Network Reachability-based IP Prefix Hijacking Detection
PhD Thesis Defense
Seongcheol Hong
Supervisor: Prof. James Won-Ki Hong
December 16, 2011
Distributed Processing & Network Management Lab.
Dept. of Computer Science and Engineering, POSTECH, Korea
Seongcheol Hong, POSTECH PhD Thesis Defense 1/30

[Slide 2/30] Presentation Outline
Introduction
Related Work
Research Approach
Reachability Based Hijacking Detection (RBHD)
Evaluation and Results
Conclusions

[Slide 3/30] Introduction
Routing protocols communicate reachability information and perform path selection
BGP is the Internet's de facto inter-domain routing protocol
(figure: iBGP within an AS and eBGP between AS 1, AS 2 and AS 300; AS 2 advertises 1.10.0.0/16; the routing tables list prefix 1.2.0.0/16 with path 2 and with path 1 2)

[Slide 4/30] Introduction
What is IP prefix hijacking?
Stealing IP addresses belonging to other networks
It can occur on purpose or by mistake
Serious threat to the robustness and security of the Internet routing system
IP prefix hijacking attack types
• NLRI falsification
• AS path falsification
IP prefix hijacking incidents
• AS 7007 incident
• YouTube hijacking
• Chinese ISP hijacking
(figure: the victim AS 1 advertises 1.2.0.0/16 and the attacker AS 5 also advertises 1.2.0.0/16; the routing tables of AS 2, AS 3 and AS 4 show 1.2.0.0/16 reachable via path 1, via path 2, 1 and via path 5)

[Slide 5/30] Research Motivation
IP prefix hijacking is a crucial problem in Internet security
A number of efforts have been introduced
• Security enabled BGP protocols
• Hijacking detection methods
Every existing BGP security solution has limitations
• Security enabled BGP protocols are impractical to deploy
• Hijacking detection methods cannot detect every type of IP prefix hijacking threat
We need a novel approach which is practical and covers all types of IP prefix hijacking attacks

[Slide 6/30] Research Goals
Target approach
• Security enabled BGP protocol
• IP prefix hijacking detection method
Developing a new approach which is practical and detects all types of IP prefix hijacking
The IP hijacking detection system does not require cooperation of ASes and does not have to be located at a specific monitoring point
The proposed approach should be validated in simulated environments using real network data

[Slide 7/30] Related Work: Security enabled BGP protocol
BGP Session Protection
• Protecting the underlying TCP session and implementing BGP session defenses
• Not verifying the content of BGP messages
Defensive Filtering
• Filters announcements which are bad and potentially malicious
• It is difficult for an ISP to identify invalid routes originated from several AS hops away
Cryptographic Techniques
• Rely on a shared key between two parties
• Public Key Infrastructure (PKI) requires many resources
Routing Registries
• Shared, global view of 'correct' routing information
• Registry itself must be secure, complete and accurate

[Slide 8/30] Related Work: Existing IP hijacking detection methods
Detection approach
• Victim-centric
• Infrastructure-based
• Peer-centric
Type of used data
• Routing information (control-plane)
• Data probing (data-plane)
Attack type
• NLRI falsification
• AS path falsification

[Slide 9/30] Related Work: Comparison among IP hijacking detection methods
(table: Topology, PHAS, Distance, Real-time Monitoring, pgBGP, iSPY, Strobelight and Reachability (Proposed) are compared by detection approach (victim-centric, infrastructure-based, peer-centric), type of used data (routing information, data probing) and attack type (NLRI falsification, AS path falsification); the individual cell marks cannot be placed from the transcript)

[Slide 10/30] Research Approach
IP prefix hijacking detection based on network reachability
(figure: the attacker AS 5 advertises 1.2.0.0/16; AS 4 holds 1.2.0.0/16 with path 5 and with path 2 1)
(figure, continued: AS 3 holds 1.2.0.0/16 with path 2 1 and AS 2 with path 1; the victim AS 1 originates the prefix; the reachability test asks "Multiple origin AS?" and "Reached the intended network?", and the update is flagged "This update is IP hijacking")

[Slide 11/30] Reachability-Based Hijacking Detection (RBHD)

[Slide 12/30] Network Reachability Examination
IP prefix hijacking is an attack which influences network reachability
We have developed network fingerprinting techniques for network reachability examination
Network fingerprinting is active or passive collection of characteristics from a target network (AS level)
A network fingerprint should be unique to distinguish a certain network
(figure: networks A and B with Fingerprint_A and Fingerprint_B) A = B if and only if Fingerprint_A = Fingerprint_B

[Slide 13/30] Network Fingerprinting
What can uniquely characterize a network?
• IP prefix information
• Number of running servers in the network
• A static live host or device in the network (e.g., IDS or IPS)
• Firewall policy
• Geographical location of the network
• Etc.
We have selected static live host information and firewall policy as network fingerprints
Static live host: Web server, mail server, DNS server, IPS device, etc.
Firewall policy: allowed port numbers or IP addresses
Not changed frequently

[Slide 14/30] Static Live Host
Requirements of live hosts
• Operated in most ASes
• Easy to obtain IP addresses
• Always provide services for its AS
• Allow external connections and respond to active probing
DNS server satisfies all of these requirements
• Provides a conversion service between domain names and IP addresses
• Part of the core infrastructure of the Internet
• Always provides service and allows external connections from any host

[Slide 15/30] DNS Server List Collection
BGP-RIB of RouteViews
• 'RouteViews' collects global routing information
• RIB consists of IP prefixes and AS paths
DNS server collection process
1. Perform a reverse DNS lookup and obtain the name of the authority server with authority over a particular IP prefix
2. Perform a DNS lookup with the authority server name and obtain the IP addresses of the DNS server
3. Repeat processes 1 and 2 over all IP prefixes in the BGP-RIB

[Slide 16/30] DNS Server Fingerprinting
Host fingerprint of the DNS server is used as the network fingerprint
DNS server fingerprinting
• DNS protocol information
• DNS domain name information
• DNS server configuration information
(figure: DNS Protocol (implementation ...), DNS Domain Name (AA flag ...) and DNS Server Configuration (DNSSEC ...) combine into the DNS Host Fingerprint)

[Slide 17/30] Firewall Policy as Alternative Fingerprint
DNS host fingerprints are not sufficient for reachability monitoring of all ASes in the Internet
• There are ASes in which no DNS server is found (such as an IX)
Suitability of firewall policies as network fingerprints
• The number of possible combinations is huge: protocol, port number, IP address, direction, permission
E.g.)
ACCEPT TCP from anywhere to 224.0.0.251 TCP Port:80
REJECT ICMP from anywhere to anywhere ICMP unreachable
Firewall policy fingerprinting is performed by active probing
(figure: probing packets sent to the target network)

[Slide 18/30] Reachability-Based Hijacking Detection (RBHD)
Identification of NLRI falsification
Identification of AS path falsification
(flowchart)
BGP update → NLRI falsification? → N → AS path falsification? → N → Valid update
If either check is Y → An available DNS server in the target network?
  → Y → DNS host fingerprinting: Collect DNS host fingerprints → Match the existing fingerprints? → Y: Valid update / N: Invalid update
  → N → Firewall policy fingerprinting: Collect firewall policy fingerprints → Match the existing fingerprints? → Y: Valid update / N: Invalid update

[Slide 19/30] Evaluations and Results

[Slide 20/30] DNS Server Collection Result
Current state of DNS server operation
• 304,106 IP prefixes (8,414,294 /24 prefixes) in the BGP-RIB
• Information on 77,530 DNS servers, obtained by DNS forward/reverse queries to the /24 prefixes
(chart: the number of IP prefixes owned by each AS)

[Slide 21/30] Host Fingerprint Groups
The total number of distinguishable fingerprints is 73,781 (total DNS servers: 77,530)
(chart: the number of distinguishable DNS server fingerprints)

[Slide 22/30] Uniqueness of Fingerprints
N: the total number of collected DNS servers
G: the total number of mutually exclusive fingerprints
For each group, n_i is defined as the number of DNS servers that belong to the i-th fingerprint group
The collision probability P_C: (formula on the slide; not present in the transcript)
In our result, N is 77,530 and G is 73,781
P_C in our experiment is 2.69 × 10^-6
We conclude that our proposed host fingerprinting method provides a sufficient level of distinction.
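The decision flow of slide 18/30, as an added Python sketch that is not part of the thesis: the NLRI check is the "Multiple origin AS?" test against origins seen earlier, the AS path check flags adjacencies never seen in the RIB, and the reachability test compares a freshly probed fingerprint with the stored one (DNS host fingerprint where a DNS server exists, firewall policy fingerprint otherwise). The class and function names, the fingerprint tuples and the topology (AS 1 victim, AS 5 attacker, AS 7 IX-like network) are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class RBHD:
    origins: dict   # prefix -> set of origin ASes seen in earlier BGP-RIB snapshots
    links: set      # AS adjacencies (frozensets) seen in earlier BGP-RIB snapshots
    dns_fp: dict    # prefix -> stored DNS host fingerprint, None if no DNS server (e.g. an IX)
    fw_fp: dict     # prefix -> stored firewall policy fingerprint

    def nlri_falsified(self, prefix, as_path):
        # "Multiple origin AS?": the rightmost AS of the path has never originated this prefix
        return as_path[-1] not in self.origins.get(prefix, set())

    def path_falsified(self, as_path):
        # the path crosses an AS adjacency that has never been observed in the RIB
        return any(frozenset(p) not in self.links for p in zip(as_path, as_path[1:]))

    def classify(self, prefix, as_path, probe_dns, probe_fw):
        # control-plane screen first; only a suspicious update costs a reachability test
        if not (self.nlri_falsified(prefix, as_path) or self.path_falsified(as_path)):
            return "valid"
        stored = self.dns_fp.get(prefix)
        if stored is not None:      # "An available DNS server in the target network?"
            return "valid" if probe_dns(prefix) == stored else "invalid"
        return "valid" if probe_fw(prefix) == self.fw_fp.get(prefix) else "invalid"

# Constructed scenario modelled on slides 10 and 36: AS 1 owns 1.2.0.0/16 and AS 5 is the
# attacker; 10.20.0.0/16 (AS 7) is an IX-like network with no DNS server of its own.
VICTIM_FP = ("bind", "aa", "dnssec")       # shape follows slide 16: implementation, AA flag, DNSSEC
ATTACKER_FP = ("unbound", "no-aa", "no-dnssec")
IX_FW_FP = ("tcp/80:accept", "icmp:deny")
detector = RBHD(
    origins={"1.2.0.0/16": {1}, "10.20.0.0/16": {7}},
    links={frozenset(p) for p in [(1, 2), (2, 3), (3, 4), (4, 5), (3, 7)]},
    dns_fp={"1.2.0.0/16": VICTIM_FP, "10.20.0.0/16": None},
    fw_fp={"10.20.0.0/16": IX_FW_FP},
)

def run_scenarios():
    # probe callables stand in for what a live reachability test of the prefix would observe
    to_victim, to_attacker = (lambda p: VICTIM_FP), (lambda p: ATTACKER_FP)
    same_fw, other_fw = (lambda p: IX_FW_FP), (lambda p: ("tcp/80:deny", "icmp:accept"))
    return {
        "normal": detector.classify("1.2.0.0/16", (3, 2, 1), to_victim, same_fw),
        "hijack": detector.classify("1.2.0.0/16", (4, 5), to_attacker, same_fw),       # MOAS, wrong network reached
        "new_link": detector.classify("1.2.0.0/16", (4, 1), to_victim, same_fw),       # slide 36: legitimate new link
        "ix_hijack": detector.classify("10.20.0.0/16", (4, 5), to_attacker, other_fw),  # firewall fingerprint fallback
    }
```

The "new_link" case is the point of the reachability test: the control-plane screen alone would flag it, but the probe still reaches the intended network, so the update is accepted.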
[Slide 23/30] Firewall Policy Examples
(figure)

[Slide 24/30] Differences of Firewall Policies
(figures: Network A, Network B, Network C, Network D)

[Slide 25/30] IP Prefix Hijacking Testbed
(figure: false announcement; Collect current fingerprints; Collect AS A's fingerprints)
Two networks are randomly selected (IP addresses in this slide are anonymized)
Translate IP address, ex) 192.168.1.0 => 192.168.31.0

[Slide 26/30] Conclusions
1. Summary
2. Contributions
3. Future Work

[Slide 27/30] Summary
We proposed a new approach that practically detects IP prefix hijacking based on network reachability monitoring
We used a fingerprinting scheme in order to determine the network reachability of a specific network
We proposed DNS host and firewall policy fingerprinting methods for network reachability monitoring
We validated the effectiveness of the proposed method in the IP hijacking test-bed

[Slide 28/30] Contributions
The problems of existing IP prefix hijacking detection techniques are addressed
The absence of detection techniques which deal with all IP prefix hijacking cases leads to the development of new methodologies which are suitable for the current Internet
Our approach provides a practical network fingerprinting method for the reachability test of all ASes
• DNS host fingerprinting
• Firewall policy fingerprinting
Novel, real-time IP prefix hijacking detection methods are described and validated with real network data.
[Slide 29/30] Future Work
Enhancement of our DNS server finding and fingerprinting method
Optimization of inferring the firewall policies with small probing packets
Analyzing the performance and feasibility of our fingerprinting approach on the Internet
Applying our hijacking detection system to a real research network

[Slide 30/30] Q&A
PhD Thesis Defense, Seongcheol Hong, December 16, 2011

[Slide 31/30] Appendix

[Slide 32/30] IP Prefix Hijacking Incidents
AS7007 incident, April 25 1997: caused by a misconfigured router that flooded the Internet with incorrect advertisements
YouTube Hijacking, February 24 2008: Pakistan's attempt to block YouTube access within their country takes down YouTube entirely
Chinese ISP hijacks the Internet, April 8 2010: China Telecom originated 37,000 prefixes not belonging to them

[Slides 33/30 and 34/30] Related Work
(repeat of slides 7/30 and 8/30: security enabled BGP protocols and existing IP hijacking detection methods)
[Slide 35/30] Solution Approach
Research Hypothesis: An independent system can perform real-time IP prefix hijacking detection using network reachability monitoring without any changes to the existing Internet infrastructure

[Slide 36/30] Legitimate Case
(figure: the topology of slide 10/30, but AS 5 has a static link to AS 1 and advertises 1.2.0.0/16 legitimately; the routing tables hold 1.2.0.0/16 with paths 5, 2 1 and 1; the reachability test asks "Multiple origin AS?" and "Reached the intended network? O", so "This update is valid")

[Slide 37/30] Common Legitimate Cases
(figure from Xin Hu and Z. Morley Mao, "Accurate Real-time Identification of IP Prefix Hijacking")

[Slide 38/30] DNS Server Collection Process
(flowchart)
Start → BGP-RIB at RouteViews → Get IP prefix and AS path information → More IP prefixes? → No: End
→ Yes: Do a reverse query about an IP address in the IP prefix to the local DNS server → Query result exists?
  → No: Do a reverse query about an IP address in the IP prefix to the global DNS server → Query result exists? → No: Print 'no DNS server in the IP prefix'
  → Yes: Authority Section exists in the result? → No: Print 'no DNS server in the IP prefix'
  → Yes: Do a forward query about an IP address in the Authority Section → Get the domain name and IP address of the DNS server → Print 'DNS server information in the IP prefix' (continue with the next IP prefix)

[Slide 39/30] Distinguishable Groups of Each Fingerprint
(charts: DNS protocol information; DNS domain name information; DNS server configuration)

[Slide 40/30] DNS Server Fingerprint
(figures: DNS server fingerprinting process; structure of DNS server fingerprint)

[Slide 41/30] DNS Server Fingerprint Examples
(figure)

[Slide 42/30] The Use of Sweep Line for Firewall Policy Inference
Example of the sweep line algorithm on a 2-dimensional space (figure)

[Slide 43/30] Inferring the Firewall Policy
Probe packets (TTL = router + 1)
Protocol | Destination IP  | Destination Port | Option | TTL
ICMP     | 192.168.10.0/24 | -                | echo   | router + 1
TCP      | 192.168.10.0/24 | 1:1023           | SYN    | router + 1
UDP      | 192.168.10.0/24 | 1:1023           | -      | router + 1
Inferred permission from the response packet
Protocol | Response packet              | Permission
ICMP     | echo reply                   | accept
ICMP     | -                            | deny
TCP      | ICMP Time Exceeded           | accept
TCP      | ICMP Destination Unreachable | deny
TCP      | -                            | deny
UDP      | -                            | accept
UDP      | ICMP Destination Unreachable | deny

[Slide 44/30] Inferring the Firewall Policy
Probe packets (TTL = 255)
Protocol | Destination IP  | Destination Port | Option | TTL
ICMP     | 192.168.10.0/24 | -                | echo   | 255
TCP      | 192.168.10.0/24 | 1:1023           | SYN    | 255
UDP      | 192.168.10.0/24 | 1:1023           | -      | 255
Inferred permission from the response packet
Protocol | Response packet              | Permission
ICMP     | echo reply                   | accept
ICMP     | -                            | deny
TCP      | SYN/ACK                      | accept
TCP      | RST/ACK                      | accept
TCP      | RST                          | accept
TCP      | ICMP Destination Unreachable | deny
TCP      | -                            | deny
UDP      | -                            | accept
UDP      | ICMP Destination Unreachable | deny

[Slide 45/30] Suspicious Update Frequency
Suspicious update frequency during 2 weeks of monitoring of the BGP-RIB
Anomalous update type | Total number | Average rate (/ min)
NLRI                  | 1234         | 0.12
AS path               | 12632        | 1.02
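The response-to-permission rules of slides 43/30 and 44/30, and the per-port sweep of slide 42/30 reduced to one dimension, as an added Python example that is not the thesis author's code: each observed response is mapped to the firewall decision for that probe, and neighbouring ports with the same decision are merged into ranges, which together form the firewall policy fingerprint of the network. The "router+1"/255 keys, the function names and the sample observations are constructed for this example; the code only classifies already-collected responses.

```python
# Response-to-permission rules transcribed from slides 43/30 (TTL = router + 1) and 44/30
# (TTL = 255); None stands for "no response" (the "-" cells on the slides).
RULES = {
    ("ICMP", "router+1", "echo reply"): "accept",
    ("ICMP", "router+1", None): "deny",
    ("TCP", "router+1", "ICMP Time Exceeded"): "accept",
    ("TCP", "router+1", "ICMP Destination Unreachable"): "deny",
    ("TCP", "router+1", None): "deny",
    ("UDP", "router+1", None): "accept",
    ("UDP", "router+1", "ICMP Destination Unreachable"): "deny",
    ("ICMP", 255, "echo reply"): "accept",
    ("ICMP", 255, None): "deny",
    ("TCP", 255, "SYN/ACK"): "accept",
    ("TCP", 255, "RST/ACK"): "accept",
    ("TCP", 255, "RST"): "accept",
    ("TCP", 255, "ICMP Destination Unreachable"): "deny",
    ("TCP", 255, None): "deny",
    ("UDP", 255, None): "accept",
    ("UDP", 255, "ICMP Destination Unreachable"): "deny",
}

def permission(proto, ttl, response):
    """Firewall decision implied by one probe's response; responses the slides do not list stay 'unknown'."""
    return RULES.get((proto, ttl, response), "unknown")

def infer_policy(observations):
    """Collapse per-port decisions into contiguous port ranges: the one-dimensional form of the
    sweep over the port axis that slide 42/30 illustrates in two dimensions."""
    per_port = {(proto, port): permission(proto, ttl, resp) for proto, port, ttl, resp in observations}
    policy = []                                    # (proto, first_port, last_port, permission)
    for (proto, port), perm in sorted(per_port.items()):
        last = policy[-1] if policy else None
        if last and last[0] == proto and last[3] == perm and last[2] == port - 1:
            policy[-1] = (proto, last[1], port, perm)       # extend the open range
        else:
            policy.append((proto, port, port, perm))        # start a new range
    return policy

# Constructed observations for one target network (port 0 stands for the port-less ICMP probe).
SAMPLE_OBSERVATIONS = [
    ("ICMP", 0, 255, "echo reply"),
    ("TCP", 20, 255, None), ("TCP", 21, 255, None), ("TCP", 22, 255, "SYN/ACK"),
    ("TCP", 23, 255, "ICMP Destination Unreachable"), ("TCP", 24, 255, None), ("TCP", 25, 255, "RST"),
    ("TCP", 80, 255, "SYN/ACK"),
    ("UDP", 53, 255, None),
]
```

Comparing the list returned by infer_policy for a prefix before and after a suspicious update is the "Match the existing fingerprints?" step of slide 18/30 for networks without a DNS server.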