TY - GEN
T1 - Malicious BGP hijacks: Appearances can be deceiving
AU - Vervier, Pierre Antoine
AU - Jacquemart, Quentin
AU - Schlamp, Johann
AU - Thonnard, Olivier
AU - Carle, Georg
AU - Urvoy-Keller, Guillaume
AU - Biersack, Ernst
AU - Dacier, Marc
N1 - Generated from Scopus record by KAUST IRTS on 2022-09-12
PY - 2014/1/1
Y1 - 2014/1/1
N2 - BGP hijacking is a well-known threat to the Internet routing infrastructure. There has been considerable interest in developing tools that detect prefix hijacking, but such systems usually report a large number of events, many of them caused by benign BGP engineering practices or misconfiguration. Ramachandran et al. [1] and later Hu et al. [2] also correlated suspicious routing events with spam and claimed to have found evidence of spammers temporarily stealing prefixes to send spam. To study, at large scale, the existence and prevalence of malicious BGP hijacks in the Internet, we developed a system that (i) identifies hijacks using BGP, traceroute and IRR data and (ii) investigates traffic originating from the reported networks using spam and netflow data. In this paper we present a real case in which suspicious BGP announcements coincided with spam and web scam traffic from the corresponding networks. Through this case study we show that a correlation of suspicious routing events with malicious activities is insufficient to establish that a harmful BGP hijack took place. We thus question previously reported cases and conclude that identifying malicious BGP hijacks requires additional data sources as well as feedback from network owners in order to reach decisive conclusions. © 2014 IEEE.
AB - BGP hijacking is a well-known threat to the Internet routing infrastructure. There has been considerable interest in developing tools that detect prefix hijacking, but such systems usually report a large number of events, many of them caused by benign BGP engineering practices or misconfiguration. Ramachandran et al. [1] and later Hu et al. [2] also correlated suspicious routing events with spam and claimed to have found evidence of spammers temporarily stealing prefixes to send spam. To study, at large scale, the existence and prevalence of malicious BGP hijacks in the Internet, we developed a system that (i) identifies hijacks using BGP, traceroute and IRR data and (ii) investigates traffic originating from the reported networks using spam and netflow data. In this paper we present a real case in which suspicious BGP announcements coincided with spam and web scam traffic from the corresponding networks. Through this case study we show that a correlation of suspicious routing events with malicious activities is insufficient to establish that a harmful BGP hijack took place. We thus question previously reported cases and conclude that identifying malicious BGP hijacks requires additional data sources as well as feedback from network owners in order to reach decisive conclusions. © 2014 IEEE.
UR - http://ieeexplore.ieee.org/document/6883431/
UR - http://www.scopus.com/inward/record.url?scp=84906996386&partnerID=8YFLogxK
U2 - 10.1109/ICC.2014.6883431
DO - 10.1109/ICC.2014.6883431
M3 - Conference contribution
SN - 9781479920037
SP - 884
EP - 889
BT - 2014 IEEE International Conference on Communications, ICC 2014
PB - IEEE
ER -
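The abstract sketches a two-stage pipeline (flag announcements whose origin AS disagrees with IRR route objects, then look at spam from the announced space) and argues that the second stage alone cannot prove a malicious hijack. The Python below is an added illustration of that argument, not the authors' system or code: it runs the IRR origin check, correlates spam hits with the announcement window, and only labels an event a malicious hijack once the prefix owner has confirmed the origin was unauthorized. All prefixes (documentation ranges), AS numbers (private range), timestamps, spam hits and the owner-feedback table are constructed for the example; the labels returned by classify() are this example's own, not the paper's terminology.

```python
"""Toy hijack triage: IRR origin check + spam correlation + owner feedback.
All data is constructed for illustration (RFC 5737 prefixes, private ASNs)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_as: int
    t: int  # minutes into the observation window (constructed clock)


@dataclass(frozen=True)
class RouteObject:
    prefix: str     # IRR "route:" attribute
    origin_as: int  # IRR "origin:" attribute


@dataclass(frozen=True)
class SpamHit:
    source_ip: str
    t: int


def irr_authorized_origins(irr, prefix):
    """Origin ASes of every route object that covers the prefix (exact or less specific)."""
    net = ip_network(prefix)
    return {
        r.origin_as
        for r in irr
        if ip_network(r.prefix).version == net.version
        and ip_network(r.prefix).supernet_of(net)
    }


def suspicious_announcements(announcements, irr):
    """Stage (i): announcements whose origin AS no covering IRR route object authorizes."""
    return [a for a in announcements
            if a.origin_as not in irr_authorized_origins(irr, a.prefix)]


def spam_during(announcement, spam, window=60):
    """Stage (ii): spam sourced from the announced prefix while the route was visible."""
    net = ip_network(announcement.prefix)
    return [s for s in spam
            if ip_address(s.source_ip) in net
            and announcement.t <= s.t <= announcement.t + window]


def classify(announcement, irr, spam, owner_feedback):
    """owner_feedback maps prefix -> set of origin ASes the owner confirmed as legitimate;
    a missing entry means the owner never answered (the common case in practice).
    Returns one of: benign, inconclusive, hijack-unknown-intent, malicious-hijack."""
    if announcement.origin_as in irr_authorized_origins(irr, announcement.prefix):
        return "benign"  # IRR agrees with the announcement; nothing to investigate
    hits = spam_during(announcement, spam)
    confirmed = owner_feedback.get(announcement.prefix)
    if confirmed is None:
        # Suspicious route plus spam is exactly the pattern the paper warns about:
        # without ground truth from the owner it stays inconclusive.
        return "inconclusive"
    if announcement.origin_as in confirmed:
        # Owner says the origin was legitimate (e.g. an undocumented reassignment
        # or new upstream) even though IRR was stale and the space emitted spam.
        return "benign"
    return "malicious-hijack" if hits else "hijack-unknown-intent"


# Constructed data set.
IRR = [RouteObject("192.0.2.0/24", 64500),
       RouteObject("198.51.100.0/24", 64501),
       RouteObject("203.0.113.0/24", 64502)]

A_LEGIT = Announcement("192.0.2.0/24", 64500, 0)        # matches IRR
A_DECEIVING = Announcement("192.0.2.0/24", 64510, 120)  # IRR mismatch, spam, but authorized
A_HIJACK = Announcement("198.51.100.0/24", 64520, 200)  # IRR mismatch, spam, owner denies
A_NOANSWER = Announcement("203.0.113.0/24", 64530, 300) # IRR mismatch, spam, no owner reply
A_MORESPECIFIC = Announcement("192.0.2.128/25", 64500, 400)  # covered by the /24 route object
ANNOUNCEMENTS = [A_LEGIT, A_DECEIVING, A_HIJACK, A_NOANSWER, A_MORESPECIFIC]

SPAM = [SpamHit("192.0.2.77", 130), SpamHit("198.51.100.9", 210), SpamHit("203.0.113.5", 310)]

OWNER_FEEDBACK = {
    "192.0.2.0/24": {64500, 64510},  # owner confirms AS64510 was allowed to originate
    "198.51.100.0/24": {64501},      # owner confirms AS64520 was not
}


def triage_all():
    return {a.origin_as: classify(a, IRR, SPAM, OWNER_FEEDBACK) for a in ANNOUNCEMENTS}


if __name__ == "__main__":
    for asn, verdict in triage_all().items():
        print(f"origin AS{asn}: {verdict}")
```

The deceiving case (AS64510) is the one the abstract describes: it trips the IRR check and coincides with spam, yet owner feedback makes it benign, so a pipeline that stops at stage (ii) would have reported a false malicious hijack. The no-answer case shows why most such events must stay inconclusive.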