announcement may cascade quickly to a large number of BGP routers across multiple ASes and pollute their associated routing tables.
Based on the false announcements, the entries in the routing tables may be updated by the BGP routers for the destination prefix because the BGP router's malicious AS appears to be a very attractive next hop for forwarding traffic towards that destination prefix, resulting in hijacking of the destination prefix. Thus, IP traffic from certain parts of the Internet destined to the destination prefix may be affected. For example, the malicious AS may drop all IP traffic addressed to the destination prefix to effectively cause a denial of service attack against the destination prefix. The malicious AS may also redirect IP traffic to an alternate destination prefix that may operate as a phishing attack. Other types of attacks are also possible by hijacking the destination prefix. As a result, one or more networks of a domain identified by the hijacked destination prefix may experience performance degradation, service outage, and/or a serious security breach.
Destination prefix monitors may be disposed at certain ASes on the Internet to determine routes of IP traffic from the monitors to a destination prefix across the Internet using a traceroute program. Disposing a multiplicity of destination prefix monitors amongst the ASes does not by itself improve the likelihood of detecting a hijack of the destination prefix and inexorably increases the collection and reporting of traceroute information. It would be desirable to select plural destination prefix monitors that increase the likelihood of detecting prefix hijacking events of the destination prefix.
In accordance with a particular embodiment, a method for selecting candidate prefix hijack monitors is disclosed. The method includes assigning each of the candidate prefix hijack monitors to a respective cluster of a plurality of clusters. Each of the candidate prefix hijack monitors is associated with an autonomous system (AS) that indicates an AS path of autonomous systems (ASes) from the AS to a destination prefix associated with a destination AS. The method further includes iteratively merging a pair of clusters with a highest similarity score amongst cluster pairs of the plurality of clusters into a single cluster until a processed number of clusters is less than or equal to a predetermined number of clusters. The method also includes ranking each candidate prefix hijack monitor of each of the processed number of clusters according to a route type from an AS associated with the candidate prefix hijack monitor and an AS distance from the AS associated with the candidate prefix hijack monitor to the destination AS. Yet further, the method includes determining a highest ranked candidate prefix hijack monitor of each of the processed number of clusters.
In accordance with another embodiment, a monitor selection system to select candidate prefix hijack monitors is disclosed. The system includes a cluster module, a rank module, and a determination module. The cluster module is configured to assign each of the candidate prefix hijack monitors to a respective cluster of a plurality of clusters. Each of the candidate prefix hijack monitors is associated with an autonomous system (AS) that indicates an AS path of autonomous systems (ASes) from the AS to a destination prefix associated with a destination AS. The cluster module is further configured to iteratively merge a pair of clusters with a highest similarity score amongst cluster pairs of the plurality of clusters into a single cluster until a processed number of clusters is less than or equal to a predetermined number of clusters. The rank module is configured to rank each candidate prefix hijack monitor of each of the processed number of clusters according to a route type from an AS associated with the candidate prefix hijack monitor and an AS distance from the AS associated with the candidate prefix hijack monitor to the destination AS. The determination module is configured to determine a highest ranked candidate prefix hijack monitor of each of the processed number of clusters.
In accordance with a further embodiment, a computer-readable storage medium that includes operational instructions for selecting candidate prefix hijack monitors is disclosed. The medium includes instructions that, when executed by a processor, cause the processor to assign each of the candidate prefix hijack monitors to a respective cluster of a plurality of clusters, each of the candidate prefix hijack monitors associated with an autonomous system (AS) that indicates an AS path of autonomous systems (ASes) from the AS to a destination prefix associated with a destination AS. The medium further includes instructions that, when executed by a processor, cause the processor to iteratively merge a pair of clusters with a highest similarity score amongst cluster pairs of the plurality of clusters into a single cluster until a processed number of clusters is less than or equal to a predetermined number of clusters. The medium also includes instructions that, when executed by a processor, cause the processor to rank each candidate prefix hijack monitor of each of the processed number of clusters according to a route type from an AS associated with the candidate prefix hijack monitor and an AS distance from the AS associated with the candidate prefix hijack monitor to the destination AS. Yet further, the medium includes instructions that, when executed by a processor, cause the processor to determine a highest ranked candidate prefix hijack monitor of each of the processed number of clusters.
Some embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings in which:
System, method and computer-readable storage medium to select monitors that increase the likelihood of detecting prefix hijacking events of a destination prefix are disclosed. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of example embodiments. It will be evident, however, to one skilled in the art, that an example embodiment may be practiced without all of the disclosed specific details.
The example topology of
In the example distribution topology 100 of
Contemporaneously with or after updating RT 122, BGP router 120 of AS #67 generates and distributes an announcement message to its neighbor ASes (e.g., AS #51) to announce its AS path to the destination prefix (135.207.122/24) of the destination AS (e.g., destination AS #134). An example announcement message 300a of BGP router 120 is depicted in
Similarly, contemporaneously with or after updating RT 118, BGP router 116 of AS #51 generates and distributes an announcement message to its neighbor ASes (e.g., ASes #1257 and #1258) to announce its AS path to the destination prefix (e.g., 135.207.122/24) of the destination AS (e.g., destination AS #134). An example announcement message 300b of BGP router 116 is depicted in
Further, contemporaneously with or after updating RT 112, BGP router 110 of AS #1257 generates and distributes an announcement message to its neighbor ASes (e.g., AS #4) to announce its AS path to the destination prefix (e.g., 135.207.122/24) of the destination AS (e.g., destination AS #134). An example announcement message 300c of BGP router 110 is depicted in
Still further, contemporaneously with or after updating RT 130, BGP router 128 of AS #1258 generates and distributes an announcement message to its neighbor ASes (e.g., AS #6) to announce its AS path to the destination prefix (e.g., 135.207.122/24) of the destination AS (e.g., destination AS #134). An example announcement message 300d of BGP router 128 is depicted in
In response to receiving the announcement message 600a from BGP router 422 of AS #93, BGP router 110 of AS #1257 determines whether the announced AS path (e.g., AS path=[#93, #134]) to the destination prefix (e.g., 135.207.122/24) of the destination AS #134 is a better AS path than a current AS path (e.g., AS path=[#1257, #51, #67, #134]), as particularly shown in
Contemporaneously with or after updating RT 112, BGP router 110 of AS #1257 generates and distributes an announcement message to its neighbor ASes (e.g., ASes #4 and #1258) to announce its new AS path to the destination prefix (e.g., 135.207.122/24) of the destination AS (e.g., destination AS #134). An example announcement message 600b of BGP router 110 is depicted in
Also, in response to receiving the announcement message 600b from BGP router 110 of AS #1257, BGP router 116 of AS #51 determines whether the announced AS path (e.g., AS path=[#1257, #93, #134]) to the destination prefix (e.g., 135.207.122/24) of the destination AS #134 is a better AS path than a current AS path (e.g., AS path=[#51, #67, #134]), as particularly shown in
To monitor for the possible hijacking of a destination prefix (e.g., 135.207.122/24) of a destination AS (e.g., destination AS #134), a set of candidate prefix hijack monitors may be disposed at certain ASes on the transmission network 402 to determine routes of IP traffic from the candidate prefix hijack monitors to the destination prefix of the destination AS across the network 402 (e.g. Internet), using a traceroute program. For example, the set of candidate prefix hijack monitors may include candidate prefix hijack monitors 406, 408 and 410, which may be disposed at ASes #4, #1257 and #6, respectively. It should be noted that the number of candidate hijack monitors in the set of candidate prefix hijack monitors may be substantially larger based on the number of ASes in network 402.
The distribution topology 400 includes a monitor selection system 412 that is configured to select a desired number of prefix hijack monitors from the set of candidate prefix hijack monitors that are most likely to detect a prefix hijack event of the destination prefix of the destination AS #134. The monitor selection system includes a route type acquisition module 411, a cluster module 414, a rank module 416, a determination module 418 and an assignment module 420.
The route type acquisition module 411 is configured to acquire a route type associated with an AS. The route type may be a provider, peer or customer route. The route type acquisition module 411 may acquire the route type associated with an AS by querying a regional Internet registry with which the AS is registered, querying the AS for its route type, or defaulting to a route type based on a number of neighbors of the AS. As an example, if the number of neighbors of an AS is fewer than 1000, the default route type may be a customer route. As another example, if the number of neighbors of an AS is greater than 1000, the default route type may be a provider route.
The cluster module 414 is configured to cluster the candidate prefix hijack monitors from the set of candidate hijack monitors into a predetermined or desired number of clusters. Each cluster will include one or more of the candidate prefix hijack monitors with similar AS paths to the destination prefix of the destination AS #134. Although a cluster may include only one candidate prefix hijack monitor if the desired number of clusters has been reached, in most instances each cluster will include a plurality of candidate prefix hijack monitors that have similar AS paths to the destination prefix of the destination AS #134.
As will be described in greater detail with reference to
The rank module 416 is configured to rank each candidate prefix hijack monitor of each cluster according to a type of AS route from an AS associated with that candidate prefix hijack monitor to a next hop AS (e.g., provider route, peer route, customer route) and a distance from the AS to the destination AS (e.g., to destination AS #134). A provider route is highest, a peer route is next highest and a customer route is lowest. This ordering follows a common practice among Internet service providers in deciding which route type to pick when multiple route types are available. When an AS has a choice of neighboring AS to which to forward IP traffic, it most prefers to forward the traffic to a neighbor AS that is its customer, e.g., an AS whose route type is that of a customer, because IP traffic forwarded over this route generates revenue. A neighbor AS whose route type is that of a provider to the forwarding AS is the least preferred alternative because forwarding IP traffic to such an AS incurs cost. Therefore, a route through a provider is most likely to be hijacked. A numerical value may be assigned to the candidate prefix hijack monitor to indicate the type of AS route from its associated AS to a next hop AS. For example, the candidate prefix hijack monitor 406 may be assigned a value of 100 to indicate that the AS route from AS #4 to AS #1257 is a customer route (e.g., AS #4 is a customer of AS #1257); the candidate prefix hijack monitor 408 may be assigned a value of 300 to indicate that the AS route from AS #1257 to AS #51 is a provider route (e.g., AS #51 is a provider to AS #1257); and the candidate prefix hijack monitor 410 may be assigned a value of 200 to indicate that the AS route from AS #6 to AS #1258 is a peer route (e.g., AS #6 and AS #1258 are peers).
In addition to the route type, distance is also a concern when an AS decides how to forward IP traffic. An AS distance value is therefore added to the route type value assigned to each candidate prefix hijack monitor. More specifically, the AS distance value is the AS hop distance from the AS associated with each candidate prefix hijack monitor to the destination AS. For example, for the candidate prefix hijack monitor 406 an AS distance value of 4 may be added to its assigned value of 100 for a total value of 104 (e.g., distance value from AS #4 to AS #134); for the candidate prefix hijack monitor 408 an AS distance value of 3 may be added to its assigned value of 300 for a total value of 303 (e.g., distance value from AS #1257 to AS #134); for the candidate prefix hijack monitor 410 an AS distance value of 5 may be added to its assigned value of 200 for a total value of 205 (e.g., distance value from AS #6 to AS #134).
The determination module 418 is configured to determine a highest ranked candidate prefix hijack monitor in each cluster based on its assigned value determined by the rank module 416. The determined highest-ranked candidate prefix hijack monitors of the clusters are the most likely to detect prefix hijack events of the destination prefix of the destination AS #134. For example, based on the foregoing types of routes and distance values, the highest ranked candidate prefix hijack monitor determined from the first cluster is candidate prefix hijack monitor 408 and the highest ranked candidate prefix hijack monitor determined from the second cluster is candidate prefix hijack monitor 410.
The assignment module 420 may assign or configure only the highest ranked candidate prefix hijack monitors (e.g., prefix hijack monitors 408 and 410) determined from the set of candidate prefix hijack monitors (e.g., prefix hijack monitors 406, 408 and 410) to monitor the destination prefix (e.g., 135.207.122/24) of the destination AS (e.g., destination AS #134), as they are the most likely to detect prefix hijack events of the destination prefix of the destination AS #134.
Operations 706-712 are performed until the number of clusters is less than or equal to a predetermined number of clusters (e.g., m<=2). Operations 706-712 may be performed by cluster module 414. At operation 706, a similarity score is computed for each pair of clusters. The similarity score may be based on a similarity of AS paths of ASes associated with the candidate prefix hijack monitors to the destination prefix of the destination AS. The similarity score between two clusters is determined as the largest similarity score among all possible similarity scores between any two member ASes, one from each cluster. Further, the similarity score between two candidate prefix hijack monitors may be computed by inspecting their AS paths, an AS path from each candidate prefix hijack monitor's AS to the destination AS. Particularly, the similarity score may be computed as the number of common ASes (hops) in the two AS paths divided by the length of the shorter AS path (number of hops) to the destination AS amongst the two AS paths. For example, the AS path of AS #4 associated with candidate prefix hijack monitor 406 is [#4, #1257, #93, #134] and the AS path of AS #1257 associated with monitor 408 is [#1257, #93, #134]. These candidate prefix hijack monitors share three (3) common hops (e.g., ASes #1257, #93, #134) and the length of the shorter AS path to the destination AS #134 is three (3) hops. Consequently, the similarity score between candidate prefix hijack monitors 406 and 408 is 3/3 or 1.0. The similarity score between candidate prefix hijack monitors 406 and 410 is ¼ or 0.25. The similarity score between candidate prefix hijack monitors 408 and 410 is ⅓ or 0.33.
At operation 708, a pair of clusters with the largest similarity score is identified amongst the clusters. For example, in the first iteration of 706-712, the similarity scores between any two clusters are: similarity score of (1.0) for clusters 1 and 2 (e.g., similarity score between prefix hijack monitors 406 and 408); similarity score of (0.25) for clusters 1 and 3 (e.g., similarity score between prefix hijack monitors 406 and 410); and similarity score of (0.33) for clusters 2 and 3 (e.g., similarity score between prefix hijack monitors 408 and 410). At operation 710, cluster 1 and cluster 2 are merged into one newly-formed cluster (denoted as cluster 1-2) because they have the largest similarity score. Now there are two clusters, clusters 1-2 and 3. Cluster 1 and cluster 2 are no longer included in the subsequent iterations.
At operation 712, a determination is made as to whether the number of clusters is less than or equal to the predetermined m clusters (e.g., 2 clusters). If it is determined at operation 712 that the number of clusters is not less than or equal to m clusters, then the method 700 continues to perform operations 706-712 to reduce the number of clusters to less than or equal to m clusters. If it is determined at operation 712 that the number of clusters is less than or equal to m clusters, as in this example, the method 700 continues at operation 714 below. In this example, only one iteration through operations 706-712 is performed because the number of clusters reaches (e.g., equals) m clusters in one iteration. However, if a next iteration were performed, because the similarity score for clusters that include multiple candidate prefix hijack monitors is computed as the maximum similarity score from any one of the candidate prefix hijack monitors of a first cluster to any one of the candidate prefix hijack monitors of a second cluster, the similarity score between clusters 1-2 and 3 would be (0.33), which is the similarity score between prefix hijack monitor 408 from cluster 1-2 and prefix hijack monitor 410 from cluster 3.
At operation 714, each candidate prefix hijack monitor in each cluster (e.g., clusters 1-2 and 3) is ranked according to a route type from an AS associated with that candidate prefix hijack monitor to a next hop AS (e.g. provider, peer or customer route) plus a distance from the AS to the destination AS. The rank module 416 may perform operation 714. An example implementation of the route type was described in relation to
At operation 716, a highest ranked candidate prefix hijack monitor in each cluster (e.g., clusters 1-2 and 3) is determined based on the ranking, as the most likely to detect a prefix hijack event of the destination prefix 135.207.122/24 of the destination AS #134. For example, candidate prefix hijack monitors 408 and 410 are determined to be highest ranked at operation 716. At operation 718, candidate prefix hijack monitors that are determined to be highest ranked (e.g., candidate prefix hijack monitors 408 and 410) are assigned to detect prefix hijack events of the destination prefix. For example, the assignment module 420 may assign candidate prefix hijack monitors 408 and 410 to monitor the destination prefix 135.207.122/24 of the destination AS #134. The method 700 ends at operation 720.
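The whole of method 700 (similarity scoring, merging the most similar pair of clusters until at most m remain, ranking by route type plus AS distance, and picking the top monitor per cluster) is compact enough to carry through end to end on the page's own numbers. The following is an added example, not the application's code; the candidate set is constructed from the values given for monitors 406, 408 and 410, and the AS path for AS #6 is an assumption chosen so that it reproduces the stated similarity scores (0.25 and 0.33) and distance (5).

```python
from itertools import combinations

# Route-type values as given on the page: a provider route ranks highest.
ROUTE_TYPE_VALUE = {"customer": 100, "peer": 200, "provider": 300}

# Constructed candidate set (assumption). Paths for 406 and 408 are the page's;
# the path for AS #6 (monitor 410) is assumed to match the page's scores.
CANDIDATES = {
    406: {"as": 4,    "path": [4, 1257, 93, 134],     "route_type": "customer"},
    408: {"as": 1257, "path": [1257, 93, 134],        "route_type": "provider"},
    410: {"as": 6,    "path": [6, 1258, 51, 67, 134], "route_type": "peer"},
}


def similarity(path_a, path_b):
    """Operation 706: common ASes divided by the length of the shorter AS path."""
    common = len(set(path_a) & set(path_b))
    return common / min(len(path_a), len(path_b))


def cluster_similarity(cluster_a, cluster_b, candidates):
    """Largest member-to-member similarity across two clusters."""
    return max(similarity(candidates[a]["path"], candidates[b]["path"])
               for a in cluster_a for b in cluster_b)


def cluster_candidates(candidates, m):
    """Operations 704-712: one cluster per monitor, then merge the most similar
    pair until at most m clusters remain. Returns a list of frozensets of monitor ids."""
    if m < 1:
        raise ValueError("the number of clusters m must be at least 1")
    clusters = [frozenset([mid]) for mid in candidates]
    while len(clusters) > m:  # len >= 2 here, so a pair always exists
        i, j = max(combinations(range(len(clusters)), 2),
                   key=lambda ij: cluster_similarity(clusters[ij[0]], clusters[ij[1]], candidates))
        merged = clusters[i] | clusters[j]
        clusters = [c for k, c in enumerate(clusters) if k not in (i, j)] + [merged]
    return clusters


def rank_value(candidate):
    """Operation 714: route-type value plus AS hop distance to the destination AS.
    The page counts the distance as the number of ASes on the path."""
    return ROUTE_TYPE_VALUE[candidate["route_type"]] + len(candidate["path"])


def select_monitors(candidates, m):
    """Operation 716: the highest-ranked monitor from each of the m clusters."""
    return sorted(max(cluster, key=lambda mid: rank_value(candidates[mid]))
                  for cluster in cluster_candidates(candidates, m))


if __name__ == "__main__":
    for cluster in cluster_candidates(CANDIDATES, 2):
        print(sorted(cluster), [rank_value(CANDIDATES[mid]) for mid in sorted(cluster)])
    print("selected monitors:", select_monitors(CANDIDATES, 2))
```

Running it reproduces the page's walk-through: clusters {406, 408} and {410}, rank values 104, 303 and 205, and monitors 408 and 410 selected. The same functions work for a larger candidate set, since the merge loop only depends on the AS paths and the desired m.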
In a networked deployment, the computer system 800 may operate in the capacity of a BGP router, an IGP router, a prefix hijack monitor, or a monitor selection system. The computer system 800 may also be implemented as or incorporated into various devices, such as a personal computer (PC), a tablet PC, a personal digital assistant (PDA), a mobile device, a palmtop computer, a laptop computer, a desktop computer, a communications device, a wireless telephone, a land-line telephone, a control system, a camera, a scanner, a facsimile machine, a printer, a pager, a personal trusted device, a web appliance, a network router, switch or bridge, or any other machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while a single computer system 800 is illustrated, the term “system” shall also be taken to include any collection of systems or sub-systems that individually or jointly execute a set, or multiple sets, of instructions to perform one or more computer functions.
As illustrated in
In a particular embodiment, as depicted in
In an alternative embodiment, dedicated hardware implementations, such as application specific integrated circuits, programmable logic arrays and other hardware devices, may be constructed to implement one or more of the methods described herein. Applications that may include the apparatus and systems of various embodiments may broadly include a variety of electronic and computer systems. One or more embodiments described herein may implement functions using two or more specific interconnected hardware modules or devices with related control and data signals that may be communicated between and through the modules, or as portions of an application-specific integrated circuit. Accordingly, the present system encompasses software, firmware, and hardware implementations.
In accordance with various embodiments, the methods described herein may be implemented by software programs tangibly embodied in a processor-readable medium and may be executed by a processor. Further, in an exemplary, non-limited embodiment, implementations may include distributed processing, component/object distributed processing, and parallel processing. Alternatively, virtual computer system processing may be constructed to implement one or more of the methods or functionality as described herein.
The present application contemplates a computer-readable medium that includes instructions 820 or receives and executes instructions 820 responsive to a propagated signal, so that a device connected to a network 824 may communicate voice, video or data over the network 824. Further, the instructions 820 may be transmitted or received over the network 824 via the network interface device 808.
While the computer-readable medium is shown to be a single medium, the term “computer-readable medium” includes a single medium or multiple media, such as a centralized or distributed database, and/or associated caches and servers that store one or more sets of instructions. The term “computer-readable medium” shall also include any medium that is capable of storing, encoding or carrying a set of instructions for execution by a processor or that cause a computer system to perform any one or more of the methods or operations disclosed herein.
In a particular non-limiting, exemplary embodiment, the computer-readable medium may include a solid-state memory such as a memory card or other package that houses one or more non-volatile read-only memories. Further, the computer-readable medium may be a random access memory or other volatile re-writable memory. Additionally, the computer-readable medium may include a magneto-optical or optical medium, such as a disk or tapes or other storage device to capture carrier wave signals such as a signal communicated over a transmission medium. A digital file attachment to an e-mail or other self-contained information archive or set of archives may be considered a medium that is equivalent to a tangible storage medium. Accordingly, the application is considered to include any one or more of a computer-readable medium and other equivalents and successor media, in which data or instructions may be stored.
Although the present application describes components and functions that may be implemented in particular embodiments with reference to particular standards and protocols, the application is not limited to such standards and protocols. Such standards and protocols are periodically superseded by faster or more efficient equivalents having essentially the same functions. Accordingly, replacement standards and protocols having the same or similar functions as those disclosed herein are considered equivalents thereof.
Thus, a system, method and computer-readable storage medium to select monitors that increase the likelihood of detecting prefix hijacking events of a destination prefix on a network have been described. Although specific example embodiments have been described, it will be evident that various modifications and changes may be made to these embodiments without departing from the broader spirit and scope of the invention. Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense. The accompanying drawings that form a part hereof, show by way of illustration, and not of limitation, specific embodiments in which the subject matter may be practiced. The embodiments illustrated are described in sufficient detail to enable those skilled in the art to practice the teachings disclosed herein. Other embodiments may be utilized and derived therefrom, such that structural and logical substitutions and changes may be made without departing from the scope of this application. This Detailed Description, therefore, is not to be taken in a limiting sense, and the scope of various embodiments is defined only by the appended claims, along with the full range of equivalents to which such claims are entitled.
Such embodiments of the inventive subject matter may be referred to herein, individually and/or collectively, by the term “invention” merely for convenience and without intending to voluntarily limit the scope of this application to any single invention or inventive concept. Thus, although specific embodiments have been illustrated and described herein, it should be appreciated that any arrangement calculated to achieve the same purpose may be substituted for the specific embodiments shown. This application is intended to cover any and all adaptations or variations of various embodiments. Combinations of the above embodiments and other embodiments not specifically described herein, will be apparent to those of skill in the art upon reviewing the above description.
The Abstract is provided to comply with 37 C.F.R. §1.72(b) and will allow the reader to quickly ascertain the nature of the technical disclosure of this application. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims.
In the foregoing description of the embodiments, various features may be grouped together in a single embodiment for the purpose of streamlining the disclosure of this application. This method of disclosure is not to be interpreted as reflecting that the claimed embodiments have more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive subject matter lies in less than all features of a single disclosed embodiment.
Number | Name | Date | Kind
---|---|---|---
7839850 | Kompella | Nov 2010 | B2
20020078202 | Ando et al. | Jun 2002 | A1
20030115340 | Sagula et al. | Jun 2003 | A1

Number | Date | Country
---|---|---
20100132039 A1 | May 2010 | US