A forensic case study on AS hijacking: the attacker's perspective

Johann Schlamp, Georg Carle, Ernst W. Biersack
Appears in: 
CCR April 2013

The Border Gateway Protocol (BGP) was designed without security in mind. To this day, this leaves the Internet vulnerable to hijacking attacks that intercept or blackhole Internet traffic. So far, significant effort has been put into the detection of IP prefix hijacking, while AS hijacking has received little attention. AS hijacking is more sophisticated than IP prefix hijacking and aims at a long-term benefit, e.g. over a duration of months. In this paper, we study a malicious case of AS hijacking, carried out in order to send spam from the victim's network. We thoroughly investigate this AS hijacking incident using live data from both the control plane and the data plane. Our analysis yields insights into how an attacker proceeded in order to covertly hijack a whole autonomous system, how he misled an upstream provider, and how he used unallocated address space. We further show that state-of-the-art techniques to prevent hijacking are not fully capable of dealing with this kind of attack. We also derive guidelines on how to conduct future forensic studies of AS hijacking. Our findings show that there is a need for preventive measures that would allow AS hijacking to be anticipated, and we outline the design of an early warning system.
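As an added illustration (not code from the paper or its authors), the following Python shows why route origin validation, the kind of state-of-the-art prevention technique the abstract refers to, is blind to this attack: a prefix hijack from a foreign origin AS is rejected, but an attacker who has taken over the whole AS originates the victim's prefixes under the victim's own AS number and passes the check, and announcements of unallocated space are merely "not found" rather than "invalid". The ROA check follows RFC 6811 semantics; the upstream-neighbour baseline at the end is an assumed heuristic for illustration only, not the early warning system the authors outline. All prefixes, AS numbers and routes are constructed from documentation ranges and do not describe the studied incident.

```python
"""Added illustration (not the paper's code): why route origin validation
alone does not catch AS hijacking.

All prefixes, AS numbers, ROAs and announcements below are constructed from
documentation ranges (192.0.2.0/24, 198.51.100.0/24, AS64496-AS64511) and do
not describe the incident the paper studies.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: origin_as may announce prefix up to max_len."""
    prefix: str
    max_len: int
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    """A BGP route as seen by a collector; as_path[-1] is the origin AS."""
    prefix: str
    as_path: tuple

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def validate_origin(ann: Announcement, roas: list) -> str:
    """RFC 6811-style route origin validation.

    Returns 'valid' if some covering ROA authorizes ann.origin_as for this
    prefix length, 'invalid' if covering ROAs exist but none matches, and
    'not_found' if no ROA covers the prefix at all (e.g. unallocated space).
    """
    net = ip_network(ann.prefix)
    covering = [r for r in roas if net.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "not_found"
    if any(r.origin_as == ann.origin_as and net.prefixlen <= r.max_len
           for r in covering):
        return "valid"
    return "invalid"


def upstream_changed(ann: Announcement, baseline: dict) -> bool:
    """Hypothetical early-warning heuristic (an assumption for illustration,
    not the early warning system the authors outline): flag a route whose
    origin AS is reached through a neighbour AS never seen for it before.
    baseline maps origin AS -> set of neighbour ASes observed historically."""
    if len(ann.as_path) < 2:
        return False
    neighbour = ann.as_path[-2]
    return neighbour not in baseline.get(ann.origin_as, set())


# Constructed sample data: AS64496 owns 192.0.2.0/24 and normally sits behind
# upstream AS64500; the collector peers with AS64510.
ROAS = [Roa("192.0.2.0/24", 24, 64496)]
BASELINE = {64496: {64500}}

LEGIT = Announcement("192.0.2.0/24", (64510, 64500, 64496))
PREFIX_HIJACK = Announcement("192.0.2.0/24", (64510, 64501))          # foreign origin AS
AS_HIJACK = Announcement("192.0.2.0/24", (64510, 64502, 64496))       # victim's ASN, new upstream
UNALLOCATED = Announcement("198.51.100.0/24", (64510, 64502, 64496))  # no ROA covers it


def assess(ann: Announcement) -> tuple:
    """Return (origin validation state, whether the upstream neighbour is new)."""
    return validate_origin(ann, ROAS), upstream_changed(ann, BASELINE)


if __name__ == "__main__":
    for name, ann in [("legit", LEGIT), ("prefix hijack", PREFIX_HIJACK),
                      ("AS hijack", AS_HIJACK), ("unallocated", UNALLOCATED)]:
        state, new_upstream = assess(ann)
        print(f"{name:14s} rov={state:9s} new_upstream={new_upstream}")
```

Running the block prints the prefix hijack as invalid but the AS hijack as valid; only the assumed neighbour baseline separates the legitimate route from the hijacked one, which is the gap between origin validation and the control-plane history a forensic analysis has to draw on.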

Public Review By: 
Fabian E. Bustamante

The Internet is a large, loose federation of autonomous systems (AS) connected, at the routing level, by the Border Gateway Protocol (BGP). Known vulnerabilities in the current BGP have motivated several studies on attack detection and counter-measures, as well as a few secure BGP alternatives. This paper contributes to the existing work a nicely detailed study of a particular, long-term AS hijacking event outlining the method of attack and how the attacker exploited the hijacked AS.

An AS hijacking attack, a subset of the class of last-hop attacks, is defined as one in which the attacker claims ownership of a whole AS and its prefixes despite origin validation. With some gritty detective work, the authors pieced together several data sources (including NANOG emails, RouteViews data, a RIPE database dump from a mirror site, the Spamhaus register and netflow data from Munich's scientific network) to reveal the timeline, possible methodology and motivation for an attack carried out over several months in early 2011. In an attempt to generalize from the study of a particular event, the authors discussed some of the lessons learned and outlined the high-level design of an early warning system for this type of attack.

While reviewers generally questioned the value of the authors' lessons and the system sketch, there was a clear consensus that a detailed analysis of a particular attack is always interesting and sometimes