MIT Researchers Modeling….
Routing attacks, including IP hijacks, are a common problem for networks. In 2017, more than 10 percent of routing domains worldwide experienced some form of routing incident. When you send an email or message, data gets routed across the web using Border Gateway Protocol (BGP), a core Internet protocol that directs data where to go. Routers use BGP to decide the best way to get data from one place to another.
Data can take many different routes once it leaves your router, and not all routes are created equally. Some are as fast as Teslas, others as slow as Volkswagen Buses. Nefarious actors can manipulate BGP traffic to have data pass through servers they would not otherwise traverse.
This happened in 2008 when an ISP in the Middle East directed traffic to its own servers causing it to crash, ultimately crashing YouTube as well. In 2014, a hacker rerouted traffic from several countries to Canada in an effort to steal Bitcoin.
In August 2008, two security researchers demonstrated at DEFCON how an attacker could eavesdrop or change a company’s unencrypted data by exploiting BGP. The attacker would reroute all of the company’s traffic through their own network and then send it to its destination without the owner’s knowledge.
Serial hijackers routinely abuse BGP to misdirect Internet traffic. BGP attacks can last for several hours because, until now, there has not been an efficient, reliable way to determine whether incorrectly directed traffic is accidental or malicious.
After detecting and remediating the problem, network operators may choose to notify other potential victims by adding information about the incident to network engineering mailing lists. As a result of haphazard detection and notification, bad actors can continue to commit cybercrimes with impunity.
MIT researchers have produced a study, “Profiling BGP Serial Hijackers: Capturing Persistent Misbehavior in the Global Routing Table,” outlining how they used machine learning to discover characteristics that are indicative of suspicious BGP activity by an Autonomous System (AS). The longitudinal study analyzed BGP traffic over a period of 5 years. The researchers successfully identified approximately 800 suspicious networks, some of which had been active for years.
Characteristics that separated malicious from legitimate BGP activity included:
- Intermittent AS presence: Legitimate ASes are active nearly 100% of the time, but serial hijacker ASes have shorter activity times and frequent drops in activity.
- Volatile prefix origination behavior: A legitimate AS usually is consistent from one month to the next in the number of prefixes it originates. A serial hijacker AS typically has greater volatility in the number of originated prefixes and a higher turnover of prefixes.
- Short prefix origination duration: The average prefix-origination duration for a malicious AS is 27 days versus 264 days for a legitimate AS.
- Fragmentation of originated address space: A Regional Internet Registry (RIR) assigns blocks of IP addresses to an AS. A legitimate AS normally uses a limited set of addresses that it is assigned, showing a high RIR concentration. A serial hijacker AS, however, tends to use a more uniform distribution of RIRs.
- Multi-origin conflicts of originated prefixes: Legitimate ASes typically have a mix of short-term and long-term Multiple Origin ASes (MOAS) durations, but serial hijackers predominantly use short-term MOAS announcements.
The model developed by the MIT researchers has high predictive value in distinguishing malicious ASes from legitimate ones. The ASes flagged by MIT’s new model as potentially malicious are 10 times as likely to be on the Spamhaus Don’t Route or Peer (DROP) list than the unflagged ASes. The DROP list consists of known spammers, hijackers, and other cyber criminals.
The model is not perfect. It flagged 18 DDoS protection networks that perform benign serial hijacking as a DDoS mitigation technique, out of 29 such networks that were present in the data set. There were also a handful of false positives: 4 “large prominent transit provider[s]” were flagged as potential serial hijackers.
In Conclusion
Previous research on serial hijackers has been solely focused on isolated incidents rather than behavior over time, so the MIT research represents a groundbreaking new approach that opens up further avenues of research.
Authored by Julie A. Hanway; IT Veterans Team Member
Research Sources:
Clark, D., Dainotti, A., King, A., Richter, P., and Testart, C. 2019. “Profiling BGP Serial Hijackers: Capturing Persistent Misbehavior in the Global Routing Table.” Accessed November 15.
Conner-Simons, A. 2019. “Using Machine Learning to Hunt Down Cybercriminals.” Accessed November 15.
Edwards, G. 2019. “Machine Learning | An Introduction.” Accessed November 15.
Tung, L. 2019. “MIT AI Researchers Devise Approach to Detect ‘Serial BGP Hijackers.” Accessed November 15.
Tung, L. 2019. “MIT: We’ve Created AI to Detect ‘Serial Internet Address Hijackers.” Accessed November 15
View Cyber Careers
