Analysing BGP Origin Hijacks

Abstract

In recent years, society has become increasingly reliant on the Internet. Consequently, the security of the Internet has become critically important. This thesis focusses on the security of one of the Internet's main protocols. This protocol, called the Border Gateway Protocol (BGP), is used to exchange information that allows Internet traffic to reach its intended destination. BGP is vulnerable to misconfigurations and attacks that can cause a range of problems. This thesis focusses on one of them: BGP origin hijacks. In this thesis, a year of possible origin hijacks is analysed. These possible origin hijacks were detected by BGPStream between 20 May 2018 and 31 May 2019. Analysing these hijacks gives insight into the causes and characteristics of origin hijacks. This can help to find the most pressing issues and may provide guidance in securing BGP. Various data sources are used to collect and compute features that give more information on each hijack. These features are used to find relations between hijacks and to assign labels that indicate a cause or a certain aspect of the hijack. These relations and labels are then used to analyse groups of similar hijacks. This approach is very effective: using the context of a group of hijacks gives much more insight than looking at hijacks individually. It shows that many of the possible hijacks are likely not hijacks at all, and that hijacks that look like origin hijacks are often the result of another type of attack called a path hijack. In addition, this thesis provides a way to detect several types of misconfigurations and points out weaknesses in the detection system used by BGPStream. It also gives an overview of the characteristics of hijacks and how often specific behaviour occurs.
