BGP prefix hijacking is a persistent threat against Internet organisations, attributed to a lack of authorisation and authentication mechanisms in the inter-domain routing system. ARTEMIS (Automatic and Real-Time dEtection and MItigation System) is a defence system against BGP prefix hijacking, which is based on comprehensive, accurate and fast detection operated by the AS itself, and enables flexible and fast mitigation of hijacking events.
In 2017 alone, thousands of routing incidents caused costly outages and interception of information, while the exact extent of the problem is unknown. Despite numerous research efforts over the last 20 years, on protecting networks from BGP hijacking (detection, reactive mitigation, proactive defenses), the majority of the proposed solutions have not found their way to industry, with the exception of RPKI; though its deployment is still very limited. As such, networks are still vulnerable to hijacking events, which frequently require hours (or even days) to be resolved.
In this article, we present ARTEMIS, a system that can be used by operators to protect their own network from BGP prefix hijacking events. Using real experiments, we’ve shown that ARTEMIS can detect prefix hijacking events within seconds and neutralise them within a minute; orders of magnitude faster than with current practices.
ARTEMIS Overview
ARTEMIS is used by an Autonomous System (AS) to protect its own prefixes, and is operated in-house, as software running on a VM/container in the Network Operations Center (NOC). The operator only needs to configure ARTEMIS, providing information about the announced prefixes of the network as well as its neighbours (configuration file; its generation can be automated using information from IRRs, RPKI DBs, and local routers).
The system is composed of three main modules/services:
- Monitoring, receiving information from public monitors (for example, RIPE RIS and RouteViews) and local routers.
- Detection, identifying hijacking events by comparing the monitoring information with the configuration file (‘ground truth’).
- Mitigation, reacting automatically or manually to a detected hijacking event via custom in-house (or optionally outsourced) mechanisms.
An overview of ARTEMIS is provided in Figure 1.
Figure 1: Overview of the ARTEMIS system
ARTEMIS can detect both simple hijacks (for example, involving a fake origin or upstream AS of the protected network), and advanced hijacks (for example, sub-prefix, man-in-the-middle, or path manipulation attacks).
Figure 2 depicts an example of how ARTEMIS operates in the latter case (path manipulation using a fake link).
Figure 2: ARTEMIS operation example: Path manipulation via fake link + sub-prefix
For a comprehensive analysis on the attacks covered by ARTEMIS, as well as its comparison with other related approaches, we refer the reader to our paper.
Monitoring
ARTEMIS continuously monitors the Internet control plane by leveraging pervasive publicly available BGP monitoring services, such as RIPE RIS and RouteViews (and their recently acquired real-time streaming capabilities).
Specifically, it receives real-time BGP updates from:
- RIPE RIS monitors, using a socket.io interface
- RouteViews and RIPE RIS monitors, using the BGPStream API; and
- Local BGP routers via exaBGP and iBGP
In our work, we show that the existing public monitoring infrastructure can enable live detection of all impactful hijacking events. In fact, while a hijacker can employ several means to achieve a stealthy — that is, invisible to BGP monitors — hijack, this can be achieved only at the cost of limited impact (less than 1-2% of AS-level pollution).
Transitioning more monitors to live streaming will further increase global visibility and reduce detection times.
Detection
Detection operates by cross-checking the BGP updates received by the monitoring module/service, against the local configuration files (for example, origin/neighbour ASNs and announced prefixes) and a knowledge base (containing, for example, observed AS-level links and related metadata) created automatically by ARTEMIS and stored locally.
The ARTEMIS detection approach is:
- Comprehensive - detecting all possible attack types that are visible on the control plane.
- Accurate - generating zero False Positives (FP) / Negatives (FN) for basic hijack types (for example, fake origin/upstream announcements, or sub-prefix hijacks of any type), and a very low -tunable- FP-FN trade-off for others (for example, path manipulation attacks).
- Fast - specifically based on real-world experiments using the PEERING testbed, we’ve shown that the stages of real-time monitoring and detection take only a few seconds, which is a demarcation point from existing detection systems (see Figure 3).
Figure 3: ARTEMIS detection delay (boxplots; y-axis) in real-world experiments on PEERING testbed; letters (x-axis) denote different PoPs used as victim and hijacker (source)
Mitigation
Capitalising on reliable detection information, ARTEMIS enables automated mitigation of a hijacking event.
Mitigation can be triggered immediately upon detection; manual mitigation (for example, pending approval by the operator) is also possible if desired. Moreover, mitigation can be flexible, for example, configurable per prefix, hijack type, observed impact, and so on.
Currently, ARTEMIS offers two primary mitigation methods.
- The first one is based on a ‘do-it-yourself’ approach, where the network reacts by prefix de-aggregation in order to attract traffic back to its own routers. This technique is effective for all unfiltered prefixes, less specific than /24.
