ARTEMIS: Real-Time Detection and Automatic Mitigation for BGP Prefix Hijacking
Gavriil Chaviaras, Petros Gigis, Pavlos Sermpezis, Xenofontas Dimitropoulos
FORTH / University of Crete, Greece {gchaviaras, gkigkis, sermpezis, fontas}@ics.forth.gr
ABSTRACT
Prefix hijacking is a common phenomenon in the Internet that often causes routing problems and economic losses. In this demo, we propose ARTEMIS, a tool that enables network administrators to detect and mitigate prefix hijacking incidents against their own prefixes. ARTEMIS is based on the real-time monitoring of BGP data in the Internet and software-defined networking (SDN) principles, and can completely mitigate a prefix hijacking within a few minutes (e.g., 5-6 mins in our experiments) after it has been launched.
CCS Concepts: • Networks → Network management; Network monitoring; • Security and privacy → Network security;
1. INTRODUCTION
The Internet is composed of thousands of Autonomous Systems (ASes), whose inter-domain traffic is routed with the Border Gateway Protocol (BGP). Due to the distributed nature and lack of authorization in BGP, an AS can advertise illegitimate paths or prefixes owned by other ASes, i.e., hijacking their prefixes. Prefix hijacking can cause serious routing problems and economic losses. For instance, YouTube's prefixes were hijacked in 2008, disrupting its services for more than hours [1], whereas China Telecom hijacked prefixes (about of the BGP table) in 2010, causing routing problems in the whole Internet for several minutes [2]. Prefix hijacking (due to an attack or misconfiguration) is a common phenomenon in the Internet, and since its prevention is not always possible, mechanisms for its detection and mitigation are needed. To this end, several methodologies for detecting prefix hijackings have been proposed, e.g., [3, 4]. However, most previous works focus on alert systems that are not controlled by the AS itself [3, 4], but offer BGP prefix hijacking detection as a service to ASes. In addition, previous research focuses primarily on accurately detecting BGP hijacks, rather than timely detecting and mitigating them. The whole detection/mitigation cycle presently has significant delay: (i) aggregated BGP data from RouteViews [5] or RIPE RIS [6], which are commonly used for detection, become available approximately every hours (BGP full RIBs) or mins (BGP updates); (ii) a network administrator that receives a notification from a third-party alert system needs to manually process it to verify whether the notification corresponds to a hijacking or is a false alarm; and (iii) for mitigation, administrators often need to manually reconfigure routers or contact administrators of other ASes to filter announcements. YouTube, for example, reacted about 80 min after the hijacking of its prefixes. These problems render existing mechanisms inefficient, especially for the large percentage of hijacking events that last only for a short time (cf., more than of hijacks last < mins [3]).

In this work, our goal is to enable network administrators to timely detect and mitigate prefix hijacking incidents, e.g., in 5-6 mins, against their own prefixes. To accelerate detection, our approach exploits real-time BGP data from: (i) Looking Glass (LG) servers; and (ii) BGP collectors with live data streaming capabilities, which are provided by the RIPE RIS [6, 7] and BGPmon [8] projects. LGs provide a view directly from operational BGP routers, without intermediate collectors, while the (recent) RIPE RIS streaming service [7] and BGPmon [8] provide real-time feeds of the collected BGP data. Furthermore, we automatically mitigate hijackings of prefixes owned by an AS by announcing de-aggregated BGP prefixes.

SIGCOMM '16, August 22–26, 2016, Florianopolis, Brazil
ACM ISBN 978-1-4503-4193-6/16/08. DOI: http://dx.doi.org/10.1145/2934872.2959078
We combine these in a tool we call ARTEMIS (Automatic and Real-Time dEtection and MItigation System), which can detect a prefix hijack in near real-time and mitigate it without any manual intervention. We evaluated ARTEMIS in real settings, by deploying it to detect and mitigate prefix hijackings performed against our own prefixes from an actual AS in the Internet. We found that we can detect hijacks in < min, start the mitigation in a few seconds, and completely solve the problem in around mins. To the best of our knowledge, this is the first time that we can detect and mitigate hijacks within a few minutes.
2. ARTEMIS OVERVIEW
Figure 1: ARTEMIS overview.

ARTEMIS consists of three components: a detection, a mitigation, and a monitoring service, as shown in Fig. 1. The detection service runs continuously and combines control plane information from Periscope [9] (an LG API), the streaming service of RIPE RIS [7], and BGPmon [8], which return in near real-time BGP routes/updates for a given list of prefixes and ASNs. By combining multiple sources, the delay of the detection phase is the minimum of the delays of these sources. The system can be parametrized (e.g., selecting LGs based on location or connectivity) to achieve trade-offs between monitoring overhead and detection efficiency/speed.

When a prefix hijacking is detected, ARTEMIS launches the mitigation service, which changes the configuration of BGP routers to announce the de-aggregated sub-prefixes of the hijacked prefix. Therefore, ARTEMIS assumes permissions for sending BGP advertisements for the owned prefixes from the BGP routers of the network. This can be effectively accomplished by running ARTEMIS, as an application-level module, over a network controller that supports BGP, like ONOS [10] or OpenDayLight [11]. Prefix de-aggregation is effective for hijacks of IP address prefixes larger than /24, but it might not work for /24 prefixes, as BGP advertisements of prefixes smaller than /24 are filtered by some ISPs.

In parallel to the mitigation, a monitoring service is running to provide real-time information about the mitigation process. This service uses again data from Periscope, RIPE RIS, and BGPmon to monitor/visualize the mitigation.
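The detection and mitigation logic described above, as an added example written for this page (it is not ARTEMIS code). It assumes a hypothetical merged feed of route records from the three sources, hypothetical ASNs 64501 (legitimate origin) and 64511 (hijacker), and the prefix 10.0.0.0/23 as a placeholder. The check goes slightly beyond the text: besides an exact-prefix announcement with a foreign origin AS, it also flags a more-specific of the owned prefix announced with a foreign origin, while leaving the de-aggregated /24s that the mitigation itself announces from the legitimate ASN unflagged. The de-aggregation step refuses to split a /24, matching the filtering caveat in the overview.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample of the prefixes this AS legitimately originates.
# The ASNs and prefixes are hypothetical placeholders chosen for this example.
OWNED_PREFIXES = {"10.0.0.0/23": 64501}

# Longest IPv4 prefix expected to propagate; announcements more specific
# than /24 are filtered by some ISPs, so de-aggregating a /24 is pointless.
MAX_ANNOUNCEABLE_PREFIXLEN = 24


@dataclass(frozen=True)
class Update:
    """One route/update record as a merged feed might deliver it (hypothetical schema)."""
    ts: int                     # seconds since an arbitrary epoch
    source: str                 # feed name: "periscope", "ris" or "bgpmon"
    vantage: str                # vantage point (LG router or collector peer)
    prefix: str
    as_path: Tuple[int, ...]    # AS path as observed, origin AS last


def classify_update(upd: Update, owned=OWNED_PREFIXES) -> Optional[Tuple[str, str, int]]:
    """Return None for a benign update, else (kind, owned_prefix, bogus_origin).

    kind is "exact" when our exact prefix carries a foreign origin AS, or
    "subprefix" when a more-specific of our prefix carries a foreign origin.
    More-specifics from our own ASN are what the mitigation announces, so
    they are not flagged.
    """
    if not upd.as_path:
        return None
    announced = ipaddress.ip_network(upd.prefix, strict=False)
    origin = upd.as_path[-1]
    for owned_prefix, legit_asn in owned.items():
        owned_net = ipaddress.ip_network(owned_prefix)
        if announced.version != owned_net.version or origin == legit_asn:
            continue
        if announced == owned_net:
            return ("exact", owned_prefix, origin)
        if announced.subnet_of(owned_net):
            return ("subprefix", owned_prefix, origin)
    return None


def deaggregate(prefix: str):
    """Split a hijacked prefix into its two more-specific halves.

    Returns [] when the halves would be longer than /24 and therefore
    likely to be filtered on their way through the Internet.
    """
    net = ipaddress.ip_network(prefix)
    if net.version != 4:
        raise ValueError("this example handles IPv4 prefixes only")
    if net.prefixlen >= MAX_ANNOUNCEABLE_PREFIXLEN:
        return []
    return [str(s) for s in net.subnets(prefixlen_diff=1)]


def detect_and_plan(updates, hijack_started_at: int):
    """Scan the merged feed in time order and stop at the first hijack evidence.

    Because all sources are merged, the detection delay is the minimum of the
    sources' individual delays. Returns None if nothing suspicious was seen.
    """
    for upd in sorted(updates, key=lambda u: u.ts):
        verdict = classify_update(upd)
        if verdict is None:
            continue
        kind, owned_prefix, bogus_origin = verdict
        return {
            "detected_at": upd.ts,
            "detection_delay": upd.ts - hijack_started_at,
            "source": upd.source,
            "vantage": upd.vantage,
            "kind": kind,
            "bogus_origin": bogus_origin,
            "announce": deaggregate(owned_prefix),
        }
    return None


# Constructed feed: three sources report routes for the monitored /23.
# The hijack (origin 64511) is launched at ts=5; the RIS stream carries
# the first evidence at ts=12, before the next Periscope poll at ts=20.
SAMPLE_FEED = [
    Update(0, "periscope", "lg-a", "10.0.0.0/23", (64510, 64501)),
    Update(9, "bgpmon", "collector-1", "10.0.0.0/23", (64530, 64510, 64501)),
    Update(12, "ris", "rrc-x", "10.0.0.0/23", (64520, 64511)),
    Update(20, "periscope", "lg-b", "10.0.0.0/23", (64510, 64511)),
]

if __name__ == "__main__":
    print(detect_and_plan(SAMPLE_FEED, hijack_started_at=5))
```

Running the block on the constructed feed reports the hijack seven seconds after launch via the RIS record and plans the announcement of 10.0.0.0/24 and 10.0.1.0/24; feeding it a /24 instead yields an empty announcement list, the case where de-aggregation cannot help.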
3. EXPERIMENTS WITH A REAL AS
To evaluate ARTEMIS, we conduct prefix hijackings against our own prefixes in the Internet. We use the PEERING testbed [12], which owns actual AS numbers (ASNs) and IP prefixes, and is connected to the Internet at multiple sites (university networks and IXPs). Through PEERING, we run a virtual AS, which announces a prefix and uses ARTEMIS to detect and mitigate hijackings for this prefix. We then announce the same prefix from another virtual AS of PEERING, effectively emulating a prefix hijacking attack. We associate different sites with the two ASes, and denote them as ASN-1 and ASN-2. Each experiment consists of the following phases.

(Phase-1) Setup. We announce an IP prefix, say 10.0.0.0/23, from the legitimate owner of the prefix (ASN-1), and wait until the announcement becomes visible to all the LGs in our arsenal, i.e., for BGP convergence.

(Phase-2) Hijacking and Detection. Then, from a different site of PEERING, ASN-2 hijacks the prefix 10.0.0.0/23, announcing it with ASN-2 as the origin AS number. The new announcement disseminates in the Internet as well, and the ASes that are "closer" change their preferred path for the prefix to ASN-2. We measure the time until ARTEMIS detects the prefix hijacking by observing an announcement with an illegitimate origin AS in the data it processes from Periscope, RIPE RIS, and BGPmon.

(Phase-3) Mitigation. Immediately after the detection, ARTEMIS triggers prefix de-aggregation to mitigate the attack: it splits the hijacked prefix 10.0.0.0/23 into two more specific sub-prefixes, i.e., 10.0.0.0/24 and 10.0.1.0/24, and announces them. The announcements for the /24 sub-prefixes disseminate in the Internet, and the routes change back to ASN-1, since the more specific /24 prefixes are preferred over the initial /23 prefix. We measure the time from the moment prefix de-aggregation is triggered until all the vantage points in our data have switched to the legitimate ASN-1.

Our preliminary results over a few dozen experiments show that ARTEMIS needs (on average) secs to detect the hijacking, secs to announce the de-aggregated /24 prefixes (through the controller), and, after that, the mitigation is completed within mins. In total, the hijacking is completely mitigated around mins after it has been launched (which is smaller than the duration of > of the hijacking cases observed in [3]). The detection is faster because it needs at least one observation of the bogus route, while the mitigation is completed when every router has the legitimate route.
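The measurement in Phases 2 and 3, as an added example that is not code from the paper or from the PEERING testbed: it replays vantage-point observations of the form (timestamp, vantage point, prefix, origin AS) and reports when the hijack was first observed and when every vantage point had switched back to the legitimate origin. Each vantage point's table is resolved with longest-prefix matching, which is what makes the /24 announcements override the hijacked /23 and also explains why a vantage point that has received only one of the two /24s still sends half of the address space to the hijacker. The ASNs 64501 (standing in for ASN-1) and 64511 (ASN-2), the prefix, and the timeline are constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Hypothetical placeholders for ASN-1 (legitimate origin) and ASN-2 (hijacker).
ASN_1 = 64501
ASN_2 = 64511
PREFIX = "10.0.0.0/23"


def longest_match_origin(rib, address):
    """Origin AS a vantage point forwards towards for `address`.

    The most specific matching prefix wins, which is why a /24 announced by
    ASN-1 takes precedence over the hijacked /23 announced by ASN-2.
    """
    addr = ipaddress.ip_address(address)
    best_len, best_origin = -1, None
    for prefix, origin in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_origin = net.prefixlen, origin
    return best_origin


def probe_addresses(prefix):
    """One representative address per /24 covered by the prefix."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen >= 24:
        return [str(net.network_address)]
    return [str(s.network_address) for s in net.subnets(new_prefix=24)]


def replay(events, hijack_ts, trigger_ts, prefix=PREFIX, legit=ASN_1):
    """Replay (ts, vantage, prefix, origin) observations in time order.

    Returns (detection_ts, mitigation_complete_ts): the first observation of
    a foreign origin for the prefix or a more-specific of it, and the first
    moment at or after trigger_ts at which every vantage point resolves all
    of the prefix's address space to the legitimate origin.
    """
    target = ipaddress.ip_network(prefix)
    probes = probe_addresses(prefix)
    ribs = defaultdict(dict)            # vantage point -> {prefix: origin}
    detection_ts = mitigation_complete_ts = None
    for ts, vp, pfx, origin in sorted(events):
        ribs[vp][pfx] = origin
        if (detection_ts is None and ts >= hijack_ts and origin != legit
                and ipaddress.ip_network(pfx).subnet_of(target)):
            detection_ts = ts
        if mitigation_complete_ts is None and ts >= trigger_ts:
            if all(longest_match_origin(rib, a) == legit
                   for rib in ribs.values() for a in probes):
                mitigation_complete_ts = ts
    return detection_ts, mitigation_complete_ts


def summarize(events, hijack_ts, trigger_ts):
    """Detection delay, mitigation duration and total exposure, in the
    same units as the event timestamps."""
    det, done = replay(events, hijack_ts, trigger_ts)
    return {
        "detection_delay": det - hijack_ts,
        "mitigation_duration": done - trigger_ts,
        "total": done - hijack_ts,
    }


# Constructed timeline in seconds: hijack launched at t=0, de-aggregation
# triggered at t=10. vp2 never prefers the hijacker but must still receive
# the /24s; vp3 is the last to converge and therefore sets the end time.
SAMPLE_EVENTS = [
    (-30, "vp1", "10.0.0.0/23", ASN_1),
    (-30, "vp2", "10.0.0.0/23", ASN_1),
    (-30, "vp3", "10.0.0.0/23", ASN_1),
    (8, "vp1", "10.0.0.0/23", ASN_2),
    (15, "vp3", "10.0.0.0/23", ASN_2),
    (40, "vp1", "10.0.0.0/24", ASN_1),
    (55, "vp1", "10.0.1.0/24", ASN_1),
    (55, "vp2", "10.0.0.0/24", ASN_1),
    (55, "vp2", "10.0.1.0/24", ASN_1),
    (90, "vp3", "10.0.0.0/24", ASN_1),
    (130, "vp3", "10.0.1.0/24", ASN_1),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS, hijack_ts=0, trigger_ts=10))
```

On the constructed timeline the hijack is detected after 8 seconds (one bogus observation suffices), while mitigation completes only at t=130, when the slowest vantage point has installed the second /24. The asymmetry between the two numbers is the point the paper makes at the end of Section 3.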
4. DEMO
The goal of the demo is to show that it is possible to detect and mitigate BGP prefix hijackings in near real-time on the actual Internet. We will use ARTEMIS over the PEERING testbed to perform hijacking experiments, like in Section 3. Using the monitoring service of ARTEMIS, we will visualize in real-time how the hijacking incident propagates in the Internet, turning affected networks towards the illegitimate AS. This, as well as the effect of the mitigation, will be demonstrated with a geographical visualization of vantage points around the globe that select the (il-)legitimate origin AS.
Acknowledgements. This work has been funded by the European Research Council Grant Agreement no. 338402.
5. REFERENCES
[3] Proc. ACM IMC, 2012.
[4] M. Lad, et al., "PHAS: A prefix hijack alert system," in Usenix Security