一种AS-IP宣告关系真实性评估方法研究

doi:10.3969/j.issn.1671-1122.2015.11.006

信息网络安全 ›› 2015, Vol. 15 ›› Issue (11): 33-39.doi: 10.3969/j.issn.1671-1122.2015.11.006

一种AS-IP宣告关系真实性评估方法研究

胡照明, 刘磊, 尚博文, 朱培栋

国防科学技术大学计算机学院,湖南长沙 410073

收稿日期:2015-06-06 出版日期:2015-11-25 发布日期:2015-11-20
作者简介:
作者简介：胡照明(1991-),男,黑龙江,硕士研究生,主要研究方向：网络安全;刘磊（1985-）,男,吉林,硕士研究生,主要研究方向：网络安全;尚博文（1992-）,男,山东,硕士研究生,主要研究方向：网络安全;朱培栋（1971-）,男,山东,博士生导师,教授,博士,主要研究方向：新型网络体系结构、网络安全、网络科学。
基金资助:
国家自然科学基金[61170285]

Research on the Evaluation Method of AS-IP Declaring Relationship Authenticity

Zhao-ming HU, Lei LIU, Bo-wen SHANG, Pei-dong ZHU

School of Computer, National University of Defense Technology, Changsha Hunan 410073, China

Received:2015-06-06 Online:2015-11-25 Published:2015-11-20

摘要/Abstract

摘要：

在BGP网络中,如果一个自治系统（AS）宣告了并不属于它的IP地址前缀,则发生了IP地址前缀劫持。造成IP地址前缀劫持很难发现的原因主要有以下两个方面：1）对于受到前缀劫持影响的AS,当且仅当被劫持的IP地址前缀传递到它所在的AS域才能发现前缀劫持;2）对于网络中的其他AS,由于边界网关协议（BGP）缺乏安全机制验证IP地址前缀的宣告者是否确实拥有此地址,从而导致这些AS即使接收到劫持路由,也无法判断是否确实发生了前缀劫持。针对以上问题,文章提出了一种AS-IP宣告关系真实性评估方法,通过生成历史路由表的宣告关系矩阵,基于空间一致性和时间稳定性来计算AS-IP宣告关系的稳定度,以判断宣告关系的真实性,并生成AS-IP匹配关系知识库。文章对RouteViews及国内运营商的路由数据进行了分析检测,实验结果表明,文章方法不但能够有效判断宣告关系真实性,生成AS-IP匹配关系知识库,而且可以有效发现前缀劫持。

关键词: 域间路由, 宣告关系, 稳定度, 前缀劫持

Abstract:

In BGP network, if an autonomous system (AS) declares an IP address prefix that not belongs to it, and then the network prefix hijack occurs. There are two reasons make prefix hijack difficult to detect: 1) Prefix hijacking will be find by the hijacked AS when and only when the IP address prefix that was hijacked was transmitted to its domain. 2) Because BGP lacks security mechanism to verify the IP address declarer have this IP address, other ASes cannot confirm the prefix hijacking even if they have got the hijacked routes. This paper presents an AS-IP declaring relationship authenticity evaluation method based on spatial consistency and temporal stability, which builds a matrix of declaring relationship according to the history routing tables, calculates a stability degree of this matrix to judge the authenticity of the declaring relationship, and generates an AS-IP matching relation knowledge base. This paper analyses and detects the routing data of RouteViews and domestic operators, and the experiments show that this method can judge the authenticity of the declaring relationship, generate a AS-IP matching relation knowledge base, and detect the prefix hijacking effectively.

Key words: inter-domain routing, declaring relationship, stability, prefix hijacking

中图分类号:

TP309

胡照明, 刘磊, 尚博文, 朱培栋. 一种AS-IP宣告关系真实性评估方法研究[J]. 信息网络安全, 2015, 15(11): 33-39.

Zhao-ming HU, Lei LIU, Bo-wen SHANG, Pei-dong ZHU. Research on the Evaluation Method of AS-IP Declaring Relationship Authenticity[J]. Netinfo Security, 2015, 15(11): 33-39.

