Malicious address blocks don’t hang around…
MIT researchers say they have identified “serial” Border Gateway Protocol (BGP) hijackers using a machine learning model that successfully identified 800 suspicious networks, including some that had been hijacking traffic for years.
The team fed their algorithm several years’ worth of data, including network operator mailing lists and historical BGP routing data. The result, they say, is a machine learning model capable of identifying malicious networks.
Using data from the global routing table, they identified key characteristics that signal when an attacker is routing traffic through a network under their control in order to gather intelligence or steal credentials. One indicator is the presence of address blocks registered in multiple countries: legitimate networks rarely originate foreign address space, whereas hijackers are not bound by borders and draw on blocks from different regions.
The machine learning model focuses on a key part of the internet’s software infrastructure, the Border Gateway Protocol (BGP).
Hackers routinely exploit this routing mechanism, which establishes connections between different parts of the internet. A threat actor can take advantage of these gateways by tricking nearby networks into believing that the best path to send a packet to an address is through a network under their control.
The researchers found that when hackers run IP hijacking campaigns they tend to use multiple address blocks (network prefixes), so several address blocks traced back to a similar source is a sign that a hacker is behind them.
The time that blocks stay online is another key indicator of suspicious activity: the average time a block is active on a legitimate network is two years, while malicious address blocks on average disappear after 50 days.
Cecilia Testart, a graduate student at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) and lead author of the research, commented in a blog post that: “Network operators normally have to handle such incidents reactively and on a case-by-case basis, making it easy for cybercriminals to continue to thrive.
“This is a key first step in being able to shed light on serial hijackers’ behavior and proactively defend against their attacks.”
Border Gateway Protocol Hijacking
The machine learning model is far from perfect and needs human supervision, because network operators and cyber security experts often use BGP themselves to mitigate attacks.
For instance, if a firm is the target of a distributed denial-of-service attack, one way to handle it is to redirect the onslaught of incoming traffic away from the website by manipulating BGP announcements. Unfortunately, in routing data this action is nearly indistinguishable from what a threat actor would do.
As a result, the researchers had to step in manually to identify false positives, which they say made up approximately 20 percent of the suspicious identifications. They hope to reduce human supervision to a minimum and envisage that the model could soon be used in production environments.
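To make the three signals described above concrete (several prefixes per origin, short prefix lifetimes of about 50 days versus about two years, and address blocks spread across countries), and to show the false-positive class the paragraph above describes, the following is an added example written for this article. It is not the MIT model and not code from the researchers: it scores each origin AS in a constructed routing-table history by how many of the article's signals it exhibits. The prefixes, ASNs, dates and registry countries are constructed (documentation address space and private-use ASNs), and the "country" field stands in for a registry lookup that is assumed to exist.

```python
"""Heuristic scoring of BGP origin ASes along the three signals the
article names: many address blocks (prefixes) per origin, short prefix
lifetimes (about 50 days versus about two years), and address blocks
spread over several countries.  Constructed example, not the MIT model."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class PrefixRecord:
    """One origination seen in a routing-table history.  The country is the
    registry country of the address block; a real pipeline would look it up
    in RIR delegation data (assumed available here)."""
    origin_asn: int
    prefix: str
    country: str
    first_seen: date
    last_seen: date

    def days_active(self) -> int:
        return (self.last_seen - self.first_seen).days


# Constructed sample history using documentation prefixes and private-use
# ASNs (RFC 5737 / RFC 6996); none of these are real observations.
SAMPLE_HISTORY = [
    # AS64500: two long-lived blocks in a single country -> looks legitimate
    PrefixRecord(64500, "192.0.2.0/24", "US", date(2017, 1, 1), date(2019, 1, 1)),
    PrefixRecord(64500, "198.51.100.0/24", "US", date(2016, 6, 1), date(2019, 1, 1)),
    # AS64501: four short-lived blocks from three countries -> serial-hijacker pattern
    PrefixRecord(64501, "203.0.113.0/26", "BR", date(2018, 3, 1), date(2018, 4, 10)),
    PrefixRecord(64501, "203.0.113.64/26", "RU", date(2018, 5, 15), date(2018, 6, 20)),
    PrefixRecord(64501, "203.0.113.128/26", "NL", date(2018, 7, 1), date(2018, 8, 30)),
    PrefixRecord(64501, "203.0.113.192/26", "BR", date(2018, 9, 10), date(2018, 10, 1)),
    # AS64502: a DDoS-mitigation provider briefly originating customers' more-specifics
    # in several countries -> same statistical shape as a hijacker (false positive)
    PrefixRecord(64502, "198.51.100.0/25", "DE", date(2018, 2, 1), date(2018, 2, 4)),
    PrefixRecord(64502, "198.51.100.128/25", "JP", date(2018, 5, 10), date(2018, 5, 12)),
    PrefixRecord(64502, "192.0.2.128/25", "US", date(2018, 11, 1), date(2018, 11, 8)),
]

LEGIT_MEAN_DAYS = 730      # ~2 years, the legitimate average quoted in the article
MALICIOUS_MEAN_DAYS = 50   # the malicious average quoted in the article


def summarize(history):
    """Aggregate per-origin features: distinct prefix count, mean lifetime in
    days, and number of distinct registry countries."""
    by_asn = defaultdict(list)
    for rec in history:
        by_asn[rec.origin_asn].append(rec)
    return {
        asn: {
            "prefix_count": len({r.prefix for r in recs}),
            "mean_days": mean(r.days_active() for r in recs),
            "countries": len({r.country for r in recs}),
        }
        for asn, recs in by_asn.items()
    }


def score(features, min_prefixes=3, max_mean_days=MALICIOUS_MEAN_DAYS, min_countries=3):
    """Count how many of the article's three signals an origin exhibits (0..3)."""
    hits = 0
    if features["prefix_count"] >= min_prefixes:
        hits += 1
    if features["mean_days"] <= max_mean_days:
        hits += 1
    if features["countries"] >= min_countries:
        hits += 1
    return hits


def flag_suspicious(history, threshold=2):
    """Return origin ASNs meeting the threshold, sorted.  These are candidates
    for analyst review, not verdicts: AS64502 above is flagged although it is
    doing legitimate mitigation, which is the false-positive case the article
    describes."""
    return sorted(asn for asn, f in summarize(history).items() if score(f) >= threshold)


if __name__ == "__main__":
    feats = summarize(SAMPLE_HISTORY)
    for asn, f in sorted(feats.items()):
        print(f"AS{asn}: {f['prefix_count']} prefixes, mean {f['mean_days']:.1f} days, "
              f"{f['countries']} countries -> score {score(f)}")
    print("flagged for review:", flag_suspicious(SAMPLE_HISTORY))
```

Run as a script it flags AS64501 and AS64502 and leaves AS64500 alone. The point of keeping AS64502 in the sample is the one the article makes: a mitigation provider announcing customers' more-specific prefixes for a few days in several countries produces the same feature profile as a hijacker, so the output is a review queue for an operator, not a block list.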
David Plonka, a senior research scientist at Akamai Technologies independently commented on MIT’s work, saying: “One implication of this work is that network operators can take a step back and examine global Internet routing across years, rather than just myopically focusing on individual incidents. This project could nicely complement the existing best solutions to prevent such abuse that include filtering, antispoofing, coordination via contact databases, and sharing routing policies so that other networks can validate it.”
“It remains to be seen whether misbehaving networks will continue to be able to game their way to a good reputation. But this work is a great way to either validate or redirect the network operator community’s efforts to put an end to these present dangers.”