- For attacks on /24 prefixes, ARTEMIS can enable a mitigation solution similar to the DDoS protection as-a-service offered today. In particular, the affected AS can request from other (collaborating) networks to announce the hijacked prefix from their own premises (Multiple Origin AS), and then tunnel the traffic they attract back to the victim (for example, via the victim’s upstream providers).
Αs we show in Figure 4 based on our PEERING experiments, the monitoring-detection-mitigation cycles for a hijack require at maximum 1 minute. Therefore, departing from the current approaches of manual intervention, bringing the focus to the network itself, drastically reduces reaction times of defensive countermeasures.
Figure 4: Real-world experiments on PEERING testbed; detection and mitigation cycles (source).
State of the Art
Network operators currently deal with BGP prefix hijacking using two main defense types: proactive, such as RPKI, and reactive, such as third-party detection services raising alerts that operators then need to manually verify and resolve (for example, via prefix de-aggregation or contacting other networks for filtering).
On the one hand, technologies such as RPKI and BGPsec are fully effective only when globally deployed (and still may not prevent all potential attacks); in practice, operators are reluctant to deploy them (currently less than 10% of prefixes are covered by ROAs) due to associated technical and financial costs/risks, and the cyclic dependency between limited adoption and deployment (see Figure 5).
Figure 5: Reasons for not using RPKI (source)
On the other hand, current, third-party services suffer from multiple issues, such as:
- Limited comprehensiveness, since they detect only simple attacks.
- Limited accuracy, both in terms of FP and FN.
- Delayed resolution of hijacks.
- Compromises with respect to privacy and the need to share private information (such as the routing policies of the network).
Therefore, under this regime, prefix hijacks still affect networks for critical periods of time, up to multiple days (see Figure 6), with dire consequences in terms of costs and reputation for the victim networks.
ARTEMIS reduces these times from hours/days to a few minutes, aiming to become a practical and useful tool for the network community.
Figure 6: How much time an operational network was affected by a hijack (source)
What’s next?
ARTEMIS is currently under development; recent updates were presented during the RIPE 76 Routing WG. Operators are welcome to answer our related questionnaire, while we encourage everyone to visit our website, where you can also find our contact information, read the ARTEMIS paper, and check out the results of the related survey and our demo.
Moreover, we would welcome advice on integrating ARTEMIS in operational environments for testing purposes (for example, real-world configurations and setups), as well as feedback for further improvement or inclusion of new services.
Acknowledgements
ARTEMIS is a joint research effort led by INSPIRE group and CAIDA. The software development stage has received funding by the RIPE NCC Community Projects Fund 2017.
This work was also supported by the European Research Council (grant agreement no. 338402), the National Science Foundation (grant CNS-1423659), and the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD) (via contract number HHSP233201600012C).
Comments 11
Comments are disabled on articles published more than a year ago. If you'd like to inform us of any issues, please reach out to us via the contact form here.
Wouter •
Great work! My feeling is that BGP Hijacking appears to happen more and more often lately, although it's hard to measure. One comment however in relation to this statement: "In our work, we show that the existing public monitoring infrastructure can enable live detection of all impactful hijacking events. In fact, while a hijacker can employ several means to achieve a stealthy — that is, invisible to BGP monitors — hijack, this can be achieved only at the cost of limited impact (less than 1-2% of AS-level pollution)." While it would be nice if this was the case, consider this scenario where the AS-level pollution is low and the impact high: Leak IP-space that belongs to an authoritative DNS provider of choice to the provider of a large public DNS resolver. Currently there exist quite a few large "managed" authoritative DNS providers, and also quite a few large public DNS resolvers. Hijacking can happen quite easily if the public DNS resolver peers at an IX where the authoritative provider does not. It would also not be hard to select an IX where BGPMON and the like have no visibility.
Hide replies
Vasileios Kotronis •
We thank you Wouter for the comment. Such targeted attacks are a concern; still the impact on the AS-level Internet in terms of IP routing remains limited even in this case, while this hijack compromises an application-layer mechanism (DNS). However, we acknowledge that this can be done, and one of our intentions is to push for getting more monitors out there to eradicate the possibility of a missed attack. Note that in this case, the authoritative DNS provider has an incentive of having enough monitors out there, especially "close" to the well-known public DNS resolvers, including in potential IXes where they peer (e.g., using the route server). Also, it has an incentive to use ARTEMIS to monitor its own -precious- prefixes which if hijacked, could lead to the situation you are describing. We are further looking into data-plane-based solutions to cover the cases where the control-plane may fail to see such a targeted (limited on the AS-level but with high impact in practice) attack.
