www.ijecs.in International Journal Of Engineering And Computer Science ISSN:2319-7242 Volume 4 Issue 2 February 2015, Page No. 10392-10395

Survey on Improving System Security using BGP and IP Prefix Hijacking

Trishula A. Hajare, D. A. Chaudhari

ME Computer Student, DYPCOE Akurdi, Savitribai Phule Pune University, India
hajaretrishula@gmail.com

Assistant Professor in Computer Department, DYPCOE Akurdi, Savitribai Phule Pune University, India
dipalee.rane@gmail.com

Abstract - Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information between autonomous systems (AS). The protocol is often classified as a path vector protocol but is sometimes also classed as a distance vector routing protocol. BGP does not use traditional Interior Gateway Protocol (IGP) metrics, but makes routing decisions based on path, network policies and/or rule-sets configured by a network administrator. BGP plays a key role in the overall operation of the Internet and is involved in making core routing decisions. BGP is the successor to the Exterior Gateway Protocol (EGP) and is currently the most widely used exterior gateway protocol among Internet service providers (ISPs), because it allows for fully decentralised routing.

Keywords: Alert service, Autonomous systems, Border gateway protocol, Reputation.

I. Introduction

Dynamic routing protocols are typically used in larger networks to ease the administrative and operational overhead of using only static routes. Typically, a network uses a combination of a dynamic routing protocol and static routes. In most networks a single dynamic routing protocol is used; however, there are cases where different parts of the network use different routing protocols.
Although many networks will use only a single routing protocol or use only static routes, it is important for a network professional to understand the concepts and operations of all the different routing protocols. A network professional must be able to make an informed decision regarding when to use a dynamic routing protocol and which routing protocol is the best choice for a particular environment.

Dynamic routing protocols have evolved over several years to meet the demands of changing network requirements. Although many organizations have migrated to more recent routing protocols such as Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF), many of the earlier routing protocols, such as Routing Information Protocol (RIP), are still in use today. Dynamic routing protocols have been used in networks since the early 1980s. The first version of RIP was released in 1982, but some of the basic algorithms within the protocol were used on the ARPANET as early as 1969. As networks have evolved and become more complex, new routing protocols have emerged. Figure shows a timeline of IP routing protocols, with a chart that helps classify the various protocols. This chart will be referred to several times throughout this book.

One of the earliest routing protocols was RIP. [3] RIP has evolved into a newer version, RIPv2. However, the newer version of RIP still does not scale to larger network implementations. To address the needs of larger networks, two advanced routing protocols were developed: OSPF and Intermediate System-to-Intermediate System (IS-IS). Cisco developed Interior Gateway Routing Protocol (IGRP) and Enhanced IGRP (EIGRP). EIGRP also scales well in larger network implementations. Additionally, there was the need to interconnect different internetworks and provide routing among them.
Border Gateway Protocol (BGP) is now used between Internet service providers (ISPs) as well as between ISPs and their larger private clients to exchange routing information. [2] Figure shows how routing protocols can be classified according to various characteristics and gives an overview of the most common IP routing protocols. Routing protocols can be classified into different groups according to their characteristics:

- IGP or EGP
- Distance vector or link-state
- Classful or classless

The most commonly used routing protocols are as follows:

- RIP: A distance vector interior routing protocol
- IGRP: The distance vector interior routing protocol developed by Cisco
- OSPF: A link-state interior routing protocol
- IS-IS: A link-state interior routing protocol
- EIGRP: The advanced distance vector interior routing protocol developed by Cisco
- BGP: A path vector exterior routing protocol

IGP and EGP: An autonomous system (AS), otherwise known as a routing domain, is a collection of routers under a common administration. Typical examples are a company's internal network and an ISP's network. Because the Internet is based on the autonomous system concept, two types of routing protocols are required: interior and exterior routing protocols. These protocols are as follows.

- Interior gateway protocols (IGP): Used for intra-autonomous system routing, that is, routing inside an autonomous system.
- Exterior gateway protocols (EGP): Used for inter-autonomous system routing, that is, routing between autonomous systems. [1]

Figure shows a simplified view of the difference between IGPs and EGPs. IGPs are used for routing within a routing domain, the networks within the control of a single organization. An autonomous system is commonly composed of many individual networks belonging to companies, schools, and other institutions.
An IGP is used to route within the autonomous system and also to route within the individual networks themselves. For example, the Corporation for Education Network Initiatives in California (CENIC) operates an autonomous system composed of California schools, colleges, and universities. CENIC uses an IGP to route within its autonomous system to interconnect all of these institutions. Each of the educational institutions also uses an IGP of its own choosing to route within its own individual network. The IGP used by each entity provides best-path determination within its own routing domain, just as the IGP used by CENIC provides best-path routes within the autonomous system itself. IGPs for IP include RIP, IGRP, EIGRP, OSPF, and IS-IS.

Routing protocols (more specifically, the algorithm used by each routing protocol) use a metric to determine the best path to a network. The metric used by RIP is hop count, which is the number of routers that a packet must traverse to reach another network. OSPF uses bandwidth to determine the shortest path.

EGPs, on the other hand, are designed for use between different autonomous systems that are under the control of different administrations. BGP is the only currently viable EGP and is the routing protocol used by the Internet. BGP is a path vector protocol that can use many different attributes to measure routes. At the ISP level, there are often more important issues than just choosing the fastest path. BGP is typically used between ISPs and sometimes between a company and an ISP. BGP is not part of this course or CCNA; it is covered in CCNP.

II. IP Prefix Hijacking

We present novel and practical techniques to accurately detect IP prefix hijacking attacks in real time to facilitate mitigation. Attackers may hijack a victim's address space to disrupt network services or to perpetrate malicious activities such as spamming and DoS attacks without disclosing their identity.
We propose novel ways to significantly improve the detection accuracy by combining analysis of passively collected BGP routing updates with data plane fingerprints of suspicious prefixes. [10] The key insight is to use data plane information, in the form of edge network fingerprinting, to disambiguate suspect IP hijacking incidents identified by routing anomaly detection. Conflicts in data plane fingerprints provide much more definitive evidence of successful IP prefix hijacking. Utilizing multiple real-time BGP feeds, we demonstrate the ability of our system to distinguish between legitimate routing changes and actual attacks. Strong correlation with addresses that originate spam emails from a spam honeypot confirms the accuracy of our techniques. [3]

Analogous to identity theft, IP address hijacking, also known as a fraudulent origin attack, is the theft of IP addresses belonging to other networks. It is an attack on the routing infrastructure, the Internet's control plane. To accomplish this, attackers announce hijacked address prefixes from networks they control, so that they can use the stolen addresses to send and receive traffic. To simplify, we use the term IP hijacking to mean hijacking of IP address prefixes.

Attackers may hijack IP address space for two purposes:

1) To conduct malicious activities such as spamming and DoS attacks without worrying about disclosing their identity through the source IPs. [2] Note that although source IPs can be easily spoofed due to the lack of ubiquitous deployment of ingress filtering, establishing a TCP connection still requires using a routable IP address.

2) To intentionally disrupt the communication or reachability of legitimate hosts numbered with the stolen addresses, effectively a more stealthy type of DoS attack.

Both types of hijacking can significantly disrupt the stability and security of the Internet.
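The two-stage detection described above (a routing-anomaly stage over BGP updates, followed by an edge-network fingerprint comparison that disambiguates the suspects), as an added example that is not code from the paper or from the PHAS or fingerprinting systems it cites. The feed line format, the prefix history, the fingerprint tuples and the AS numbers are constructed assumptions; a real deployment would learn the history from several route collectors and replace the fingerprint dictionaries with active probing of the prefix.

```python
"""
Hijack detection on BGP updates with data-plane disambiguation.

Added example, not code from the paper or from the PHAS or fingerprinting
systems it cites. The update feed, the prefix history, the fingerprint
format and the AS numbers are all constructed for illustration.
"""
import ipaddress

# Constructed stable history: origin ASes observed for each prefix over a
# long window. A real detector would learn this from several BGP feeds.
KNOWN_ORIGINS = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/22": {64501},
}


def parse_update(line):
    """Parse a constructed feed line.

    'A|<prefix>|<AS path>' -> (prefix, [as, ...]); the last AS is the origin.
    'W|<prefix>'           -> (prefix, None) for a withdrawal.
    """
    parts = line.strip().split("|")
    prefix = ipaddress.ip_network(parts[1])
    if parts[0] == "W":
        return prefix, None
    return prefix, [int(asn) for asn in parts[2].split()]


def classify_update(prefix, path, known=KNOWN_ORIGINS):
    """Control-plane verdict for one update (the routing-anomaly stage).

    'ok'         origin already known for this exact prefix or its covering block
    'moas'       same prefix, new origin AS (Multiple Origin AS conflict)
    'sub-prefix' more specific than a known block, announced by a foreign origin
    'unknown'    prefix never seen; 'withdraw' for withdrawals
    """
    if path is None:
        return "withdraw"
    origin = path[-1]
    key = str(prefix)
    if key in known:
        return "ok" if origin in known[key] else "moas"
    for block, owners in known.items():
        if prefix.subnet_of(ipaddress.ip_network(block)):
            return "ok" if origin in owners else "sub-prefix"
    return "unknown"


def disambiguate(prefix, baseline_fp, live_fp):
    """Data-plane stage: compare the stored fingerprint of the prefix's edge
    network with one probed after the suspect announcement. A conflict means
    the probes now reach a different network, i.e. a successful hijack; a
    match means the announcement was a legitimate routing change."""
    if live_fp.get(prefix) == baseline_fp.get(prefix):
        return "legitimate change"
    return "hijack"


def analyze(lines, baseline_fp, live_fp):
    """Run each update through both stages; returns [(prefix, verdict), ...].
    Only control-plane suspects trigger the (expensive) data-plane probe."""
    results = []
    for line in lines:
        prefix, path = parse_update(line)
        verdict = classify_update(prefix, path)
        if verdict in ("moas", "sub-prefix"):
            verdict += ": " + disambiguate(str(prefix), baseline_fp, live_fp)
        results.append((str(prefix), verdict))
    return results


# Constructed feed: a normal update, a MOAS conflict on the same /24, and a
# more-specific /24 carved out of the known /22 by an unrelated origin.
SAMPLE_UPDATES = [
    "A|203.0.113.0/24|64510 64505 64500",
    "A|203.0.113.0/24|64511 64666",
    "A|198.51.100.0/24|64512 64666",
]

# Constructed fingerprints: (hop count to the edge, responding TCP ports).
BASELINE_FP = {
    "203.0.113.0/24": (12, (80, 443)),
    "198.51.100.0/24": (9, (25, 443)),
}
LIVE_FP = {
    "203.0.113.0/24": (12, (80, 443)),  # unchanged: the MOAS was benign
    "198.51.100.0/24": (4, (22,)),      # a different network answers now
}

if __name__ == "__main__":
    for pfx, verdict in analyze(SAMPLE_UPDATES, BASELINE_FP, LIVE_FP):
        print(pfx, "->", verdict)
```

The MOAS case illustrates why the control-plane stage alone is not enough: the same prefix with a new origin is exactly what a legitimate provider change looks like, and only the unchanged fingerprint tells the two apart. The sub-prefix case is flagged even though the covering /22 is still announced normally, since a more-specific route wins longest-prefix matching regardless of the covering block.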
Moreover, stolen IPs have also been found to be sold or leased to networks in need of IP address space. Note that the symptom of IP hijacking from the victim's perspective is similar to other outages, making it nontrivial to diagnose. Besides malicious intent, IP hijacking can also result from unintentional network misconfiguration. The most notable example is the incident involving AS7007, which accidentally advertised to its upstream provider a short path to numerous prefixes belonging to other networks. Its provider did not filter out these bogus announcements, causing a large black hole for many destinations. [1]

IP hijacking is also known as BGP (Border Gateway Protocol) hijacking, because to receive traffic destined to hijacked IP addresses, the attacker has to make those IP addresses known to other parts of the Internet by announcing them through BGP, which is the interdomain routing protocol on the Internet today. A BGP route consists of a prefix and the AS path used to reach that prefix. IP hijacking occurs if an AS advertises a prefix that it is not authorized to use, either on purpose or by accident. Because the current BGP protocol implements little authentication and often assumes a significant level of trust between peering ASes, IP hijacking can easily succeed. Furthermore, because a BGP router cannot know the routing policies of its neighbours, nor accurately evaluate the validity of a routing announcement, there are significant difficulties in preventing malicious or misconfigured routing information from propagating through the entire Internet. [6]

An obvious way to prevent IP hijacking is to ensure proper configuration of route filters at the links between network providers and their customers, to preclude customers from announcing routes for prefixes they do not own.
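The provider-to-customer route filter just described, as an added example that is not from the paper or from any router vendor's configuration language. It mimics prefix-list semantics (a covering block plus a maximum accepted prefix length, so an allowed /24 cannot be re-announced as more-specific pieces) and also checks that the AS path starts with the session peer. Customer ASes, assigned blocks and announcements are constructed; the last sample is the multihoming situation in which the provider does not know about a block the customer obtained from a second provider, so the filter drops a legitimate route as well.

```python
"""
Provider-side customer route filter, modelled on the prefix-list idea.

Added example, not code from the paper or from any router vendor. It
accepts from a customer BGP session only prefixes inside the blocks the
provider knows it assigned to that customer, with an upper bound on the
prefix length. All customer ASes, blocks and announcements are constructed.
"""
import ipaddress

# Constructed assignment records for two customer sessions:
# customer AS -> [(assigned block, longest accepted prefix length), ...]
CUSTOMER_PREFIX_LIST = {
    64500: [("203.0.113.0/24", 24)],
    64501: [("198.51.100.0/22", 24)],
}


def filter_announcement(customer_as, prefix, path, prefix_list=CUSTOMER_PREFIX_LIST):
    """Decide whether one announcement received on the session with
    customer_as passes the inbound filter. Returns (accepted, reason)."""
    if not path or path[0] != customer_as:
        # The neighbour must appear first in the AS path it sends us.
        return False, "first AS in path is not the session peer"
    net = ipaddress.ip_network(prefix)
    for block, max_len in prefix_list.get(customer_as, []):
        if net.subnet_of(ipaddress.ip_network(block)):
            if net.prefixlen <= max_len:
                return True, f"covered by {block} le {max_len}"
            return False, f"more specific than {block} le {max_len}"
    return False, "prefix not assigned to this customer"


def apply_filter(announcements, prefix_list=CUSTOMER_PREFIX_LIST):
    """Filter a batch of (customer_as, prefix, path) tuples; returns the
    list of (prefix, accepted, reason) in input order."""
    return [
        (prefix, *filter_announcement(cust, prefix, path, prefix_list))
        for cust, prefix, path in announcements
    ]


# Constructed announcements seen on the two customer sessions.
SAMPLE_ANNOUNCEMENTS = [
    (64500, "203.0.113.0/24", [64500]),          # own block: accepted
    (64500, "198.51.100.0/24", [64500]),         # another customer's block: dropped
    (64500, "203.0.113.0/25", [64500]),          # too specific: dropped
    (64500, "203.0.113.0/24", [64599, 64500]),   # path does not start with peer: dropped
    (64501, "198.51.100.0/24", [64501, 64502]),  # /24 inside assigned /22: accepted
    # Multihoming gap: 64500 also holds 192.0.2.0/24 from a second provider
    # this one does not know about, so the legitimate route is dropped too.
    (64500, "192.0.2.0/24", [64500]),
]

if __name__ == "__main__":
    for prefix, ok, why in apply_filter(SAMPLE_ANNOUNCEMENTS):
        print("ACCEPT" if ok else "REJECT", prefix, "-", why)
```

The filter is only as good as the provider's record of what it assigned: the dropped 192.0.2.0/24 announcement is the practical pressure that leads operators to loosen such filters, and a loosened filter on any one provider is all a bogus announcement needs to propagate.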
However, this is both difficult and insufficient:

1) Providers do not always know which address blocks their customers are assigned, due to the prevalence of multihoming, which allows customers to obtain address prefixes from multiple providers.

2) Similar to ingress filtering, as long as there is one provider that does not properly enforce route filtering, IP hijacking remains possible.

3) Compromised routers in the core Internet can bypass such filters, as route filtering is impossible along peering edges due to the lack of information on addresses allocated to customers belonging to one's peer, usually one's competitor. [10]

III. Visual Analytics for BGP Monitoring and Prefix Hijacking Identification

The control plane of the Internet relies entirely on BGP as the interdomain routing protocol to maintain and exchange routing information between large network providers and their customers. However, an intrinsic vulnerability of the protocol is its inability to validate the integrity and correctness of routing information exchanged between peer routers. As a result, it is relatively easy for people with malicious intent to steal legitimate IP blocks through an attack known as prefix hijacking, which essentially consists of injecting bogus routing information into the system to redirect or subvert network traffic. In this article, we give a short survey of visualization methods that have been developed for BGP monitoring, in particular for the identification of prefix hijacks. Our goal is to illustrate how network visualization has the potential to assist an analyst in detecting abnormal routing patterns in massive amounts of BGP data. [9]

The Internet is partitioned into tens of thousands of independently administered routing domains called autonomous systems (ASs), belonging to different organizations. The Border Gateway Protocol (BGP) is the de facto interdomain routing protocol that maintains and exchanges routing information between ASs.
BGP was designed based on implicit trust between all participants. The protocol by itself does not provide any built-in mechanism to authenticate or validate the routes propagated through the system. Therefore, any AS can potentially announce bogus routes into the system, which can eventually trigger large-scale Internet anomalies, such as the YouTube hijack incident. This intrinsic weakness of the protocol can lead to prefix hijacking incidents, which consist of redirecting Internet traffic by tampering with the control plane itself.

This article gives a brief survey of visualization tools that were specifically designed for BGP monitoring and prefix hijack detection. Then we present the ongoing work done in VIS-SENSE, a European research project that aims at developing visual analytics tools to improve the efficiency of BGP monitoring and prefix hijacking detection. To this end, the analysis is focused on the Link Telecom hijack that took place between April and August 2011, which is one of the very few validated cases of prefix hijacking. [5]

IV. Conclusion

The routing infrastructure of the Internet relies entirely on BGP as the interdomain routing protocol to maintain and exchange routing information between network providers. Because of the vulnerable design of BGP, attackers can easily misuse the routing system through prefix hijacking in order to conduct malicious activities, such as spamming and DoS attacks, without worrying about disclosing their identity through their real source IPs. Efficient network monitoring tools are thus of utmost importance. However, network administrators are challenged today by the sheer volume of data to analyse, especially when it comes to BGP data collection and monitoring.
In this respect, a short survey is given on network visualization methods for BGP, in order to show how visual analysis tools can support an analyst in finding, understanding, and confirming BGP hijacks and other anomalies in routing data, complementing fully automated analytical methods.

References

[1] B. R. Smith and J. J. Garcia-Luna-Aceves, “Securing the border gateway routing protocol,” in Proc. Global Internet ’96, 1996, pp. 81–85.
[2] S. Cheung, “An efficient message authentication scheme for link state routing,” in Proc. 13th Annual Computer Security Applications Conference, 1997, pp. 90–98.
[3] M. O. Nicholes and B. Mukherjee, “A survey of security techniques for the Border Gateway Protocol (BGP),” IEEE Communications Surveys & Tutorials, vol. 11, no. 1, First Quarter 2009.
[4] J. Qiu, L. Gao, S. Ranjan, and A. Nucci, “Detecting bogus BGP route information: Going beyond prefix hijacking,” in Proc. IEEE SecureComm, 2007.
[5] G. Goodell, W. Aiello, T. Griffin, J. Ioannidis, P. McDaniel, and A. Rubin, “Working around BGP: An incremental approach to improving security and accuracy of interdomain routing,” in Proc. NDSS, 2003.
[6] J. Chang, K. K. Venkatasubramanian, A. G. West, S. Kannan, I. Lee, B. T. Loo, and O. Sokolsky, “AS-CRED: Reputation and alert service for interdomain routing,” IEEE Systems Journal, vol. 7, no. 3, September 2013.
[7] S. Kent, C. Lynn, and K. Seo, “Secure border gateway protocol (S-BGP),” IEEE J. Selected Areas Commun., vol. 18, no. 4, pp. 582–592, Apr. 2000.
[8] M. Zhao, S. Smith, and D. Nicol, “The performance impact of BGP security,” IEEE Network, vol. 19, no. 6, pp. 42–48, Nov.–Dec. 2005.
[9] J. Karlin, S. Forrest, and J. Rexford, “Autonomous security for autonomous systems,” Comput. Netw., vol. 52, no. 15, pp. 2908–2923, 2008.
[10] M. Lad, D. Massey, D. Pei, Y. Wu, B. Zhang, and L. Zhang, “PHAS: A prefix hijack alert system,” in Proc. 15th USENIX Security Symp., vol. 15, 2006, article 11.

Author Profile

Trishula A. Hajare received the B.E. degree in Information Technology from Annasaheb Dange College of Engineering and Technology, Ashta, Sangli in 2011. During 2012-2013 she was a lecturer at D.Y. Patil College of Engineering, Akurdi, Pune. She is now pursuing a Master's degree in Computer Engineering at D.Y. Patil College of Engineering, Akurdi, Pune.

Dipalee A. Chaudhari received the B.E. degree in Computer Science and Engineering from University of Pune in 2000 and the M.E. in Computer Engineering from University of Pune in 2010, and has 8 years of teaching experience.