TWC: TTP Option: Small: Collaborative: Detecting and Characterizing Internet Traffic Interception Based on BGP Hijacking
Recent reports have highlighted incidents of massive Internet traffic interception executed by re-routing Border Gateway Protocol (BGP) paths across the globe (affecting banks, governments, entire network service providers, etc.). The potential impact of these attacks can range from massive eavesdropping to identity-spoofing or selective content modification. In addition, executing such attacks does not require access or proximity to the affected links and networks, posing increasing risks to national security. Worse yet, the impact of traffic interception on the Internet is practically unknown, with even large-scale and long-lasting events apparently going unnoticed by the victims.
Because of the complex dynamics and number of different actors involved on a global scale, devising effective methodologies for the detection and characterization of traffic interception events requires empirical and timely data (e.g., acquired while the event is still ongoing). Such data must be a combination of passive BGP measurements and active measurements (such as Traceroute), since the mechanism triggering the attack operates on the inter-domain routing control plane, but the actual impact is only verifiable in the data plane.
By leveraging our measurement and data processing infrastructure, this project aims to: (i) investigate, develop, and experimentally evaluate novel methodologies to automatically detect traffic interception events and to characterize their extent, frequency, and impact; (ii) extend the research team’s measurement infrastructure to detect in near-real-time and report episodes of traffic interception based on BGP hijacking; and (iii) document such events, providing datasets to researchers and summary statistics and reports to operators, emergency response teams, law enforcement agencies, and policy makers.
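The abstract's central methodological point is that a BGP hijack is triggered in the control plane (a prefix or more-specific appears with an unexpected origin AS) while its effect, interception versus blackholing versus impersonation, is only observable in the data plane (does traffic still reach the legitimate origin, and through which ASes). The following is an added illustration of that two-stage logic, not code from the project or its measurement infrastructure. The announcement record layout, the hop-IP-to-ASN map, and all ASNs (documentation range 64496-64511) and addresses (documentation prefixes) are constructed; a deployed system would replace them with route-collector feeds, a prefix-to-AS lookup, and traceroutes from many vantage points, and would whitelist legitimate multi-origin (MOAS) prefixes before raising an alarm.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

# ---- Control plane: passive BGP observations (hypothetical record layout) ----

@dataclass(frozen=True)
class Announcement:
    peer_asn: int              # ASN of the collector peer that exported the route
    prefix: str                # announced prefix, e.g. "203.0.113.0/24"
    as_path: Tuple[int, ...]   # AS path seen by the peer; last element is the origin AS

@dataclass(frozen=True)
class Alert:
    prefix: str
    suspect_origin: int
    legit_origins: FrozenSet[int]
    kind: str
    as_path: Tuple[int, ...]

def build_baseline(announcements: Sequence[Announcement]) -> Dict[object, set]:
    """Map each prefix to the origin ASes observed for it during a stable window."""
    baseline: Dict[object, set] = {}
    for a in announcements:
        baseline.setdefault(ipaddress.ip_network(a.prefix), set()).add(a.as_path[-1])
    return baseline

def control_plane_alerts(baseline: Dict[object, set],
                         announcements: Sequence[Announcement]) -> List[Alert]:
    """Flag routes whose origin AS is not among the origins recorded for the same
    prefix or for any covering (less-specific) prefix in the baseline."""
    alerts: List[Alert] = []
    for a in announcements:
        net = ipaddress.ip_network(a.prefix)
        origin = a.as_path[-1]
        covering = [p for p in baseline if net.subnet_of(p)]  # exact match counts too
        if not covering:
            continue  # no history for this address space: nothing to compare against
        legit = frozenset().union(*(baseline[p] for p in covering))
        if origin in legit:
            continue
        kind = "origin change (MOAS) candidate" if net in baseline else "sub-prefix hijack candidate"
        alerts.append(Alert(a.prefix, origin, legit, kind, a.as_path))
    return alerts

# ---- Data plane: active traceroute toward the affected prefix ----------------

def traceroute_as_path(hops: Sequence[Optional[str]], ip_to_asn: Dict[str, int]) -> List[int]:
    """Collapse hop IPs (None = no reply) into the ordered list of ASes traversed."""
    path: List[int] = []
    for hop in hops:
        asn = ip_to_asn.get(hop) if hop is not None else None
        if asn is not None and (not path or path[-1] != asn):
            path.append(asn)
    return path

def classify_data_plane(alert: Alert, hops: Sequence[Optional[str]],
                        ip_to_asn: Dict[str, int], reached_destination: bool) -> str:
    """Decide what the suspicious route does to forwarded traffic from this vantage point."""
    forwarding = traceroute_as_path(hops, ip_to_asn)
    if alert.suspect_origin not in forwarding:
        return "control-plane only: suspect AS not on the forwarding path from this vantage point"
    if reached_destination and forwarding[-1] in alert.legit_origins:
        return "interception: traffic traverses the suspect AS and is still delivered to the legitimate origin"
    if reached_destination:
        return "impersonation: traffic terminates inside the suspect AS, which answers as the destination"
    return "blackhole: traffic enters the suspect AS and the destination is unreachable"

# ---- Constructed sample data (not real measurements) -------------------------

STABLE_WINDOW = [
    Announcement(64496, "203.0.113.0/24", (64496, 64499, 64500)),
    Announcement(64497, "203.0.113.0/24", (64497, 64498, 64500)),
]
NEW_ROUTES = [
    Announcement(64497, "203.0.113.0/24", (64497, 64498, 64500)),  # legitimate re-announcement
    Announcement(64496, "203.0.113.0/25", (64496, 64511, 64510)),  # more-specific, unexpected origin
]
IP_TO_ASN = {  # constructed hop-IP to ASN mapping (stands in for a prefix-to-AS lookup)
    "198.51.100.1": 64496, "198.51.100.2": 64511, "198.51.100.3": 64510,
    "192.0.2.9": 64499, "203.0.113.10": 64500,
}
# Traceroute from the AS64496 vantage point to 203.0.113.10 after the new route appeared.
INTERCEPT_TRACE = ["198.51.100.1", "198.51.100.2", "198.51.100.3", None, "192.0.2.9", "203.0.113.10"]
CLEAN_TRACE = ["198.51.100.1", "192.0.2.9", "203.0.113.10"]

def analyze(stable, new_routes, hops, ip_to_asn, destination):
    """Run both stages: control-plane candidates, then a data-plane verdict per candidate."""
    alerts = control_plane_alerts(build_baseline(stable), new_routes)
    reached = bool(hops) and hops[-1] == destination
    verdicts = {a.prefix: classify_data_plane(a, hops, ip_to_asn, reached) for a in alerts}
    return alerts, verdicts

if __name__ == "__main__":
    alerts, verdicts = analyze(STABLE_WINDOW, NEW_ROUTES, INTERCEPT_TRACE, IP_TO_ASN, "203.0.113.10")
    for a in alerts:
        print(f"{a.prefix}: {a.kind} (origin AS{a.suspect_origin}, expected {sorted(a.legit_origins)})")
        print("  ->", verdicts[a.prefix])
```

The control-plane stage alone only yields candidates: a more-specific from a new origin can be a legitimate delegation or a new multi-homing arrangement, which is why the verdict is deferred to the traceroute. The data-plane stage is also vantage-point dependent; the same candidate can look like interception from one collector peer and have no visible effect from another, so a real pipeline would run the traceroute from several sources and aggregate before reporting.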