Source: pages.cs.wisc.edu/~ms/files/VizSec-2016_slides.pdf (VizSec 2016 slides)
Bigfoot: A Geo-based Visualization Methodology for Detecting BGP Threats
Meenakshi Syamkumar*, Ramakrishnan Durairajan*, Paul Barford*+
*University of Wisconsin-Madison +comScore, Inc.
Motivation
• The enormous volume and diversity of BGP updates make network operations and the detection of unwanted behavior difficult
• Graphical visualization is a well-known method for assessing complex datasets
• Prior visualization methods for BGP focus on AS topologies identified through AS path structure
• Bigfoot's goals:
  • Can consistent visualizations be created to represent the geographic footprint of network prefixes?
  • Can such visualizations be used to detect security threats like prefix hijacks and man-in-the-middle attacks?
Primer on BGP
• BGP enables transmission of reachability information between Autonomous Systems (ASes)

[Figure: three ASes in a chain. AS 1 originates 1.0.0.0/24 and 2.0.0.0/16; AS 2 (3.0.0.0/24) and AS 3 (4.0.0.0/24) learn those prefixes through BGP updates, each AS prepending its own number to the AS path as it re-advertises the route.]

BGP updates (in bgpdump's text format, in the order they were generated):

TIME: 10/01/16 00:00:00 TYPE: BGP4MP/MESSAGE/Update FROM: 2.0.0.100 AS1 TO: 3.0.0.101 AS2 ORIGIN: IGP ASPATH: 1 NEXT_HOP: 2.0.0.100 ANNOUNCE 1.0.0.0/24 2.0.0.0/16
TIME: 10/01/16 00:01:00 TYPE: BGP4MP/MESSAGE/Update FROM: 3.0.0.101 AS2 TO: 4.0.0.102 AS3 ORIGIN: IGP ASPATH: 2 1 NEXT_HOP: 3.0.0.101 ANNOUNCE 1.0.0.0/24 2.0.0.0/16
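A parser for update records in this text format, as an added example; it is not code from the slides or from Bigfoot. The sample input is constructed: it is the two updates above laid out the way bgpdump prints them (one attribute per line, prefixes indented under ANNOUNCE or WITHDRAW, records separated by a blank line), plus a third withdrawal-only record that is not on the slide and exists only to exercise that branch. AS_SET segments are deliberately rejected rather than mis-parsed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in bgpdump's multi-line layout (see lead-in).
SAMPLE_DUMP = """\
TIME: 10/01/16 00:00:00
TYPE: BGP4MP/MESSAGE/Update
FROM: 2.0.0.100 AS1
TO: 3.0.0.101 AS2
ORIGIN: IGP
ASPATH: 1
NEXT_HOP: 2.0.0.100
ANNOUNCE
  1.0.0.0/24
  2.0.0.0/16

TIME: 10/01/16 00:01:00
TYPE: BGP4MP/MESSAGE/Update
FROM: 3.0.0.101 AS2
TO: 4.0.0.102 AS3
ORIGIN: IGP
ASPATH: 2 1
NEXT_HOP: 3.0.0.101
ANNOUNCE
  1.0.0.0/24
  2.0.0.0/16

TIME: 10/01/16 00:05:00
TYPE: BGP4MP/MESSAGE/Update
FROM: 3.0.0.101 AS2
TO: 4.0.0.102 AS3
WITHDRAW
  2.0.0.0/16
"""


@dataclass
class Update:
    time: str
    from_ip: str
    from_as: int
    to_ip: str
    to_as: int
    aspath: list                      # ASNs, nearest neighbour first, origin last
    announce: list = field(default_factory=list)
    withdraw: list = field(default_factory=list)

    @property
    def origin_as(self):
        """Origin AS is the last ASN of the path; None for a pure withdrawal."""
        return self.aspath[-1] if self.aspath else None


_PEER = re.compile(r"^(\S+) AS(\d+)$")   # "2.0.0.100 AS1" -> (ip, asn)


def parse_bgpdump(text):
    """Parse bgpdump verbose output into Update objects.

    Only BGP4MP Update messages are returned; other record types (state
    changes, table dumps) are skipped rather than guessed at.
    """
    updates = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, section = {}, None
        prefixes = {"ANNOUNCE": [], "WITHDRAW": []}
        for line in block.splitlines():
            if line.startswith(" "):           # indented: a prefix under ANNOUNCE/WITHDRAW
                if section:
                    prefixes[section].append(line.strip())
                continue
            key, _, value = line.partition(":")  # split on the first colon only (TIME has more)
            key, value = key.strip(), value.strip()
            if key in prefixes:                # bare "ANNOUNCE" / "WITHDRAW" header line
                section = key
            else:
                section = None
                fields[key] = value
        if fields.get("TYPE") != "BGP4MP/MESSAGE/Update":
            continue
        if "{" in fields.get("ASPATH", ""):
            raise ValueError("AS_SET segments are not handled in this example")
        frm, to = _PEER.match(fields["FROM"]), _PEER.match(fields["TO"])
        aspath = [int(asn) for asn in fields.get("ASPATH", "").split()]
        updates.append(Update(fields["TIME"], frm.group(1), int(frm.group(2)),
                              to.group(1), int(to.group(2)), aspath,
                              prefixes["ANNOUNCE"], prefixes["WITHDRAW"]))
    return updates


if __name__ == "__main__":
    for u in parse_bgpdump(SAMPLE_DUMP):
        print(u.time, f"AS{u.from_as}->AS{u.to_as}", "path", u.aspath,
              "announce", u.announce, "withdraw", u.withdraw)
```

The origin AS (last element of ASPATH) and the announced prefixes are the two fields the rest of the deck keys on: origin per prefix for MOAS conflicts, and prefix lists per path for building footprints.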
Network footprint visualization
Pipeline:
• Network prefix
• Geolocate a percentage (p) of its IP addresses
• Project the geopositions onto a map
• Enclose the projected points in 2-D polygons

• Geolocation has traditionally been applied to individual IP addresses
• Can we obtain meaningful visualizations by considering the geo-footprint of an entire network prefix?
Naïve network footprint visualizations
Footprint of Fairpoint Communications (AS 32645, 216.227.0.0/16)
[Figure: three polygons drawn from the same geolocated points by connecting them unsorted, latitude-sorted, and longitude-sorted]
Bigfoot methodology
Pipeline:
• Network prefix
• Geolocate a percentage (p) of its IP addresses
• Outlier elimination based on inter-point Vincenty distances
• Generate consistent 2-D polygons using convex hull estimation or alpha shape creation
• Generate shapefiles (.shp, .shx, .dbf, .cpg)
• Project the visualizations in the ArcGIS-based Bigfoot Visualizer
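The outlier-elimination and convex-hull steps of the pipeline above, as an added example; this is not Bigfoot's code, which the slides do not show. The Vincenty inverse formula is the standard WGS-84 geodesic computation. The following are this example's own assumptions: the outlier rule (drop a point whose median distance to the other points exceeds a threshold, 500 km by default), the constructed sample of geolocated addresses for a hypothetical Wisconsin /24 with one stray Frankfurt geolocation, and the hull computed by Andrew's monotone chain in the (lon, lat) plane. Alpha shapes and shapefile output are not covered.

```python
import math
from statistics import median

# Constructed sample (lat, lon): six Wisconsin geolocations for a hypothetical /24
# plus one geolocation error in Frankfurt that the outlier filter should drop.
SAMPLE_GEO = [
    (43.0731, -89.4012),  # Madison
    (43.0389, -87.9065),  # Milwaukee
    (44.5133, -88.0133),  # Green Bay
    (44.8113, -91.4985),  # Eau Claire
    (43.8014, -91.2396),  # La Crosse
    (42.9959, -89.5293),  # Verona
    (50.1109, 8.6821),    # Frankfurt: a geolocation error
]


def vincenty_km(lat1, lon1, lat2, lon2, max_iter=200, tol=1e-12):
    """Geodesic distance in km on the WGS-84 ellipsoid (Vincenty inverse formula)."""
    a, f = 6378137.0, 1 / 298.257223563
    b = (1 - f) * a
    u1 = math.atan((1 - f) * math.tan(math.radians(lat1)))   # reduced latitudes
    u2 = math.atan((1 - f) * math.tan(math.radians(lat2)))
    big_l = math.radians(lon2 - lon1)
    sin_u1, cos_u1, sin_u2, cos_u2 = math.sin(u1), math.cos(u1), math.sin(u2), math.cos(u2)
    lam = big_l
    for _ in range(max_iter):
        sin_lam, cos_lam = math.sin(lam), math.cos(lam)
        sin_sigma = math.hypot(cos_u2 * sin_lam, cos_u1 * sin_u2 - sin_u1 * cos_u2 * cos_lam)
        if sin_sigma == 0.0:
            return 0.0                                       # coincident points
        cos_sigma = sin_u1 * sin_u2 + cos_u1 * cos_u2 * cos_lam
        sigma = math.atan2(sin_sigma, cos_sigma)
        sin_alpha = cos_u1 * cos_u2 * sin_lam / sin_sigma
        cos2_alpha = 1.0 - sin_alpha ** 2
        # cos2_alpha == 0 is an equatorial line; the term below is then 0 by convention
        cos_2sm = cos_sigma - 2.0 * sin_u1 * sin_u2 / cos2_alpha if cos2_alpha else 0.0
        c = f / 16.0 * cos2_alpha * (4.0 + f * (4.0 - 3.0 * cos2_alpha))
        lam_prev = lam
        lam = big_l + (1.0 - c) * f * sin_alpha * (
            sigma + c * sin_sigma * (cos_2sm + c * cos_sigma * (-1.0 + 2.0 * cos_2sm ** 2)))
        if abs(lam - lam_prev) < tol:
            break
    else:
        raise ValueError("Vincenty iteration did not converge (near-antipodal points)")
    usq = cos2_alpha * (a * a - b * b) / (b * b)
    big_a = 1.0 + usq / 16384.0 * (4096.0 + usq * (-768.0 + usq * (320.0 - 175.0 * usq)))
    big_b = usq / 1024.0 * (256.0 + usq * (-128.0 + usq * (74.0 - 47.0 * usq)))
    d_sigma = big_b * sin_sigma * (cos_2sm + big_b / 4.0 * (
        cos_sigma * (-1.0 + 2.0 * cos_2sm ** 2)
        - big_b / 6.0 * cos_2sm * (-3.0 + 4.0 * sin_sigma ** 2) * (-3.0 + 4.0 * cos_2sm ** 2)))
    return b * big_a * (sigma - d_sigma) / 1000.0


def drop_outliers(points, max_median_km=500.0):
    """Keep a point only if its median Vincenty distance to the other points is at
    most max_median_km. The median rule and the 500 km default are assumptions of
    this example; the slides only say the step uses inter-point Vincenty distances."""
    kept = []
    for i, (lat, lon) in enumerate(points):
        others = [vincenty_km(lat, lon, la, lo) for j, (la, lo) in enumerate(points) if j != i]
        if not others or median(others) <= max_median_km:
            kept.append((lat, lon))
    return kept


def convex_hull(points):
    """Andrew's monotone chain with (lon, lat) treated as planar coordinates.
    Returns hull vertices counter-clockwise as (lat, lon). The planar treatment is
    fine for regional footprints, not for ones crossing the antimeridian or a pole."""
    pts = sorted(set((lon, lat) for lat, lon in points))
    if len(pts) < 3:
        return [(lat, lon) for lon, lat in pts]

    def cross(o, p, q):   # z-component of (p - o) x (q - o); > 0 means a left turn
        return (p[0] - o[0]) * (q[1] - o[1]) - (p[1] - o[1]) * (q[0] - o[0])

    lower, upper = [], []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return [(lat, lon) for lon, lat in lower[:-1] + upper[:-1]]


def footprint(points, max_median_km=500.0):
    """Bigfoot-style footprint: outlier removal, then the convex hull of the rest."""
    return convex_hull(drop_outliers(points, max_median_km))


if __name__ == "__main__":
    print(footprint(SAMPLE_GEO))
```

Without the outlier step the single Frankfurt point would stretch the hull across the Atlantic, which is exactly the kind of inconsistent polygon the naïve visualizations produce; geolocation databases mis-place a small fraction of addresses, so some filter of this kind is needed before any polygon comparison is meaningful.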
Bigfoot visualizations
[Figure: footprints of XO Communications (AS2828 and AS7014)]
[Figure: footprint of Syringa Networks (AS15305)]
BGP security threats
BGP is susceptible to misconfigurations and malicious attacks like:
• Multiple Origin AS (MOAS) conflict [Zhao et al., ACM SIGCOMM Workshop on Internet Measurement, 2001]
• Man-in-the-middle attack [Ornaghi et al., Blackhat Conference, 2003]
• Routing leak [Mahajan et al., ACM SIGCOMM Computer Communication Review, 2002]
• De-aggregation attacks [Nordström et al., ACM SIGCOMM Computer Communication Review, 2004]
• Contradictory advertisements [Nordström et al., ACM SIGCOMM Computer Communication Review, 2004]
• Origin and export misconfigurations [Mahajan et al., ACM SIGCOMM Computer Communication Review, 2002]
BGP MOAS conflict
[Figure: AS 1 (victim AS) originates 1.0.0.0/16; AS 4 (attacker) originates the same prefix; AS 2, AS 3 and AS 5 are intermediate ASes. Announcements shown, with the origin AS last in the path:]
• ANNOUNCE 1.0.0.0/16 AS1 (from the victim)
• ANNOUNCE 1.0.0.0/16 AS2 AS1 (AS 2 re-advertising the victim's route)
• ANNOUNCE 1.0.0.0/16 AS4 (from the attacker)
• ANNOUNCE 1.0.0.0/16 AS3 AS4 (AS 3 re-advertising the attacker's route)
The same prefix is now seen with two origin ASes, AS 1 and AS 4: a MOAS conflict.
BGP man-in-the-middle attacks
[Figure: AS 1 (victim AS) originates 1.0.0.0/16; AS 5 is the attacker; AS 2, AS 3, AS 4 and AS 6 are intermediate ASes.]
Legitimate announcements of the victim prefix:
• ANNOUNCE 1.0.0.0/16 AS1
• ANNOUNCE 1.0.0.0/16 AS2 AS1
• ANNOUNCE 1.0.0.0/16 AS3 AS2 AS1
Attacker AS 5 announces the two /24 more-specifics of the victim's /16, keeping the legitimate path and origin behind itself:
• ANNOUNCE 1.0.0.0/24 AS5 AS3 AS2 AS1
• ANNOUNCE 1.0.1.0/24 AS5 AS3 AS2 AS1
AS 4 propagates them on to AS 6:
• ANNOUNCE 1.0.0.0/24 AS4 AS5 AS3 AS2 AS1
• ANNOUNCE 1.0.1.0/24 AS4 AS5 AS3 AS2 AS1
Because longest-prefix matching prefers the /24 routes over the victim's /16, traffic from AS 4 and AS 6 is pulled through AS 5, which still holds the original /16 route via AS 3 and can forward the traffic on to AS 1.
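A route monitor that raises the two alerts these two figures (MOAS conflict and sub-prefix man-in-the-middle) call for, as an added example; it is not the Bigfoot detector, which works on geographic footprints rather than on the paths alone. The input is constructed from the announcements drawn on the figures, written as "prefix path" with the origin AS last, plus one extra line not on the slides (a /24 originated by an AS 6 that has no relation to the victim) to show the classic sub-prefix hijack case. The detection rules are this example's assumptions: a MOAS alert when a known prefix gains a new origin, and a sub-prefix alert when a more-specific of a known prefix carries an AS never seen on the covering prefix's paths. A real deployment would additionally check the origin against RPKI ROAs.

```python
import ipaddress

# Constructed input (see lead-in). Legitimate routes seen before the attack:
BASELINE = [
    "1.0.0.0/16 1",
    "1.0.0.0/16 2 1",
    "1.0.0.0/16 3 2 1",
]
# Updates observed afterwards, in order:
OBSERVED = [
    "1.0.0.0/16 4",            # MOAS figure: attacker AS 4 originates the victim prefix
    "1.0.0.0/16 3 4",          # AS 3 re-advertises the attacker's route
    "1.0.0.0/24 5 3 2 1",      # MITM figure: AS 5 announces the more-specifics
    "1.0.1.0/24 5 3 2 1",      # with the legitimate origin kept at the end
    "1.0.0.0/24 4 5 3 2 1",    # AS 4 propagates them
    "1.0.1.0/24 4 5 3 2 1",
    "1.0.0.0/16 3 2 1",        # legitimate route seen again: no alert
    "1.0.2.0/24 6",            # not on the slides: classic sub-prefix hijack by AS 6
]


def parse(line):
    """'1.0.0.0/24 5 3 2 1' -> (IPv4Network, (5, 3, 2, 1))."""
    prefix, *path = line.split()
    return ipaddress.ip_network(prefix), tuple(int(asn) for asn in path)


class RouteMonitor:
    """Tracks, per prefix, the origin ASes and every AS seen on its paths."""

    def __init__(self, baseline):
        self.origins = {}   # prefix -> set of origin ASNs
        self.ases = {}      # prefix -> set of ASNs seen anywhere on its paths
        for line in baseline:
            self._learn(*parse(line))

    def _learn(self, prefix, path):
        self.origins.setdefault(prefix, set()).add(path[-1])
        self.ases.setdefault(prefix, set()).update(path)

    def covering(self, prefix):
        """Known prefixes that strictly contain `prefix` (its less-specifics)."""
        return [p for p in self.origins
                if p != prefix and p.version == prefix.version and prefix.subnet_of(p)]

    def observe(self, line):
        """Return a list of (kind, prefix, asns) alerts for one announcement, then learn it."""
        prefix, path = parse(line)
        origin = path[-1]
        alerts = []
        if prefix in self.origins and origin not in self.origins[prefix]:
            alerts.append(("MOAS", str(prefix), sorted(self.origins[prefix] | {origin})))
        for less in self.covering(prefix):
            # ASes on this path that the covering prefix never used, and that this
            # sub-prefix has not already been reported with (suppresses repeats).
            new_ases = set(path) - self.ases[less] - self.ases.get(prefix, set())
            if new_ases:
                kind = ("SUBPREFIX-KEPT-ORIGIN" if origin in self.origins[less]
                        else "SUBPREFIX-NEW-ORIGIN")
                alerts.append((kind, str(prefix), sorted(new_ases)))
        self._learn(prefix, path)
        return alerts


def run(baseline=BASELINE, observed=OBSERVED):
    monitor = RouteMonitor(baseline)
    alerts = []
    for line in observed:
        alerts.extend(monitor.observe(line))
    return alerts


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

The "KEPT-ORIGIN" case is the one that defeats origin-only checks: the origin AS is the legitimate one, so the announcement passes any filter that only compares the last AS in the path, and the tell is the new AS inserted near the front of the path together with the more-specific prefix length.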
Bigfoot anomaly detector
• Select a "timeOfInterest" for anomaly detection in the BGP update stream
• Establish a baseline for "normal" behavior:
  • Select updates from the previous k days
  • Aggregate announced subnets based on ASPATH
  • Generate the Bigfoot visualizations for the networks
• For every update in the timeOfInterest, decide whether it is anomalous by thresholding
• Thresholding is done by performing:
  • Comparison operations on the polygons: equals and/or contains comparisons
  • Comparison of the number of polygons and of the area of the polygons
  • Comparison of the geographic coverage of the polygons
Bigfoot anomaly detector
For every update in the "timeOfInterest", decide whether it is anomalous by thresholding:
• Compare the ASPATH with the baseline information. If the ASPATH is a previously observed path:
  • Generate the polygons for the networks in the current update
  • Perform the comparison operations with "perfect mismatch" as the threshold
  • On a mismatch, look up the Prefix2AS dataset to filter out changes caused by network expansion
  • The remaining networks are classified as victims of attacks
• If the ASPATH is a previously unobserved path:
  • Identify the closest matching ASPATH in the baseline
  • Perform the comparison operations with "perfect match" as the threshold
  • Matched polygons correspond to networks that are victims of a hijack
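The polygon comparisons and the two thresholding branches above, as an added example rather than the Bigfoot detector's own code. Assumed here: polygons are convex (lat, lon) vertex lists of the kind a convex hull produces; "contains" means every vertex of the current polygon lies inside the baseline polygon; "equals" means the same vertex set within a small tolerance; the closest baseline ASPATH is the one sharing the longest origin-side suffix with the new path; and a set of (prefix, origin AS) pairs stands in for the Prefix2AS lookup. The baseline polygon, the per-update polygons and the prefixes are constructed. The area is computed on an equirectangular projection and is only an approximation for regional footprints.

```python
import math

# Constructed polygons as (lat, lon) vertex lists. WISCONSIN stands in for the
# baseline footprint of 1.0.0.0/16 on ASPATH "3 2 1"; INNER_WI lies inside it;
# GERMANY is far from it.
WISCONSIN = [(44.8113, -91.4985), (43.8014, -91.2396), (42.9959, -89.5293),
             (43.0389, -87.9065), (44.5133, -88.0133)]
INNER_WI = [(43.7, -90.3), (43.5, -89.0), (44.2, -89.5)]
GERMANY = [(50.0, 8.0), (50.0, 9.0), (51.0, 8.5)]

BASELINE = {(3, 2, 1): WISCONSIN}   # ASPATH tuple -> polygon learned from the previous k days
PREFIX2AS = {("1.2.0.0/16", 1)}     # constructed stand-in for the Prefix2AS lookup
UPDATES = [                          # (prefix, ASPATH, polygon of the announced networks)
    ("1.0.0.0/16", (3, 2, 1), INNER_WI),     # known path, footprint inside baseline
    ("1.0.0.0/16", (3, 2, 1), GERMANY),      # known path, footprint moved: victim
    ("1.2.0.0/16", (3, 2, 1), GERMANY),      # known path, but documented expansion
    ("1.0.0.0/24", (5, 3, 2, 1), INNER_WI),  # new path, old footprint: hijack victim
    ("9.9.0.0/16", (7, 8, 9), GERMANY),      # new path, unrelated footprint
]


def polygon_area_km2(poly):
    """Shoelace area on an equirectangular projection centred on the mean latitude."""
    if len(poly) < 3:
        return 0.0
    km_per_deg = 111.32
    lat0 = sum(lat for lat, _ in poly) / len(poly)
    pts = [(lon * math.cos(math.radians(lat0)) * km_per_deg, lat * km_per_deg) for lat, lon in poly]
    twice = sum(x1 * y2 - x2 * y1 for (x1, y1), (x2, y2) in zip(pts, pts[1:] + pts[:1]))
    return abs(twice) / 2.0


def point_in_polygon(pt, poly):
    """Ray casting in the (lon, lat) plane; a vertex counts as inside."""
    if pt in poly:
        return True
    lat, lon = pt
    inside = False
    for (lat1, lon1), (lat2, lon2) in zip(poly, poly[1:] + poly[:1]):
        if (lat1 > lat) != (lat2 > lat):                       # edge straddles the ray's latitude
            x = lon1 + (lat - lat1) * (lon2 - lon1) / (lat2 - lat1)
            if lon < x:                                        # crossing lies east of the point
                inside = not inside
    return inside


def contains(outer, inner):
    """True if every vertex of `inner` is inside `outer` (sufficient for convex `outer`)."""
    return all(point_in_polygon(p, outer) for p in inner)


def equals(a, b, tol_deg=0.01):
    """Same vertex set, order-independent, up to tol_deg in each coordinate."""
    return len(a) == len(b) and all(
        any(abs(la - lb) <= tol_deg and abs(oa - ob) <= tol_deg for lb, ob in b) for la, oa in a)


def closest_path(path, known_paths):
    """Baseline path sharing the longest origin-side suffix with `path` (assumption:
    the origin end is what a hijacker is least likely to change)."""
    def suffix_len(p, q):
        n = 0
        for x, y in zip(reversed(p), reversed(q)):
            if x != y:
                break
            n += 1
        return n
    return max(known_paths, key=lambda q: suffix_len(path, q))


def classify_update(prefix, path, current_poly, baseline=BASELINE, prefix2as=PREFIX2AS):
    """Apply the two thresholding branches; returns a verdict string."""
    if path in baseline:                                   # previously observed ASPATH
        ref = baseline[path]
        if equals(ref, current_poly) or contains(ref, current_poly):
            return "normal"
        # perfect mismatch: the prefix now geolocates where this path never reached
        return "expansion" if (prefix, path[-1]) in prefix2as else "victim"
    ref = baseline[closest_path(path, list(baseline))]     # previously unobserved ASPATH
    if equals(ref, current_poly) or contains(ref, current_poly):
        return "hijack-victim"                             # known footprint, unknown path
    return "unknown-path"


def run(updates=UPDATES):
    return [(prefix, classify_update(prefix, path, poly)) for prefix, path, poly in updates]


if __name__ == "__main__":
    for prefix, verdict in run():
        print(prefix, verdict)
```

The area and vertex-count functions give the "number of polygons / area" comparisons a numeric form: a current polygon whose area is a small fraction of the baseline's while still being contained is a shrink (consistent with a more-specific announcement), whereas one that is neither contained nor comparable in area is the "perfect mismatch" case.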
Bigfoot evaluation
BGP archive datasets evaluated:
• February 2013 to July 2013 (D1)
• January 2015 to June 2015 (D2)
Candidate anomalous events detected:
• In D1: 73 events
• In D2: 66 events
Applications of Bigfoot: BGP routing leak attack
China Telecom (AS4134) leaked several routes from Vimpelcom (AS3216)
[Figure caption: Normal routes from Vimpelcom (AS3216)]
Applications of Bigfoot: BGP redirection attack
Belarusian ISP GlobalOneBel (AS28849) hijacked traffic from multiple networks
[Figure caption: Normal operations of victim networks]
Applications of Bigfoot: BGP man-in-the-middle attack
Síminn (AS 6677), the ISP of Icelandic provider Opin Kerfi, hijacked traffic from multiple networks
[Figure caption: Normal operations of victim networks]
Classification using meta-information
Three classes based on the type of anomaly:
• C1A: the hijacking AS inserts itself into the AS path, or replaces one or more of the ASes in it
• C1B: the prefixes announced in the update form an entirely new AS path
• C1C: the prefixes announced in the update belong to a different address registry

Events per class and dataset:
Class   D1   D2
C1A     25   23
C1B     44   41
C1C      9    7
Classification using geography
Three classes based on the extent of geographic impact:
• C2A: anomalies distributed across different continents
• C2B: anomalies spread across different countries within the same continent
• C2C: regional anomalies, where the prefixes are geolocated to different regions of the same country

Events per class and dataset:
Class   D1   D2
C2A     36   26
C2B     31   37
C2C      6    3
Conclusions
• Convex hulls and alpha shapes enable the creation of consistent visualizations of network footprints
• Bigfoot's visualizations enable identification of key operational events in large-volume BGP datasets
• Future work:
  • Expand Bigfoot's applicability to broader security scenarios and operational misconfigurations
  • Analyze the potential of network footprint visualization for network planning and risk assessment
  • Reach out to network operators to validate the events that lack ground-truth information
  • Analyze how the visualizations vary with the percentage of IP addresses geolocated
Bigfoot is available as part of Internet Atlas (http://internetatlas.org/)
Questions?