CHARACTERIZING BGP COMMUNITY IRREGULARITIES TOWARD AN ANOMALY DETECTION ENGINE
Smaragdakis, Georgios, Technical University (TU) Berlin
Prior work has demonstrated ways to attack the Border Gateway Protocol (BGP) system as well as vulnerabilities in BGP and its configuration. Furthermore, BGP attacks, such as hijacking, are common in the wild, whether due to accidental misconfiguration or malicious intent. Recent work demonstrates the feasibility and potential of new BGP attacks based on the BGP community attribute (rerouting and blackholing). Very recently, there have been BGP attacks using BGP communities in the wild. The major issues with BGP communities (among others) are that there is no cryptographic protection, attribution is very difficult, and they are used both for signaling and for triggering actions. These issues present opportunities for misconfiguration and, more concerningly, abuse. Not only have BGP communities been shown to potentially allow a third party to trigger remote blackholing, but false BGP community announcements can also be used to re-route traffic through a hop controlled by an attacker. This re-routing allows an attacker to potentially examine traffic on its way to its intended destination. Despite this rich body of prior work, no one has analyzed the use and misuse of BGP communities over time. In this thesis, we characterize BGP community use and behavior over the course of a year to investigate the possibility of building a BGP community anomaly detector.
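As an added illustration of the baseline-and-deviation approach such a detector could start from (example code written for this page, not from the thesis; the record format, AS numbers and the attribution heuristic are constructed assumptions, while BLACKHOLE 65535:666 is the well-known community defined in RFC 7999):

```python
from collections import defaultdict

# RFC 7999 well-known community: a route carrying it asks the receiver to drop
# traffic to the prefix, so its sudden appearance deserves scrutiny.
BLACKHOLE = (65535, 666)

# Constructed training records: 'ts|peer_asn|prefix|as_path|communities'.
TRAINING = [
    "1|64500|203.0.113.0/24|64500 64510 64520|64510:100,64520:3000",
    "2|64500|203.0.113.0/24|64500 64510 64520|64510:100",
    "3|64501|198.51.100.0/24|64501 64530|64501:200",
]

def parse_update(line):
    """Parse one constructed record into a dict; communities become (asn, value) tuples."""
    ts, peer, prefix, path, comms = line.split("|")
    path = [int(a) for a in path.split()]
    communities = set()
    for c in comms.split(","):
        if c:
            asn, value = c.split(":")
            communities.add((int(asn), int(value)))
    return {"ts": int(ts), "peer": int(peer), "prefix": prefix,
            "path": path, "origin": path[-1], "communities": communities}

def build_baseline(updates):
    """Record, per prefix, every community seen during the training window."""
    baseline = defaultdict(set)
    for u in updates:
        baseline[u["prefix"]] |= u["communities"]
    return baseline

def detect(update, baseline):
    """Return the reasons (possibly none) an update looks irregular against the baseline."""
    reasons = []
    seen = baseline.get(update["prefix"], set())
    novel = update["communities"] - seen
    if novel:
        reasons.append(f"novel communities for {update['prefix']}: {sorted(novel)}")
    for asn, value in update["communities"]:
        # Heuristic (assumption): a community whose high half names an AS that is
        # neither the peer nor on the path is hard to attribute to anyone on the route.
        if asn != update["peer"] and asn not in update["path"] and (asn, value) != BLACKHOLE:
            reasons.append(f"community {asn}:{value} names an AS absent from peer and path")
    if BLACKHOLE in novel:
        reasons.append(f"BLACKHOLE newly attached to {update['prefix']}")
    return reasons

def run(training_lines, candidate_lines):
    """Build the baseline from training records, then score each candidate record by timestamp."""
    baseline = build_baseline(parse_update(l) for l in training_lines)
    return {u["ts"]: detect(u, baseline) for u in map(parse_update, candidate_lines)}
```

A real detector would key the baseline on more than the prefix (peer, origin AS, time of day) and learn it over a long window, which is exactly the year-long characterization the abstract describes.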
Rights: Copyright is reserved by the copyright owner.