Detection of BGP Hijacking Using TTL Analysis

Tamir Carmeli, M.Sc. Thesis Seminar
Monday, 11.12.2017, 13:30
Taub 601
Prof. R. Cohen

The Border Gateway Protocol (BGP) is a crucial part of the Internet infrastructure. However, it was developed in the 1980s with limited concern for security. In particular, its lack of authentication makes it vulnerable to the so-called prefix hijacking attack. In this attack, a malicious or compromised BGP router announces a route to an IP prefix it does not own. Consequently, packets destined for this prefix are actually forwarded to the attacker. A special case of this attack is when the attacker manages to forward the hijacked traffic on to the intended destination. This special case is often referred to as an interception attack. Interception attacks have been publicly documented since 2013, when a Belarusian ISP successfully intercepted traffic whose original route should never have left North America. In this research we study the effect of prefix interception on the TTL (Time To Live) value of hijacked packets as observed at their real destinations, with the aim of determining whether a sudden TTL increase observed in the packets is the outcome of prefix interception or of a legitimate link failure. We first analyze how interception attacks and link failures change the TTL from the perspective of the packet receiver, and then study additional effects of the prefix interception attack. Finally, we propose a detection method based on our findings and evaluate its performance over simulated instances of prefix interception attacks.
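As an added illustration (not the thesis's own method or code), the following Python sketch shows the receiver-side observation the abstract builds on: inferring a hop count from each packet's arriving TTL and flagging a sudden, sustained increase for a given source, which is the event the thesis then attributes either to interception or to a legitimate link failure. The initial TTL values, the thresholds and the sample packet stream are assumptions constructed for the example.

```python
from statistics import median

# Assumption: senders use one of the common OS default initial TTLs.
INITIAL_TTLS = (64, 128, 255)


def infer_hops(ttl):
    """Estimate how many routers a packet traversed from its observed TTL."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    raise ValueError("TTL out of range: %d" % ttl)


def detect_ttl_jumps(packets, warmup=5, min_increase=3, consecutive=3):
    """Flag sources whose inferred hop count jumps above their baseline.

    packets: iterable of (seq, src, ttl) tuples in arrival order.
    The baseline is the median hop count of the first `warmup` packets per
    source. An alert (src, seq, baseline, hops) is emitted once `consecutive`
    packets in a row exceed the baseline by at least `min_increase` hops, so a
    single out-of-order or rerouted packet does not trigger on its own.
    """
    history, baseline, streak, alerts = {}, {}, {}, []
    for seq, src, ttl in packets:
        hops = infer_hops(ttl)
        if src not in baseline:
            history.setdefault(src, []).append(hops)
            if len(history[src]) == warmup:
                baseline[src] = median(history[src])
            continue
        if hops - baseline[src] >= min_increase:
            streak[src] = streak.get(src, 0) + 1
            if streak[src] == consecutive:
                alerts.append((src, seq, baseline[src], hops))
        else:
            streak[src] = 0
    return alerts


# Constructed sample: one source is stable at TTL 54 (10 hops from an initial
# 64), then its packets start arriving with TTL 47 (17 hops), i.e. a longer path.
SAMPLE = [(i, "203.0.113.7", 54) for i in range(8)] + \
         [(i, "203.0.113.7", 47) for i in range(8, 14)]

if __name__ == "__main__":
    for src, seq, base, hops in detect_ttl_jumps(SAMPLE):
        print("TTL jump: %s at packet %d, baseline %d hops, now %d hops"
              % (src, seq, base, hops))
```

Such an alert only marks a candidate event; the abstract notes that the same TTL increase can result from a link failure, which is why the thesis studies additional effects before attributing it to interception.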
