• 中国计算机学会会刊
  • 中国科技核心期刊
  • 中文核心期刊

计算机工程与科学 ›› 2020, Vol. 42 ›› Issue (07): 1184-1190.doi: 10.3969/j.issn.1007-130X.2020.07.006

• 计算机网络与信息安全 • 上一篇    下一篇

互联网大规模前缀劫持事件检测与分析的案例研究

隋东方, 唐勇, 刘宇靖, 王恩泽   

  1. (国防科技大学计算机学院,湖南 长沙 410073)
  • 收稿日期:2019-10-10 修回日期:2020-03-05 接受日期:2020-07-25 出版日期:2020-07-25 发布日期:2020-07-25
  • 基金资助:
    国家自然科学基金(61602503)

A case study on detection and analysis of  large-scale prefix hijacking incidents on the Internet

SUI Dong-fang, TANG Yong, LIU Yu-jing, WANG En-ze   

  1. (School of Computer,National University of Defense Technology,Changsha 410073,China)
  • Received:2019-10-10 Revised:2020-03-05 Accepted:2020-07-25 Online:2020-07-25 Published:2020-07-25

摘要: 由于BGP协议的脆弱性,BGP前缀劫持长期以来一直对互联网产生着严重的安全威胁。检测和分析大规模的前缀劫持事件是一件十分必要但又充满挑战的工作。以2019年发生的大规模的欧洲路由泄露导致路由劫持事件为案例,提出了一种基于公共BGP数据的有效的检测和分析方法。分析结果包括如下几条:(1)这次劫持的“攻击者”为AS21217,AS4134是劫持路由传播过程中的关键点;
(2)此次劫持事件导致了严重的多源AS冲突和AS-PATH路径膨胀问题;(3)此次事件的劫持类型包括劫持前缀并篡改AS路径,以及劫持子前缀并篡改AS路径2种类型;(4)检测到311个AS被感染,长度为4的感染链数量最多,且分属于3 895个AS的28 118个前缀IP段成为受害者,同时实现了一个可视化系统来展示劫持发生时的全球网络态势。这些研究结果一方面与Oracle等公司公布的结果相互印证,另一方面又对此次网络事件进行了更加详尽的补充和深入挖掘。

关键词: BGP前缀劫持, 互联网, 检测, MOAS

Abstract: Due to the vulnerability of BGP protocol, BGP prefix hijacking has long been a serious security threat to the Internet. Detection and analysis of large-scale prefix hijacking incidents is a very ne- cessary but challenging task. This paper takes the large-scale European route leakage incident leading to route hijacking in 2019 as a case, and develops an effective detection and analysis method based on public BGP data. The analysis results include the following: firstly, the "attacker" of this hijacking is AS21217, and AS4134 is the key point in the process of hijacking route transmission; secondly, the hijacking caused serious multi-source AS conflict and as-path PATH expansion; thirdly, the hijacking types of this event include hijacking prefix and tampering with AS path and hijacking subprefix and tampering with AS path; fourthly, 311 AS were detected to be infected, with the largest number of infected chains of length 4, and 28 118 prefix IP segments belonging to 3 895 AS became victims. At the same time, a visual system is implemented to show the global network situation when the hijacking occurred. On the one hand, these results are consistent with the results published by Oracle and other companies; on the other hand, more detailed experiments and supplements have been carried out in multiple directions.


Key words: BGP prefix hijacking, Internet, detecting, Multiple Origin AS