IP address hijacking, a cyber-attack technique used for purposes ranging from disseminating spam and malware to stealing cryptocurrency, is on the rise. Routing incidents, IP hijacks among them, affected more than 10% of global routing domains in 2017 alone. Amazon and Google have both been hit, and intelligence reports suggest that state-affiliated entities, including a Chinese telecommunications firm, allegedly used the method to intercept and inspect western internet traffic.
Conventional approaches to detecting IP hijacks typically focus on addressing specific incidents as they unfold. However, imagine the revolutionary potential of predicting these attacks before they occur by identifying and tracking the perpetrators themselves. This paradigm shift forms the foundation of an innovative machine-learning system pioneered by researchers at MIT and the University of California at San Diego (UCSD).
By analyzing the patterns and characteristics of what they term "serial hijackers," the research team trained their AI-powered threat-detection system to identify approximately 800 suspicious networks. Their investigation revealed that some of these networks had been systematically hijacking IP addresses for years while going undetected.
"Network operators traditionally respond to these incidents reactively, handling them on a case-by-case basis, which inadvertently creates an environment where cybercriminals can flourish," explains lead author Cecilia Testart, a graduate student at MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL). "Our research represents a crucial first step in illuminating the behavioral patterns of serial hijackers and developing proactive defense mechanisms against their attacks."
This groundbreaking research emerged from a collaboration between CSAIL and the Center for Applied Internet Data Analysis at UCSD's Supercomputer Center. The paper was authored by Testart and David Clark, an MIT senior research scientist, alongside MIT postdoc Philipp Richter, data scientist Alistair King, and UCSD research scientist Alberto Dainotti.
The Vulnerability in Network Architecture
IP hijackers exploit a fundamental vulnerability in the Border Gateway Protocol (BGP), the routing mechanism that serves as the internet's nervous system, enabling different networks to communicate. Through BGP, networks exchange routing information, ensuring that data packets navigate their way to the correct destinations.
In a BGP hijack, a malicious actor persuades neighboring networks that the best path to a specific block of IP addresses runs through its own infrastructure. This deception is relatively easy to pull off because BGP has no built-in mechanism to verify that the network announcing a route actually holds the address space it claims.
"It's analogous to a game of Telephone, where you know your immediate neighbor but remain unaware of participants five or ten nodes away," Testart explains.
The vulnerability has persisted for decades. During the U.S. Senate's inaugural cybersecurity hearing in 1998, hackers demonstrated their ability to potentially disable the entire internet through IP hijacking in under 30 minutes. More than twenty years later, the absence of robust security implementations in BGP remains a critical concern.
To identify serial attackers more precisely, the research team first extracted data from several years of network operator mailing lists, supplemented by historical BGP data collected at five-minute intervals from the global routing table. This dataset let them identify distinctive characteristics of malicious actors, which they then used to train a machine-learning model, aimed at preventing IP hijacking, to recognize such behavior automatically.
The system flagged networks exhibiting several key characteristics, particularly concerning the nature of the IP address blocks they utilized:
Distinguishing Genuine Threats from False Alarms
Testart acknowledges that one significant challenge in developing the system was differentiating between actual IP hijacks and events that merely resemble them but result from human error or legitimate network management activities. For instance, network operators might legitimately employ BGP route modifications to defend against distributed denial-of-service attacks inundating their infrastructure with traffic. While this defensive maneuver appears virtually identical to an actual hijack, it serves a legitimate purpose.
Due to this complexity, the research team frequently had to manually intervene to identify false positives, which constituted approximately 20% of the cases flagged by their classifier. Looking ahead, the researchers are optimistic that future iterations will require minimal human supervision and could eventually be deployed in operational environments.
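The passages above describe deriving behavioral features per network from historical routing data, flagging networks with serial-hijacker characteristics, and then weeding out look-alikes such as DDoS-mitigation announcements. The following is an added illustration of that pipeline, not the MIT/UCSD team's code: it computes three assumed features per origin AS (number of prefixes originated, median announcement lifetime, and the fraction of its prefixes that overlap space another AS also originates), applies an illustrative scoring rule, and treats customer-authorized mitigation announcements as consented so they do not count as conflicts. The observation records, AS numbers, prefixes and thresholds are all constructed for the example.

```python
"""Added example (not the researchers' classifier): per-origin-AS features from
a stream of BGP origin observations, with a consent list for authorised
DDoS-mitigation announcements that would otherwise look like hijacks.
All AS numbers, prefixes, dates and thresholds are constructed."""
from collections import defaultdict
from statistics import median
import ipaddress

# Constructed observations: (origin_as, prefix, first_seen_day, last_seen_day)
OBSERVATIONS = [
    (64500, "203.0.113.0/24", 0, 400),      # stable, long-lived origin
    (64500, "198.51.100.0/24", 0, 400),
    (64666, "192.0.2.0/24", 10, 11),        # serial pattern: many short-lived
    (64666, "203.0.113.0/25", 40, 41),      # more-specific of another AS's block
    (64666, "198.51.100.128/25", 90, 92),
    (64666, "100.64.0.0/24", 120, 121),
    (64666, "100.64.77.0/24", 200, 201),
    (64777, "203.0.113.0/24", 300, 302),    # mitigation provider, authorised
    (64777, "198.51.100.0/24", 350, 351),   # by the address holder
]
# (asn, prefix) pairs the address holder has authorised (assumed consent list)
MITIGATION_CONSENT = {(64777, "203.0.113.0/24"), (64777, "198.51.100.0/24")}


def compute_features(observations, consent):
    """Per origin AS: number of prefixes, median announcement lifetime in days,
    and the fraction of its prefixes that overlap address space some other AS
    also originates. Consented (asn, prefix) pairs are not counted as conflicts."""
    nets = [(asn, ipaddress.ip_network(p), last - first + 1, p)
            for asn, p, first, last in observations]
    feats = {}
    for asn in {a for a, *_ in nets}:
        mine = [n for n in nets if n[0] == asn]
        lifetimes = [n[2] for n in mine]
        conflicting = 0
        for _, net, _, pfx in mine:
            if (asn, pfx) in consent:
                continue  # legitimate mitigation on the customer's behalf
            if any(other_as != asn and net.overlaps(other_net)
                   for other_as, other_net, _, _ in nets):
                conflicting += 1
        feats[asn] = {
            "n_prefixes": len(mine),
            "median_lifetime_days": median(lifetimes),
            "conflict_fraction": conflicting / len(mine),
        }
    return feats


def flag_serial_candidates(feats, min_prefixes=2, max_median_days=7, min_conflict=0.3):
    """Illustrative rule (assumed, not the paper's model): repeatedly announcing,
    for short periods, address space that other networks originate."""
    return {asn for asn, f in feats.items()
            if f["n_prefixes"] >= min_prefixes
            and f["median_lifetime_days"] <= max_median_days
            and f["conflict_fraction"] >= min_conflict}


if __name__ == "__main__":
    with_consent = flag_serial_candidates(compute_features(OBSERVATIONS, MITIGATION_CONSENT))
    without = flag_serial_candidates(compute_features(OBSERVATIONS, set()))
    print("flagged with consent list:   ", sorted(with_consent))
    print("flagged without consent list:", sorted(without))
```

Run as written, the long-lived address holder AS64500 is never flagged even though its prefixes are in conflict, the short-lived serial origin AS64666 is flagged either way, and the mitigation provider AS64777 is flagged only when the consent list is dropped, which is the kind of false positive the researchers had to resolve by hand.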
"The authors' findings demonstrate that past behaviors are not being leveraged to restrict malicious activities and prevent subsequent attacks," observes David Plonka, a senior research scientist at Akamai Technologies who was not involved in the research. "One implication of this work is that network operators can adopt a broader perspective, examining global internet routing across years rather than myopically focusing on individual incidents."
As society becomes increasingly dependent on the internet for critical transactions, Testart anticipates that the potential damage from IP hijacking will escalate. However, she remains hopeful that new security measures could mitigate the threat. Notably, major backbone networks like AT&T have recently announced the adoption of Resource Public Key Infrastructure (RPKI), which uses cryptographic certificates so that networks can verify that a route announcement comes from the legitimate holder of the IP addresses it covers.
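Two passages above deserve a concrete illustration: the BGP weakness (a more-specific announcement from an unrelated network is accepted and wins longest-prefix matching, because nothing checks whether the announcer holds the space) and the RPKI remedy just described. The block below is an added example, not code from the researchers or from any backbone operator. It models a tiny routing table with longest-prefix match, classifies each route against Route Origin Authorizations using the RFC 6811 states valid, invalid and not-found, and shows that dropping invalid routes restores the legitimate path. The prefixes, AS numbers and ROAs are constructed.

```python
"""Added illustration (not the MIT/UCSD team's code): why an unverified BGP
announcement wins route selection, and how RPKI route-origin validation
(RFC 6811 semantics) rejects it. All prefixes, ASNs and ROAs are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str          # announced prefix, e.g. "203.0.113.0/24"
    origin_as: int       # AS claiming to originate the prefix
    as_path: Tuple[int, ...]  # path as seen by our router, origin last


@dataclass(frozen=True)
class Roa:
    prefix: str          # address block the holder has signed for
    max_length: int      # longest prefix length the origin may announce
    asn: int             # the authorised origin AS


def rov_state(route: Route, roas: List[Roa]) -> str:
    """Classify a route as 'valid', 'invalid' or 'not-found' per RFC 6811:
    covered by no ROA -> not-found; covered, and some ROA matches the origin AS
    with an acceptable length -> valid; covered but no ROA matches -> invalid."""
    net = ipaddress.ip_network(route.prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not-found"
    for r in covering:
        if r.asn == route.origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def best_route(dest_ip: str, rib: List[Route], roas: Optional[List[Roa]] = None) -> Optional[Route]:
    """Select the route a forwarding table would use for dest_ip: longest matching
    prefix first, shorter AS path as tie-breaker. If roas is given, routes whose
    ROV state is 'invalid' are discarded first (the policy an RPKI-adopting
    network applies); 'not-found' routes are kept, as in common deployments."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = [r for r in rib if ip in ipaddress.ip_network(r.prefix)]
    if roas is not None:
        candidates = [r for r in candidates if rov_state(r, roas) != "invalid"]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -len(r.as_path)))


# Constructed routing table: the legitimate /24 and a more-specific /25 from
# an unrelated AS that the neighbours simply relayed, as BGP lets them.
LEGIT = Route("203.0.113.0/24", 64500, (64501, 64500))
ROGUE = Route("203.0.113.0/25", 64666, (64502, 64666))
UNRELATED = Route("198.51.100.0/24", 64510, (64510,))
RIB = [LEGIT, ROGUE, UNRELATED]

# Constructed ROA: the holder of 203.0.113.0/24 authorises only AS64500,
# and only at /24 (so even a forged-origin /25 would be invalid).
ROAS = [Roa("203.0.113.0/24", 24, 64500)]

if __name__ == "__main__":
    print("without RPKI, traffic to 203.0.113.10 goes to AS",
          best_route("203.0.113.10", RIB).origin_as)
    print("with RPKI origin validation, it goes to AS",
          best_route("203.0.113.10", RIB, ROAS).origin_as)
```

Note the two distinct checks in the ROA match: origin AS and maximum length. A forged announcement that reuses the legitimate origin AS but a longer prefix than the holder authorised is still classified invalid, which is why ROAs are normally signed with a maximum length no longer than what the holder actually announces.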
"This project could effectively complement existing best practices for preventing such abuse, including filtering, antispoofing, coordination via contact databases, and sharing routing policies for validation by other networks," Plonka suggests. "It remains to be seen whether misbehaving networks will continue to manipulate their way to maintaining a good reputation. Nevertheless, this work represents an excellent approach to either validate or redirect the network operator community's efforts to eliminate these present dangers."
The project received support from various sources, including the MIT Internet Policy Research Initiative, the William and Flora Hewlett Foundation, the National Science Foundation, the Department of Homeland Security, and the Air Force Research Laboratory.