Malicious BGP hijacks

Appearances can be deceiving

Pierre Antoine Vervier, Quentin Jacquemart, Johann Schlamp, Olivier Thonnard, Georg Carle, Guillaume Urvoy-Keller, Ernst Biersack, Marc Dacier

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

5 Citations (Scopus)

Abstract

BGP hijacking is a well-known threat to the Internet routing infrastructure. There has been considerable interest in developing tools that detect prefix hijacking, but such systems usually identify a large number of events, many of them due to benign BGP engineering practices or misconfiguration. Ramachandran et al. [1] and later Hu et al. [2] also correlated suspicious routing events with spam and claimed to have found evidence of spammers temporarily stealing prefixes to send spam. In an effort to study at large scale the existence and prevalence of malicious BGP hijacks in the Internet, we developed a system which (i) identifies hijacks using BGP, traceroute and IRR data and (ii) investigates traffic originating from the reported networks with spam and netflow data. In this paper we present a real case where suspicious BGP announcements coincided with spam and web scam traffic from the corresponding networks. Through this case study we show that a correlation of suspicious routing events with malicious activities is insufficient to establish that a harmful BGP hijack took place. We thus question previously reported cases and conclude that identifying malicious BGP hijacks requires additional data sources as well as feedback from network owners in order to reach decisive conclusions.

Original language: English
Title of host publication: 2014 IEEE International Conference on Communications, ICC 2014
Publisher: IEEE Computer Society
Pages: 884-889
Number of pages: 6
ISBN (Print): 9781479920037
DOI: 10.1109/ICC.2014.6883431
Publication status: Published - 2014
Externally published: Yes
Event: 2014 1st IEEE International Conference on Communications, ICC 2014 - Sydney, NSW
Duration: 10 Jun 2014 to 14 Jun 2014

Other

Other: 2014 1st IEEE International Conference on Communications, ICC 2014
City: Sydney, NSW
Period: 10/6/14 to 14/6/14


ASJC Scopus subject areas

  • Computer Networks and Communications

Cite this

Vervier, P. A., Jacquemart, Q., Schlamp, J., Thonnard, O., Carle, G., Urvoy-Keller, G., ... Dacier, M. (2014). Malicious BGP hijacks: Appearances can be deceiving. In 2014 IEEE International Conference on Communications, ICC 2014 (pp. 884-889). [6883431] IEEE Computer Society. https://doi.org/10.1109/ICC.2014.6883431