Stéphane Bortzmeyer •
The link "real-time streaming capabilities" goes to a 404. I suspect the correct target is https://labs.ripe.net/Members/colin_petrie/updates-to-the-ripe-ncc-routing-information-service
Hide replies
Mirjam Kühne •
Thanks for spotting this, Stéphane. The link is fixed now.
Klaus D •
Is Artemis (the code) availabe as download? I would be intetested to set it up to monitor our prefixes.
Hide replies
Vasileios Kotronis •
Thank you for your comment. We plan to make the code we have available by Christmas, accompanied with detailed instructions on how to setup. We will share the GitHub link soon.
Petros Gigis •
Hi Klaus, We released the first version of the tool at the following git repository. https://github.com/FORTH-ICS-INSPIRE/artemis
Martin Thygesen •
The impact is far higher than 1% BGPStream alone detected 13935 incidents There are 64409 ASN numbers activated on the Internet as at May 2019 Probability of attack is # of ASN / # of incidence ~ 13935/64409 ~ 21% chance you will be impacted by an attack BGP Hijacks are happening all the time and most operators are not aware of it. Operators are willing to Pay for DDoS and Security Filtering but not for routing validation that is impacting their traffic before it gets to this infrastructure? ARTEMIS does not actually neutralize an attack and being an open source toolset has little continued assurance of business SLA. Whilst price may be an issue, how is that ranked against business continuity? The importance placed by the research paper for this ranked issues none of which an open source tool can provide a) Effectiveness of Mitigation (awareness is not mitigation) b) Fast Mitigation (RIPE/Routeviews/BGPSteam are all 5-15 minutes out of date, detection needs to be < 3 minutes) c) Ease of Operating / Troubleshooting... <> open source, who's going to take your support ticket for bug? d) Low Cost.. I guess it depends on the Value, a US service provider lost $60Mil USD as a result of a Route Leak.. is cost an issue now? e) Ease of Installation... <> opensource this is a starting point only ... etc etc. The real question is how does ARTEMIS address the whole ASN network vs a single prefix
Hide replies
Vasileios Kotronis •
Dear Martin, thank you for your comment. I did not get what you mean by the 1% impact, could you please elaborate? ARTEMIS allows for real-time detection of an attack, enabling automatic mitigation. In the current open-source code we have a wrapper for operators to plug-in their own scripts (e.g., Ansible, etc.) to configure routers in case of such attacks. ARTEMIS itself can be configured to mitigate, and we are working heavily on providing more wrappers and interfaces to be able to talk to multiple router types (currently only the wrapper/trigger is available in the open-source version). Regarding the issues you mention: a) Effectiveness of Mitigation --> Please check section 6 of our ToN paper (https://arxiv.org/pdf/1801.01085.pdf) b) Fast Mitigation --> RIPE RIS offers real-time streaming. As well as the public beta BMP feed of BGPStream, and the exaBGP interface to local routers is also real-time. c) Ease of Operating / Troubleshooting --> We are considering commercialization options in this context. More information soon! Till then, we are doing our best to address bugs on GitHub, using the "issue" primitive (you can check the list of resolved issues and added features). d) Low Cost --> Apparently yes, see Fig. 3b and 3k of https://arxiv.org/pdf/1801.02918.pdf It seems that despite the high impact of these attacks, the problem persists and available tools and mechanisms are not able to fully counter this. By the way, I think that in your comment the cost of the tool itself is confused with the cost of an actual attack, which of course can be very high. e) Ease of Installation --> I agree, and as described above we are looking at commercialization options around open-source. However, we will in any case try to maintain and deliver a high-quality open-source software to assist the community detect such incidents in real-time. For more feedback/questions please contact the dev team using the information of https://github.com/FORTH-ICS-INSPIRE/artemis , we would be happy to answer them. For example, regarding the ASN vs single prefix question, we are working on automating parts of the configuration process of ARTEMIS, making it easier for the operator to set up ARTEMIS for large networks.
Abid Ghufran •
Effectiveness of recovering from attack on an allocated prefix, for example of a /24, is dependent on others collaborating as well (mitigation method 2 above). Does not this defy the concept of having a self contained and self reliant mitigation strategy? If the upstream providers do not permit advertising more specific prefixes and also do not collaborate, what would be the option then to thwart an attack?
Hide replies
Vasileios Kotronis •
This is a correct observation. We have identified two possible mitigation options: prefix deaggregation, where feasible (e.g., complying to filtering rules), and BGP advertisement outsourcing, using a similar model as the one used by DDoS mitigation services (as described in our ToN paper). Focusing on self-contained-only strategies, that do not employ third parties (therefore excluding outsourcing), we would welcome more ideas besides deaggregation. I think that filtering issues could be bypassed using special communities agreed between the victim and e.g., its upstream provider(s), so that the defense mechanism can work for the duration of the incident. Would you have more feedback on such mechanisms? Thanks again for the very useful remark!