Understanding IP Hijack Events

Internet protocol (IP) addresses are a valuable resource of every organization. In recent years, a new kind of attack prevails in which the attacker hijacks the IP space of an organization, either a company of a public body, and exposes it to unlimited potential damage:

1. It is the first stage in man‐in‐the‐middle attacks that can penetrate the organization firewall. This gives the malicious attacker access to the organization network for stilling valuable data, and planting Trojans and engaging local communication, e.g., using SCADA.
2. It can be used for phishing attacks that allow the malicious attacker to harvest passwords of the organization web site users.
3. It can disconnect part of the organization network from the Internet. In addition, an attacker can hijack the IP address of an organization service provider and spy on its intellectual property. This may include mail server traffic, VoIP and conference call traffic, and backup traffic. Even seemingly benign traffic such as web searches can expose future interests and technology directions. Hijacking of HTTP traffic can also enable the attacker to inject malicious code to the surfing machine inside the organization network.

Renesys (now Dyn) and other organizations identify hijack attacks by analyzing BGP announcements. While this approach is capable of detecting hijack that is based on false BGP announcement it suffers from several drawbacks. First, since they rely on BGP feeds from a limited number of sources they based their analysis on partial view of the network, and due to the intrinsic filtering of BGP it may miss many hijack events. It is suspected that many hijack events are local and their messages may thus be filtered out when propagating through the system. The other major drawback on relying on BGP announcement is that they can only detect hijack events that are based on the BGP protocol. However, there can be other ways to perform hijack, e.g., by changing a DNS server content, by inserting static entries to forwarding tables at strategic points, and by altering BGP announcement en route.

The proposed Research:

We will analyze hijack events over time, and compare active monitoring with BGP based detection. The proposal includes:

1. Building a BGP analysis tool improving previous published techniques. Identifying hijack events using data from RouteViews, RIPE, and others. Analyzing the hijack events to better understand their duration, target types, time of day, distance, etc.
2. Building a traceroute analysis tool improving previous published techniques. Identifying hijack events using data from at least two companies that already agreed to share data with us, and based on data from the DIMES project at Tel Aviv University. Analyzing the hijack events as above.
3. Comparing the two methods by identifying areas cover by both. We expect to find hijack events that are not seen by BGP and attempt to understand the technique used for the hijack. We can also use active monitoring to check if hijack at the BGP level always result in packets following the new route.

Characterizing the hijack attacks is an important block in understanding how to build a detection system, how to tune hijack anomaly algorithms, and how to automatically fight hijack events.