Resources Research

Paper Accepted

Malicious BGP hijacks can be deceiving

February 20, 2014 || Dr. Johann Schlamp

Based on several alarms raised by a spam detection system on February 3, 2013, we became aware of an incident taking place in Bulgaria. We conducted a forensic case study for suspicious routing changes that coincided with a large volume of spam and web scam traffic. Despite the compelling evidence for an ongoing attack, we were able to infer that spammers legitimately rented IP space instead. With the same body of evidence, previous work might have falsely alerted to a hijacking event.

Previous studies reported a correlation between BGP hijacking attacks and spamming activities. At a first glance, the same appeared to be true for the Bulgarian case at hand. We consequently combined a variety of orthogonal data sources including spam traps, IP blacklists, traceroute measurements, and traffic flow data. By performing a cross-data sources analysis, we were able to reconstruct the routing history and network behavior of several network prefixes that were abused over a period of three months.

A strong temporal correlation between suspicious BGP announcements and illicit activities like spamming and phishing pointed us to a hijacking attack with malicious intent. Even though we have accumulated a series of converging evidence incriminating one of the actors to be involved in a hijacking attack, we eventually uncovered that the affected networks were instead rented for abuse. A forensic analysis carried out utilizing a graph database of Regional Internet Registry data sets revealed thorough documentation of all routing changes. In this respect, the alleged victim granted the spammer the right to use for corresponding networks. While clearly being abused for illegal activities, we conclude that no attack on these networks took place at the routing level. We consequently suggest that previously reported hijacking cases should again be put to test.

Through this case study, we showed that a correlation of malicious activities with suspicious routing events is insufficient to evidence harmful BGP hijacking attacks. This practical example illustrates that we can avoid drawing conclusions too quickly based on a limited set of evidence skewed towards one verdict or the other. This fact is of particular interest to avoid misattributing attacks launched from hijacked IP space, especially when responding with legal actions.

We will continuously advance our routing analytics suite to carefully consider all aspects of suspicious routing anomalies.

P.-A. Vervier, Q. Jacquemart, J. Schlamp, O. Thonnard, G. Carle, G. Urvoy-Keller, E. W. Biersack, and M. Dacier
Proceedings of the IEEE International Conference on Communications (ICC), pp. 884-889.
Sydney, Australia, June 10-14, 2014.
Publisher: IEEE
DOI: 10.1109/ICC.2014.6883431