Using Machine Learning to Detect IP Hijacking
This is interesting research:
In a BGP hijack, a malicious actor convinces nearby networks that the best path to reach a specific IP address is through their network. That’s unfortunately not very hard to do, since BGP itself doesn’t have any security procedures for validating that a message is actually coming from the place it says it’s coming from.
[…]
To better pinpoint serial attacks, the group first pulled data from several years’ worth of network operator mailing lists, as well as historical BGP data taken every five minutes from the global routing table. From that, they observed particular qualities of malicious actors and then trained a machine-learning model to automatically identify such behaviors.
The system flagged networks that had several key characteristics, particularly with respect to the nature of the specific blocks of IP addresses they use:
- Volatile changes in activity: Hijackers’ address blocks seem to disappear much faster than those of legitimate networks. The average duration of a flagged network’s prefix was under 50 days, compared to almost two years for legitimate networks.
- Multiple address blocks: Serial hijackers tend to advertise many more blocks of IP addresses, also known as “network prefixes.”
- IP addresses in multiple countries: Most networks don’t have foreign IP addresses. In contrast, for the networks that serial hijackers advertised that they had, they were much more likely to be registered in different countries and continents.
Note that this is much more likely to detect criminal attacks than nation-state activities. But it’s still good work.
Academic paper.
Subscribe to comments on this entry
Clive Robinson • October 17, 2019 10:13 AM
However it does not answer the important question of,
Who is sending out the bad information?
That is it is not enough to detect a crime, you need to find the guilty persons or atleast their trail.
Which a more technical solution to BGP would atleast resolve to a given point such as a PubKey certificate, chain etc.
But currently there can be various reasons to make BGB attacks.
1, To get at traffic that would not normally be available for surveillance.
2, To push traffic onto a network to in effect DoS it.
Both of these can be done for opposit reasons.
Take the case where a SigInt agency wants to look at traffic. In the case of foreign traffic they would have to “pull” the traffic to them. But if it’s dommestic traffic that legaly they are not alowed to gather, a “push” to make it foreign traffic gets the traffic under their eyes.
Which makes attribution atleast more difficult than it could be. So we can leave punishment discussions out. But even with technical solutions in place due to the fact that we have reason to believe PubKey certs can be misappropriated etc[1] it still makes attribution difficult.
However a technical solution does alow “bad actor certs” to be automatically down gradded on the various metrics, untill “human eyes” have looked things over. Thus making future attacks rather harder to do. Which whilst not solving the problem does reduce it to more managable levels.
[1] Think back to Stuxnet and one or two other attacks.