A forensic case study on AS hijacking: the attacker's perspective

  • Authors:
  • Johann Schlamp (TU München, Garching, Germany)
  • Georg Carle (TU München, Garching, Germany)
  • Ernst W. Biersack (Eurecom, Sophia Antipolis, France)

  • Venue:
  • ACM SIGCOMM Computer Communication Review
  • Year:
  • 2013


Abstract

The Border Gateway Protocol (BGP) was designed without security in mind. To this day, this leaves the Internet vulnerable to hijacking attacks that intercept or blackhole Internet traffic. So far, significant effort has been put into the detection of IP prefix hijacking, while AS hijacking has received little attention. AS hijacking is more sophisticated than IP prefix hijacking and is aimed at a long-term benefit, for example one that lasts for months. In this paper, we study a malicious case of AS hijacking, carried out in order to send spam from the victim's network. We thoroughly investigate this AS hijacking incident using live data from both the control plane and the data plane. Our analysis yields insights into how the attacker proceeded in order to covertly hijack a whole autonomous system, how he misled an upstream provider, and how he used unallocated address space. We further show that state-of-the-art techniques to prevent hijacking are not fully capable of dealing with this kind of attack. We also derive guidelines on how to conduct future forensic studies of AS hijacking. Our findings show that there is a need for preventive measures that would allow AS hijacking to be anticipated, and we outline the design of an early warning system.