{"id":2673,"date":"2019-10-09T03:59:59","date_gmt":"2019-10-09T03:59:59","guid":{"rendered":"https:\/\/www.aiproblog.com\/index.php\/2019\/10\/09\/using-machine-learning-to-hunt-down-cybercriminals\/"},"modified":"2019-10-09T03:59:59","modified_gmt":"2019-10-09T03:59:59","slug":"using-machine-learning-to-hunt-down-cybercriminals","status":"publish","type":"post","link":"https:\/\/www.aiproblog.com\/index.php\/2019\/10\/09\/using-machine-learning-to-hunt-down-cybercriminals\/","title":{"rendered":"Using machine learning to hunt down cybercriminals"},"content":{"rendered":"<p>Author: Adam Conner-Simons | MIT CSAIL<\/p>\n<div>\n<p>Hijacking IP addresses is an increasingly popular form of cyber-attack. This is done for a range of reasons, from sending <a href=\"http:\/\/people.eecs.berkeley.edu\/~sylvia\/cs268-2019\/papers\/\/net-spammers.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">spam<\/a> and <a href=\"http:\/\/dyn.com\/blog\/vast-world-of-fraudulent-routing\/\" target=\"_blank\" rel=\"noopener noreferrer\">malware<\/a> to <a href=\"http:\/\/hackingdistributed.com\/2017\/05\/01\/bgp-attacks-on-btc\/\" target=\"_blank\" rel=\"noopener noreferrer\">stealing Bitcoin<\/a>. It\u2019s estimated that in 2017 alone, routing incidents such as IP hijacks affected <a href=\"http:\/\/www.internetsociety.org\/blog\/2018\/01\/14000-incidents-2017-routing-security-year-review\/\">more than 10 percent<\/a> of all the world\u2019s routing domains. 
There have been major incidents at <a href=\"http:\/\/arstechnica.com\/information-technology\/2018\/04\/suspicious-event-hijacks-amazon-traffic-for-2-hours-steals-cryptocurrency\/\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon<\/a> and <a href=\"http:\/\/arstechnica.com\/information-technology\/2018\/11\/major-bgp-mishap-takes-down-google-as-traffic-improperly-travels-to-china\/\" target=\"_blank\" rel=\"noopener noreferrer\">Google<\/a> and even in nation-states \u2014 <a href=\"http:\/\/scholarcommons.usf.edu\/cgi\/viewcontent.cgi?article=1050&#038;context=mca\" target=\"_blank\" rel=\"noopener noreferrer\">a study last year<\/a> suggested that a Chinese telecom company used the approach to gather intelligence on western countries by rerouting their internet traffic through China.<\/p>\n<p>Existing efforts to detect IP hijacks tend to look at specific cases when they\u2019re already in process. But what if we could predict these incidents in advance by tracing things back to the hijackers themselves?\u00a0\u00a0<\/p>\n<p>That\u2019s the idea behind a new machine-learning system developed by researchers at MIT and the University of California at San Diego (UCSD). By illuminating some of the common qualities of what they call \u201cserial hijackers,\u201d the team trained their system to be able to identify roughly 800 suspicious networks \u2014 and found that some of them had been hijacking IP addresses for years.\u00a0<\/p>\n<p>\u201cNetwork operators normally have to handle such incidents reactively and on a case-by-case basis, making it easy for cybercriminals to continue to thrive,\u201d says lead author Cecilia Testart, a graduate student at MIT\u2019s Computer Science and Artificial Intelligence Laboratory (CSAIL) who will present the paper at the ACM Internet Measurement Conference in Amsterdam on Oct. 23. 
\u201cThis is a key first step in being able to shed light on serial hijackers\u2019 behavior and proactively defend against their attacks.\u201d<\/p>\n<p>The paper is a collaboration between <a href=\"https:\/\/www.csail.mit.edu\/\" target=\"_blank\" rel=\"noopener noreferrer\">CSAIL<\/a> and the <a href=\"http:\/\/www.caida.org\/home\/\" target=\"_blank\" rel=\"noopener noreferrer\">Center for Applied Internet Data Analysis<\/a> at UCSD\u2019s Supercomputer Center. The paper was written by Testart and David Clark, an MIT senior research scientist, alongside MIT postdoc Philipp Richter and data scientist Alistair King as well as research scientist Alberto Dainotti of UCSD.<\/p>\n<p><strong>The nature of nearby networks<\/strong><\/p>\n<p>IP hijackers exploit a key shortcoming in the Border Gateway Protocol (BGP), a routing mechanism that essentially allows different parts of the internet to talk to each other. Through BGP, networks exchange routing information so that data packets find their way to the correct destination.\u00a0<\/p>\n<p>In a BGP hijack, a malicious actor convinces nearby networks that the best path to reach a specific IP address is through their network. That\u2019s unfortunately not very hard to do, since BGP itself doesn\u2019t have any security procedures for validating that a message is actually coming from the place it says it\u2019s coming from.<\/p>\n<p>\u201cIt\u2019s like a game of Telephone, where you know who your nearest neighbor is, but you don\u2019t know the neighbors five or 10 nodes away,\u201d says Testart.<\/p>\n<p>In 1998 the U.S. 
