HEAP: Reliable Assessment of BGP Hijacking Attacks

TL;DR

This paper introduces HEAP, a comprehensive tool that improves the detection and validation of BGP hijacking attacks by integrating multiple data sources and analysis techniques to reduce false alarms and accurately assess attack impact.

Contribution

The paper presents HEAP, a novel system that enhances BGP hijacking detection by combining formal modeling, data analysis, and validation methods to improve accuracy and reliability.

Findings

HEAP effectively reduces false positives in hijacking detection.

Routing anomalies are mostly harmless according to analysis.

HEAP can validate and cross-check hijacking alarms.

Abstract

The detection of BGP prefix hijacking attacks has been the focus of research for more than a decade. However, state-of-the-art techniques fall short of detecting more elaborate types of attack. To study such attacks, we devise a novel formalization of Internet routing, and apply this model to routing anomalies in order to establish a comprehensive attacker model. We use this model to precisely classify attacks and to evaluate their impact and detectability. We analyze the eligibility of attack tactics that suit an attacker's goals and demonstrate that related work mostly focuses on less impactful kinds of attacks. We further propose, implement and test the Hijacking Event Analysis Program (HEAP), a new approach to investigate hijacking alarms. Our approachis designed to seamlessly integrate with previous work in order to reduce the high rates of false alarms inherent to these techniques. We leverage several unique data sources that can reliably disprove malicious intent. First, we make use of an Internet Routing Registry to derive business or organisational relationships between the parties involved in an event. Second, we use a topology-based reasoning algorithm to rule out events caused by legitimate operational practice. Finally, we use Internet-wide network scans to identify SSL/TLS-enabled hosts, which helps to identify non-malicious events by comparing public keys prior to and during an event. In our evaluation, we prove the effectiveness of our approach, and show that day-to-day routing anomalies are harmless for the most part. More importantly, we use HEAP to assess the validity of publicly reported alarms. We invite researchers to interface with HEAP in order to cross-check and narrow down their hijacking alerts.