{"title":"Customer-side detection of Internet-scale traffic redirection","authors":"P. Salvador, A. Nogueira","doi":"10.1109/NETWKS.2014.6958532","DOIUrl":null,"url":null,"abstract":"Recent reports of Internet-scale traffic redirection based on BGP route hijacking, for perpetration of man-in-the-middle (at distance) attacks, have put major institutions and network service providers in alert. However, corporate customers have to content with a helpless bystander and victim roles due to the lack of tools to detect and counter-act Internet-scale traffic redirection. An world-wide redirection of target traffic will compromise unencrypted communications and allow the deployment of various attacks on encrypted communications. This paper proposes a world-wide distributed probing methodology to detect traffic routing variations. Upon detection, a corporate customer cannot act in terms of Internet-scale routing but can warn its network service providers and request consequent actions. Nevertheless, upon warning, the corporate customer can locally deploy extreme security policies, like terminating sensible deferrable communications (database/information synchronization, audio/video calls) and increasing the required encryption level for public services. The proposed solution is easily deployed and has a very low implementation cost. The proof-of-concept presented in this paper uses worldwide deployed probes to detected specific traffic redirection. 
The results obtained reveal that the proposed methodology, due to this world-wide spreading of the probes and joint analysis of measurements, is able: (i) to detect Internet-scale traffic redirection attacks, and (ii) ignore localized licit inner-AS rerouting.","PeriodicalId":410892,"journal":{"name":"2014 16th International Telecommunications Network Strategy and Planning Symposium (Networks)","volume":"58 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-11-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 16th International Telecommunications Network Strategy and Planning Symposium (Networks)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/NETWKS.2014.6958532","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 8
Abstract
Recent reports of Internet-scale traffic redirection based on BGP route hijacking, for perpetration of man-in-the-middle (at distance) attacks, have put major institutions and network service providers on alert. However, corporate customers have to content themselves with the roles of helpless bystander and victim due to the lack of tools to detect and counteract Internet-scale traffic redirection. A world-wide redirection of target traffic will compromise unencrypted communications and allow the deployment of various attacks on encrypted communications. This paper proposes a world-wide distributed probing methodology to detect traffic routing variations. Upon detection, a corporate customer cannot act in terms of Internet-scale routing but can warn its network service providers and request consequent actions. Nevertheless, upon warning, the corporate customer can locally deploy extreme security policies, like terminating sensitive deferrable communications (database/information synchronization, audio/video calls) and increasing the required encryption level for public services. The proposed solution is easily deployed and has a very low implementation cost. The proof-of-concept presented in this paper uses worldwide deployed probes to detect specific traffic redirection. The results obtained reveal that the proposed methodology, due to this world-wide spreading of the probes and joint analysis of measurements, is able (i) to detect Internet-scale traffic redirection attacks, and (ii) to ignore localized licit inner-AS rerouting.