Senate&#8217;s first-ever cybersecurity hearing featured a team of hackers who claimed that they could use IP hijacking to take down the Internet in <a href=\"http:\/\/www.washingtonpost.com\/sf\/business\/2015\/06\/22\/net-of-insecurity-part-3\/\">under 30 minutes<\/a>. Dainotti says that, more than 20 years later, the lack of deployment of security mechanisms in BGP is still a serious concern.<\/p>\n<p>To better pinpoint serial attacks, the group first pulled data from several years\u2019 worth of network operator mailing lists, as well as historical BGP data taken every five minutes from the global routing table. From that, they observed particular qualities of malicious actors and then trained a machine-learning model to automatically identify such behaviors.<\/p>\n<p>The system flagged networks that had several key characteristics, particularly with respect to the nature of the specific blocks of IP addresses they use:<\/p>\n<ul>\n<li>Volatile changes in activity<strong>: <\/strong>Hijackers\u2019 address blocks seem to disappear much faster than those of legitimate networks. 
The average duration of a flagged network\u2019s prefix was under 50 days, compared to almost two years for legitimate networks.<\/li>\n<li>Multiple address blocks<strong>: <\/strong>Serial hijackers tend to advertise many more blocks of IP addresses, also known as \u201cnetwork prefixes.\u201d<\/li>\n<li>IP addresses in multiple countries<strong>: <\/strong>Most networks don\u2019t have foreign IP addresses. In contrast, the address blocks that serial hijackers advertised were much more likely to be registered in different countries and continents.<\/li>\n<\/ul>\n<p><strong>Identifying false positives<\/strong><\/p>\n<p>Testart said that one challenge in developing the system was that events that look like IP hijacks can often be the result of human error, or otherwise legitimate. For example, a network operator might use BGP to defend against distributed denial-of-service attacks in which there are huge amounts of traffic going to their network. Modifying the route is a legitimate way to shut down the attack, but it looks virtually identical to an actual hijack.<\/p>\n<p>Because of this issue, the team often had to manually jump in to identify false positives, which accounted for roughly 20 percent of the cases identified by their classifier. Moving forward, the researchers are hopeful that future iterations will require minimal human supervision and could eventually be deployed in production environments.<\/p>\n<p>\u201cThe authors&#8217; results show that past behaviors are clearly not being used to limit bad behaviors and prevent subsequent attacks,\u201d says David Plonka, a senior research scientist at Akamai Technologies who was not involved in the work. 
\u201cOne implication of this work is that network operators can take a step back and examine global Internet routing across years, rather than just myopically focusing on individual incidents.\u201d<\/p>\n<p>As people increasingly rely on the Internet for critical transactions, Testart says that she expects IP hijacking\u2019s potential for damage to only get worse. But she is also hopeful that it could be made more difficult by new security measures. In particular, large backbone networks such as AT&#038;T have <a href=\"http:\/\/mailman.nanog.org\/pipermail\/nanog\/2019-February\/099501.html\" target=\"_blank\" rel=\"noopener noreferrer\">recently announced<\/a> the adoption of resource public key infrastructure (RPKI), a mechanism that uses cryptographic certificates to ensure that a network announces only its legitimate IP addresses.\u00a0<\/p>\n<p>\u201cThis project could nicely complement the existing best solutions to prevent such abuse that include filtering, antispoofing, coordination via contact databases, and sharing routing policies so that other networks can validate it,\u201d says Plonka. \u201cIt remains to be seen whether misbehaving networks will continue to be able to game their way to a good reputation. But this work is a great way to either validate or redirect the network operator community&#8217;s efforts to put an end to these present dangers.\u201d<\/p>\n<p>The project was supported, in part, by the MIT Internet Policy Research Initiative, the William and Flora Hewlett Foundation, the National Science Foundation, the Department of Homeland Security, and the Air Force Research Laboratory.<\/p>\n<\/div>\n<p><a href=\"http:\/\/news.mit.edu\/2019\/using-machine-learning-hunt-down-cybercriminals-1009\">Go to Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Author: Adam Conner-Simons | MIT CSAIL Hijacking IP addresses is an increasingly popular form of cyber-attack. 
This is done for a range of reasons, from [&hellip;] <span class=\"read-more-link\"><a class=\"read-more\" href=\"https:\/\/www.aiproblog.com\/index.php\/2019\/10\/09\/using-machine-learning-to-hunt-down-cybercriminals\/\">Read More<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":470,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.aiproblog.com\/index.php\/wp-json\/wp\/v2\/posts\/2673"}],"collection":[{"href":"https:\/\/www.aiproblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aiproblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aiproblog.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aiproblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=2673"}],"version-history":[{"count":0,"href":"https:\/\/www.aiproblog.com\/index.php\/wp-json\/wp\/v2\/posts\/2673\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aiproblog.com\/index.php\/wp-json\/wp\/v2\/media\/465"}],"wp:attachment":[{"href":"https:\/\/www.aiproblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=2673"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aiproblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=2673"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aiproblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=2673"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}