LOCK: Locating Countermeasure-Capable Prefix Hijackers
Prefix hijacking is a known security threat on today’s Internet. A number of measurement-based solutions have been proposed to detect prefix hijacking events. In this paper we take these solutions one step further by addressing the problem of locating the attacker in each detected hijacking event. Being able to locate an attacker is critical for deciding, at the earliest possible time, which mitigation mechanisms to invoke to limit the impact of the attack and successfully stop it. We propose a robust scheme named LOCK, LOcating Countermeasure-capable hijacKers, for locating the prefix hijacker ASes based on distributed data-plane Internet measurements. LOCK locates each attacker AS by actively monitoring paths to the victim prefix from a small number of carefully selected monitors distributed on the Internet. More importantly, LOCK is robust against various countermeasures that the hijackers may employ. This is achieved by taking advantage of two observations: that the hijacker cannot manipulate the data-plane path before a packet reaches the hijacker, and that the data-plane paths to the victim prefix “converge” around the hijacker AS. We have deployed LOCK on a number of PlanetLab nodes and conducted several large-scale measurements and experiments to evaluate the performance of LOCK against three sets of hijacking attacks: synthetic attacks, reconstructed previously known attacks, and controlled attacks on the Internet. Our evaluation results show that LOCK is able to pinpoint the prefix hijacker AS with an accuracy of over 90%.
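The two observations above can be illustrated with a small ranking over AS-level paths. This is an added example, not the paper's algorithm or code: the function name `rank_suspects`, the scoring rule (coverage across monitors, ties broken by distance from the monitor) and the sample paths with private-use AS numbers are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: AS-level data-plane paths from four monitors toward
# the victim prefix. AS 64666 plays the hijacker; hops after it stand for
# entries the hijacker could forge, ending in the real origin AS 64999.
# None marks an unresponsive hop.
PATHS = {
    "m1": [64501, 64510, 64666, 64520, 64999],
    "m2": [64502, 64511, 64510, 64666, 64520, 64999],
    "m3": [64503, None, 64512, 64666, 64521, 64999],
    "m4": [64504, 64513, 64512, 64666, 64999],
}


def rank_suspects(paths):
    """Rank ASes as hijacker candidates (assumed heuristic, not LOCK itself).

    Convergence: an AS traversed by more monitor paths ranks higher.
    Trusted prefix: among equally covered ASes, the one closer to the
    monitors ranks higher, because hops reported after the hijacker may be
    manipulated while hops before it cannot be.
    Returns a list of (asn, coverage, mean_hop_index), best candidate first.
    """
    hop_index = defaultdict(list)  # asn -> hop index in each path containing it
    for hops in paths.values():
        seen = set()
        for idx, asn in enumerate(hops):
            if asn is None or asn in seen:  # skip silent hops and repeats
                continue
            seen.add(asn)
            hop_index[asn].append(idx)
    ranked = [(asn, len(ix), sum(ix) / len(ix)) for asn, ix in hop_index.items()]
    ranked.sort(key=lambda r: (-r[1], r[2], r[0]))
    return ranked


if __name__ == "__main__":
    for asn, coverage, mean_idx in rank_suspects(PATHS)[:3]:
        print(f"AS{asn}: on {coverage} monitor paths, mean hop index {mean_idx:.2f}")
```

Both AS 64666 and the origin AS 64999 lie on every path in the sample, so coverage alone cannot separate them; the distance tie-break is what places the convergence point first.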