View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
October 9, 2019

ML Model Helps to Identify 800 Cases of Border Gateway Protocol Hijacking

Malicious address blocks don't hang around...

By CBR Staff Writer

MIT researchers say they have identified “serial” border gateway protocol (BGP) hijackers using a machine learning model that successfully identified 800 suspicious networks, including some that had been hijacking traffic for years.

The team fed their algorithm several years’ worth of information containing network operating lists and historical internet gateway data. The result is a machine learning model capable, they say, of identifying malicious networks.

Using data from a global routing table they identified key characteristics that signal when a hacker is routing traffic through their own network in order to gather intelligence or steal credentials. One identifier is the existence of IP addresses from multiple countries. Normal networks rarely contain foreign IP addresses, but hackers are well known to be borderless and make use of different regions.

The machine learning model focuses on a key part of the internet’s software infrastructure, the Border Gateway Protocol (BGP).

Hackers routinely exploit this routing mechanism which establishes connections between different parts of the internet. A threat actor can take advantage of these gateways by tricking nearby networks into believing that the best path to send a packet to an address is through a network in their control.

The researchers found that when hackers are trying to run IP hijacking campaigns they tend to use multiple address blocks (network prefixes), identifying multiple IP address blocks to a similar source is sign that a hacker is behind their creation.

The duration that blocks stay online is a key indicator of suspicious activity as the average time a block is active on a legitimate network is two years, while malicious address blocks on average disappear after 50 days.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

Cecilia Testart, a graduate student at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) and lead author of the research commented in blog that: “Network operators normally have to handle such incidents reactively and on a case-by-case basis, making it easy for cybercriminals to continue to thrive.

“This is a key first step in being able to shed light on serial hijackers’ behavior and proactively defend against their attacks.”

Border Gateway Protocol Hijacking

Credit:Adri Tormo via Unsplash

Border Gateway Protocol Hijacking

The machine learning model is in no way perfect and needs to be supervised as network operators and cyber security experts often use the  BGP to mitigate attacks.

For instance if a firm is the subject of distributed denial-of-service attack, one way to handle it is to trick the onslaught of incoming traffic into taking the wrong path to a website by manipulating the BGP. Unfortunately this action is nearly indistinguishable from the actions that a threat actor would take.

As a result the researchers found themselves stepping in to clarify and identify false positives which they say made up approximately 20 percent of suspicious identifications. The researchers’ hope that they can reduce the human supervision to a minimal and envisage that the model could soon be used in production environments.

David Plonka, a senior research scientist at Akamai Technologies independently commented on MIT’s work, saying: “One implication of this work is that network operators can take a step back and examine global Internet routing across years, rather than just myopically focusing on individual incidents. This project could nicely complement the existing best solutions to prevent such abuse that include filtering, antispoofing, coordination via contact databases, and sharing routing policies so that other networks can validate it.”

“It remains to be seen whether misbehaving networks will continue to be able to game their way to a good reputation. But this work is a great way to either validate or redirect the network operator community’s efforts to put an end to these present dangers.”

See Also: Amazon Cloud Services IP Addresses Hijacked

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU