
Real-time system for detecting inter-domain routing man-in-the-middle attacks

Tsinghua University, Furen Net / 2017-07-07

LI Song1, DUAN Haixin2, LI Xing1,2
1. Department of Electronic Engineering, Tsinghua University, Beijing 100084, China;
2. Institute of Network Science and Cyberspace, Tsinghua University, Beijing 100084, China

Abstract:
Man-in-the-middle attacks have become a new serious threat to inter-domain routing. This paper presents a real-time system for detecting inter-domain routing man-in-the-middle attacks, based on an attack model and an analysis of the anomaly features such an attack produces in the routing control plane and the data plane. The detection system first discovers suspicious anomalous routes by monitoring the control plane, and then probes the data-plane forwarding path to determine whether the anomaly is an inter-domain routing man-in-the-middle attack. Tests on a real network deployment show that the system is lightweight and effectively detects probable inter-domain routing man-in-the-middle attacks in real time.
Key words: inter-domain routing; prefix hijacking; man-in-the-middle attack; detection
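As an added illustration (not the paper's code, and not its Figure 4 algorithm), the two-stage idea from the abstract in Python: a control-plane check of a new BGP update against a baseline of AS paths seen for the prefix, followed by a data-plane check of a probed forwarding path that separates interception from a benign multi-homing MOAS or a blackholing hijack. All ASNs, the prefix and the paths are constructed sample data, and the "extension distance" used here (how many ASes of a known path, origin included, the suspect AS appends after itself) is this example's own assumption.

```python
# Added example, not the paper's code. Baseline, ASNs, prefix and probe paths are constructed.
from dataclasses import dataclass

@dataclass
class Update:
    prefix: str
    as_path: tuple  # observer-side AS first, origin AS last

def longest_known_suffix(known_paths, path):
    """Length of the longest suffix of `path` that also ends some known path."""
    best = 0
    for kp in known_paths:
        n = 0
        while n < min(len(kp), len(path)) and kp[-1 - n] == path[-1 - n]:
            n += 1
        best = max(best, n)
    return best

def control_plane_check(baseline, upd):
    """Stage 1: return an alarm dict or None. A new origin is a MOAS; a known origin
    reached through an unseen path is a path extension (assumed distance definition)."""
    known = baseline.get(upd.prefix, set())
    if not known:
        return None                        # no learning-window data: cannot judge
    k = longest_known_suffix(known, upd.as_path)
    if k == len(upd.as_path):
        return None                        # path already in the baseline
    if k == 0:
        return {"kind": "moas", "suspect": upd.as_path[-1], "distance": 0}
    return {"kind": "path_extension", "suspect": upd.as_path[-1 - k], "distance": k}

def data_plane_check(alarm, fwd_path, legit_origins):
    """Stage 2: fwd_path is the ASN sequence seen on a probe toward the prefix."""
    s = alarm["suspect"]
    if s not in fwd_path:
        return "benign"                    # traffic never enters the suspect AS
    after = fwd_path[fwd_path.index(s) + 1:]
    if any(a in legit_origins for a in after):
        return "mitm"                      # suspect is on the path AND the owner is still reached
    return "hijack"                        # suspect absorbs the traffic: not an interception

# Constructed baseline: the prefix normally reaches its owner AS64510 via AS64502.
BASELINE = {"203.0.113.0/24": {(64501, 64502, 64510), (64503, 64502, 64510)}}
LEGIT_ORIGINS = {64510}

def classify(upd, fwd_path):
    """Run both stages; the data plane is probed only when the control plane raised an alarm."""
    alarm = control_plane_check(BASELINE, upd)
    return alarm, (data_plane_check(alarm, fwd_path, LEGIT_ORIGINS) if alarm else "normal")
```

In the constructed MITM case the update (64501, 64666, 64502, 64510) is flagged with suspect AS64666 at distance 2, and a probe path that passes through AS64666 and still ends at AS64510 yields "mitm", whereas a probe that stops inside AS64666 yields "hijack".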
Received: 2015-08-31; Published: 2015-12-01
CLC number: TP393.4
Corresponding author: DUAN Haixin, Professor, E-mail: duanhx@tsinghua.edu.cn
Cite this article:
LI Song, DUAN Haixin, LI Xing. Real-time system for detecting inter-domain routing man-in-the-middle attacks[J]. Journal of Tsinghua University (Science and Technology), 2015, 55(11): 1229-1234.
Article links:
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2015.21.017
http://jst.tsinghuajournals.com/CN/Y2015/V55/I11/1229


Figures and tables:
Fig. 1 Inter-domain routing man-in-the-middle attack model
Fig. 2 Legitimate MOAS caused by multi-homing versus an inter-domain routing man-in-the-middle attack with extension distance 1
Fig. 3 Framework of the real-time detection system for inter-domain routing man-in-the-middle attacks
Fig. 4 Detection algorithm for inter-domain routing man-in-the-middle attacks
Fig. 5 Number of MITM alarms and alarmed prefixes per day
Fig. 6 Example of an MITM alarm with extension distance greater than 1



