BGP Anomalies Detection Based on Internet Numbers Allocation

The Internet is composed of tens of thousands of network domains or Autonomous Systems (ASes), and Border Gateway Protocol (BGP) is the current de facto inter-domain routing protocol used by network domains to exchange reach ability of network prefixes. Despite of its vital importance to the correct operation of the global Internet, it is vulnerable to a number of security attacks including prefix hijacking and sub-prefix hijacking. One of the major security problems with BGP is the lack of mechanisms to authenticate or validate a route announced by a neighbor. Over the years, many large-scale BGP security events have been reported, where large blocks of the Internet prefixes became unreachable because of invalid advertisement of routes. Although many of the reported events were caused by unintentional misconfiguration, they nevertheless demonstrated the potential security problem of BGP. In this thesis we develop and study a new scheme to detect abnormal BGP updates including prefix and sub-prefix hijacking. This scheme correlates the network prefix and AS number allocation information that is publicly available to determine if a received route is safe. One critical advantage of the scheme is that it can be incrementally deployed by individual ASes which wish to identify and isolate the invalid routes. In this thesis we verify the effectiveness of the proposed scheme using the network prefix and AS number allocation information maintained by the main Regional Internet Registries (RIR) and the Internet Assigned Number Authority (IANA). Our performance studies show that the proposed scheme, though simple, can be quite effective in detecting prefix and sub-prefix hijacking attacks, despite of the incompleteness of the databases. Additionally, we suggest that in combination with our system, better policies for updating and maintaining allocation information should be followed.