图/表 5

参考文献 26

[1]	Rekhter Y, Li T, Hares S.A Border Gateway Protocol 4(BGP-4)[S]. RFC 4271, 1995.
[2]	刘欣, 王小强, 朱培栋,等. 互联网域间路由系统安全态势评估[J]. 计算机研究与发展, 2009, 46(10):1669-1677.
[3]	齐峰,马春光,周永进,等. 一种基于网络编码的机会社会网络路由算法[J]. 信息网络安全,2015,(2):51-56.
[4]	王小强, 朱培栋, 卢锡城. 防范路由劫持的协同监测方法[J]. 软件学报, 2014, 25(3): 642-661.
[5]	Kent S, Lynn C, Seo K.Secure Border Gateway Protocol (S-BGP)[J]. IEEE journal on selected areas in communications, 2000, 18(4):103-116.
[6]	Oti S B, Hayfron-Acquah J B. Practical Security Approaches against Border Gateway Protocol (BGP) Session Hijacking Attacks between Autonomous Systems[J]. Journal of Computer & Communications, 2014, (2):10-21.
[7]	Kranakis E, Wan T, Oorschot P C.On Interdomain Routing Security and Pretty Secure BGP (psBGP)[J]. ACM Trans. Information and System Security (TISSEC), 2007, 10(3):1-41.
[8]	Karlin J, Forrest S, Rexford J.Pretty good BGP: Improving BGP by Cautiously Adopting Routes[C]//Proc. of the IEEE ICNP, 2006. 283-292.
[9]	Subramanian L, Roth V, Stoica I, et al.Listen and Whisper: Security Mechanisms for BGP[C]//Proc. of the NSDI, 2004.
[10]	赵玉东,徐恪,朱亮. 一种路由设备服务可信属性定义方法与可信路由协议设计[J]. 信息网络安全,2015,(1):24-31.
[11]	Mayer D. University of Oregon Route Views Project [EB/OL]. .
[12]	RIPE NCC. RIPE RIS Project [EB/OL]. .
[13]	BGP. Telstra CIDR Report [EB/OL]. .
[14]	Cymru Team. The Team Cymru Bogon Route Server Project[EB/OL]. .
[15]	Renesys. Routing Intelligence [EB/OL]. .
[16]	Lad M, Massey D, Pet D.PHAS: A prefix hijack alert system[C]//Proc. of the 15th USENIX Security Symposium, USENIX-SS’06. Vancouver, BC, Canada, 2006:108-119.
[17]	BGP Mon. BGP Mon part of OpenDNS [EB/OL]. .
[18]	唐敏,施新刚,喻星,等.路由监控分析系统的设计和实现[J].计算机科学,2008,(1): 56-59.
[19]	Shi X, Xiang Y, Wang Z, et al.Detecting prefix hijackings in the internet with argus[C]//Proceedings of the 2012 ACM conference on Internet measurement conference. ACM, 2012: 15-28.
[20]	Deng W, Zhu P, Lu X.ROUSSEAU: A monitoring system for inter-domain routing security[C]//Communication Networks and Services Research Conference, 2008. CNSR 2008. 6th Ann ual. IEEE, 2008: 255-262.
[21]	Fixedorbit. Fixedorbit [EB/OL]. .
[22]	CAIDA. CAIDA [EB/OL]. .
[23]	燕强, 王小强, 蔡开裕,等. 基于稳定度的可信AS-IP宣告关系构建方法[J]. 计算机与现代化, 2011, (11):93-96.
[24]	苏彬庭,方禾,许力. 基于Q-Learning的无线传感器网络生命周期平衡路由[J]. 信息网络安全,2015,(4):74-77.
[25]	王小强. 互联网域间路由系统动态行为研究与机制设计[D].长沙:国防科学技术大学,2014.
[26]	Hu X, Mao Z M, Hu X.Accurate Real-time Identification of IP Prefix Hijacking[C]// Proceedings of the 2007 IEEE Symposium on Security and Privacy. IEEE Computer Society, 2007:3-17.

一种AS-IP宣告关系真实性评估方法研究

Research on the Evaluation Method of AS-IP Declaring Relationship Authenticity

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 5

参考文献 26

相关文章 1

编辑推荐

Metrics

本文评价