Researchers at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) have detailed a new approach to identifying serial abusers of the Border Gateway Protocol (BGP), which attackers use to trick other networks into misdirecting internet traffic for snooping, phishing, or denial of service attacks.
The machine learning approach is detailed in a paper titled “Profiling BGP Serial Hijackers: Capturing Persistent Misbehavior in the Global Routing Table” that the researchers will present at a conference in Amsterdam later this month.
ISPs can intentionally or inadvertently hijack BGP routing by wrongly announcing another network’s IP address blocks, causing other ISPs and internet infrastructure providers to incorrectly reroute traffic. In the past this has led to vast amounts of traffic from Amazon, Google, and Microsoft erroneously ending up in places like Iran, China and Russia.
The MIT researchers ran a longitudinal survey of so-called "serial BGP hijackers" by looking at past instances of known and persistent bad behavior linked to Autonomous System (AS) numbers, which is how networks, ISPs included, are identified in BGP route tables.
While many hijacking events are accidental and caused by misconfigurations, the researchers have explored a novel machine learning approach to identify ISPs that conduct BGP hijacking frequently over multiple years.
The goal is to “automatically identify Autonomous Systems (ASes) that exhibit characteristics similar to serial hijackers”, in the hope that such a detection system will let network engineers anticipate incorrect announcements and react more swiftly to hijacking events.
BGP hijacks often remain live for several hours, leaving attackers a sufficient window to carry out an attack. For example, Cloudflare and AWS were unable to rectify a phishing attack on a cryptocurrency wallet for two hours last year after someone used BGP hijacking to redirect the wallet's users to a phishing site.
As the MIT researchers point out, network engineers at this stage largely rely on mailing lists like the North American Network Operators Group (NANOG) mailing list to “peer pressure” other networks to ignore the wrongly announced IP addresses.
“Current hijack detection systems typically rely on assumptions of prefix ownership and track origin changes in the global routing table. If an event is detected, the victim network can react and attempt to get in contact with the perpetrator or its upstream networks to solve the problem,” the MIT researchers explain.
“However, many times this contact is not fruitful or not even possible. At that point, victims of hijacks are only left with the option of publicly disclosing the event in network operator mailing lists in the hope that peer pressure and manual interventions by other networks, such as filtering announcements or refusing to provide transit, will remediate the situation.”
The US National Institute of Standards and Technology (NIST) is pushing for a public key cryptographic system, the Resource Public Key Infrastructure (RPKI), that would allow address holders, including large networks and ISPs, to specify which ASes may originate routes for their address blocks. NIST is also working on BGP route validation so that routers can filter out unauthorized BGP route announcements.
Once these are implemented widely, these security measures could mitigate BGP hijacking, but until then the MIT researchers are working on improving detection and response times.
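The route validation step described above is, in its origin-validation form, a small algorithm: a router holds a list of route origin authorizations (ROAs, each a prefix, a maximum prefix length and an authorized origin AS) and classifies every announcement as valid, invalid, or not-found. The following is an added example written for this page, not NIST's or the researchers' code; the ROA table, the prefixes (documentation ranges) and the AS numbers (private-use range) are constructed, and the rules follow RFC 6811 (an AS0 ROA authorizes nobody, so anything it covers is invalid).

```python
"""Route Origin Validation (RFC 6811) over a small, constructed ROA table.

Added illustration for this article; not NIST's or the MIT researchers'
code. ROAs, prefixes and AS numbers below are made up for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # covering prefix, e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length the holder allows to be announced
    asn: int          # authorized origin AS; 0 means nobody may originate it


# Constructed ROA table (assumption: these are not real registrations).
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),   # only the /24 itself, only from AS64500
    ROA("198.51.100.0/24", 26, 64501),  # AS64501 may announce down to /26
    ROA("192.0.2.0/24", 24, 0),         # AS0 ROA: this space must never be routed
]


def validate_origin(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix, strict=False)
    # A ROA "covers" the announcement when its prefix contains the announced one.
    covering = [
        roa for roa in roas
        if ipaddress.ip_network(roa.prefix).version == net.version
        and net.subnet_of(ipaddress.ip_network(roa.prefix))
    ]
    if not covering:
        return "not-found"          # no ROA says anything about this space
    for roa in covering:
        # Valid needs a covering ROA for this origin whose max_length is not
        # exceeded; an AS0 ROA never matches, so it only makes things invalid.
        if roa.asn != 0 and roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def filter_table(announcements, roas=ROAS):
    """Drop invalid announcements, the way a router doing ROV would.

    Returns (accepted, rejected) lists of (prefix, origin_asn, state)."""
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        (rejected if state == "invalid" else accepted).append((prefix, asn, state))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed announcements: the legitimate /24, a more-specific hijack of
    # it, a foreign origin for it, and a prefix with no ROA at all.
    sample = [
        ("203.0.113.0/24", 64500),
        ("203.0.113.0/25", 64500),
        ("203.0.113.0/24", 64999),
        ("10.0.0.0/8", 64500),
    ]
    for entry in filter_table(sample)[0] + filter_table(sample)[1]:
        print(entry)
```

Note that the more-specific /25 from the legitimate holder is rejected too: the ROA's max length is 24, which is exactly how ROV blocks the "announce a more-specific of the victim's block" pattern. Origin validation says nothing about the rest of the AS path; that is what the separate path-validation work (BGPsec) is for.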
“We take on a new perspective on illicit BGP activity: instead of looking at individual BGP hijacking events, we study the long-term prefix advertisement dynamics in the global routing table in space and time,” they write.
They analyzed BGP announcement dynamics of serial hijacker ASes over five years in a bid to identify characteristics that separate them from good ASes.
One of the serial hijackers they used in the study was AS197426, a Portuguese ISP called BitCanal, which was dubbed a BGP “hijack factory” because of repeated hijacking activity over the years.
According to Oracle-owned Dyn, BitCanal was “effectively cut off from the global internet” last July, but only after multiple transit providers dropped the company one by one as BitCanal moved from provider to provider. By analyzing the behavior of ASes like BitCanal, the researchers believe network operators can automate detection and stop accepting announcements from ISPs such as BitCanal that have a poor reputation.
To establish the “ground truth” for what a serial hijacker is, the researchers processed five years of email threads on the NANOG mailing list and extracted 23 AS numbers that network operators repeatedly identified as conducting hijacking events. They also took snapshots of the global routing table computed every five minutes over the same five-year period.
“This work shows that, through analysis of readily available public BGP data—without leveraging blacklists or other indicators—it is possible to identify dominant patterns of serial hijackers,” they write.
“Our preliminary results suggest that these patterns can be leveraged in automated applications, potentially revealing undetected behavior or generating a novel category of reputation scores.”
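To make the "long-term prefix advertisement dynamics in space and time" idea concrete, the following is an added example for this article, not the researchers' code or their actual feature set. It builds a constructed series of routing-table snapshots (each a list of prefix and origin AS pairs, standing in for the five-minute snapshots), then computes per-AS features of the kind such a profile might use: how many prefixes an AS originated, what fraction were short-lived, what fraction sat inside address space that another AS originates, how fragmented the AS's announcements are, and how stable they are over time. The prefixes, AS numbers, threshold and crude score are all assumptions for illustration.

```python
"""Profiling prefix-origination behaviour per AS from routing-table snapshots.

Added illustration; not the MIT researchers' code or feature set. Snapshots,
prefixes (RFC 5737 / RFC 1918 / shared address space) and AS numbers
(private-use range) are constructed, and the features are simple stand-ins
for long-term advertisement dynamics, not the paper's.
"""
import ipaddress
from collections import defaultdict


def build_snapshots(n=12):
    """Constructed snapshot series: one list of (prefix, origin AS) per tick.

    AS64500 and AS64510 originate the same prefixes in every snapshot.
    AS64666 keeps one stable prefix but briefly originates more-specifics
    inside other ASes' blocks, the shape of a serial hijacker."""
    brief = {
        3: "203.0.113.0/25",    # more-specific of AS64500's /24
        5: "198.51.100.0/25",   # more-specific of AS64500's /24
        7: "100.64.0.0/24",     # space nobody else originates in this table
        8: "100.64.0.0/24",
        9: "172.16.5.0/24",     # more-specific of AS64510's /16
    }
    snapshots = []
    for t in range(n):
        table = [
            ("203.0.113.0/24", 64500), ("198.51.100.0/24", 64500),
            ("172.16.0.0/16", 64510),
            ("192.0.2.0/24", 64666),
        ]
        if t in brief:
            table.append((brief[t], 64666))
        snapshots.append(table)
    return snapshots


def profile_ases(snapshots, short_lived_max=2):
    """Return {asn: features} computed over the whole snapshot series.

    short_lived_max (assumed threshold): a prefix seen in at most this many
    snapshots counts as short-lived."""
    n = len(snapshots)
    presence = defaultdict(lambda: defaultdict(int))   # asn -> prefix -> #snapshots
    for table in snapshots:
        for prefix, asn in table:
            presence[asn][ipaddress.ip_network(prefix)] += 1

    features = {}
    for asn, prefixes in presence.items():
        # Prefixes originated by any other AS at any point in the series.
        others = [p for a, ps in presence.items() if a != asn for p in ps]
        # "Conflicting": this AS announced a prefix equal to, or inside, a
        # prefix that some other AS originates (MOAS or more-specific).
        conflicting = sum(
            1 for p in prefixes
            if any(p.subnet_of(q) for q in others if q.version == p.version)
        )
        short = sum(1 for seen in prefixes.values() if seen <= short_lived_max)
        # Spread across top-level /8 blocks (first 8 bits of the address).
        blocks = {int(p.network_address) >> (p.max_prefixlen - 8) for p in prefixes}
        features[asn] = {
            "prefixes": len(prefixes),
            "short_lived": short / len(prefixes),
            "conflicting": conflicting / len(prefixes),
            "mean_presence": sum(prefixes.values()) / (len(prefixes) * n),
            "blocks": len(blocks),
        }
    return features


def rank_suspects(features):
    """Crude illustrative score: churn plus overlap with others' space.

    Ties are broken by AS number so the order is deterministic."""
    def score(asn):
        return features[asn]["short_lived"] + features[asn]["conflicting"]
    return sorted(features, key=lambda asn: (-score(asn), asn))


if __name__ == "__main__":
    feats = profile_ases(build_snapshots())
    for asn in rank_suspects(feats):
        print(asn, feats[asn])
```

The point of running this over years of snapshots rather than single events is visible even in the toy data: each of AS64666's brief announcements would look like an ordinary misconfiguration on its own, but together they give the AS a high short-lived fraction, a high conflicting fraction and low mean presence, while the two stable ASes score zero. A real deployment would feed features like these to a classifier trained on operator-confirmed hijackers, as the paper does with its NANOG-derived ground truth.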
Industry researchers see potential in the MIT approach to judge ISPs on their behavior over years rather than on single incidents alone.
“The authors' results show that past behaviors are clearly not being used to limit bad behaviors and prevent subsequent attacks,” said David Plonka, a senior research scientist at Akamai who was not involved in the work.
“One implication of this work is that network operators can take a step back and examine global Internet routing across years, rather than just myopically focusing on individual incidents.”