...

Prefix hijacking is a common phenomenon in the Internet that often causes routing problems and economic losses [13]. ARTEMIS [1,10] is a tool that enables network administrators to detect in real time and automatically mitigate prefix hijacking incidents against their own prefixes, employing self-monitoring at the AS level. ARTEMIS is based on real-time monitoring of BGP data in the Internet and can completely mitigate a prefix hijacking within a few minutes (e.g., 5-6 minutes in the initial experiments with the PEERING testbed [2]) after it has been launched. This fast response time enables legitimate ASes to quickly counter the hijack based on data they observe themselves on the control plane.

The goal of this project is to implement the ARTEMIS system as a multi-module application running on top of ONOS [9], using the prior work and code base of the SDN-IP project [3,8], and to test the system over a real BGP testbed such as PEERING [2]. The final objective is to have an open-source implementation of ARTEMIS running on top of a popular production-grade Network Operating System. This implementation will then enable researchers and operators to test miscellaneous BGP prefix hijacking mitigation strategies over real-world testbeds and production networks, and to extract results that are relevant to today's ISP operations; such results would otherwise not be possible to produce.

...

ARTEMIS consists of three components: a detection, a mitigation, and a monitoring service as shown in Fig. 1.
The detection service runs continuously and combines control plane information from the AS itself, Periscope [7] (a looking-glass API), the streaming services of RIPE RIS [4] and BGPstream (from RIPE RIS and RouteViews) [6], as well as BGPmon [5], which return in (near) real time BGP routes/updates for a given list of prefixes and ASNs. Because multiple sources are combined, the delay of the detection phase is the minimum of the delays of these sources. The system can be parameterized (e.g., selecting LGs based on location or connectivity) to achieve trade-offs between monitoring overhead and detection efficiency/speed.

When a prefix hijacking is detected, ARTEMIS launches the mitigation service, which changes the configuration of the BGP routers to announce the de-aggregated sub-prefixes of the hijacked prefix. ARTEMIS therefore assumes permission to send BGP advertisements for the owned prefixes from the network's BGP routers. This can be accomplished by running ARTEMIS as an application-level module (or set of modules) over a network controller that supports BGP, like ONOS [9]. Prefix de-aggregation is effective for hijacks of prefixes less specific than /24, but it might not work for /24 prefixes, since advertisements of prefixes more specific than /24 are typically filtered by some ISPs.

Although ARTEMIS was first tested in a non-SDN environment with the basic mitigation strategy of automatic prefix de-aggregation in mind, its modular design lets it support several extensions to its monitoring, detection and mitigation modules. These extensions, e.g., employing anycast MOAS (Multi-Origin AS announcements) and/or remote peering in order to attract the hijacked traffic back to its legitimate owner during the mitigation phase, will also be researched as extra modules built over the ONOS platform.

In parallel to the mitigation, a monitoring service runs to provide real-time information about the mitigation process. This service again uses data from Periscope, RIPE RIS, BGPstream and BGPmon to monitor and visualize the mitigation.

...

The following code block shows an example of the JSON configuration format for ARTEMIS as used in the demo topology (the demo is described later).

network-cfg.json:

"org.onosproject.artemis" : {
    "artemis" : {
        "prefixes" : [
            {
                "prefix" : "40.0.0.0/8",
                "paths" : [
                    {
                        "origin" : 65004,
                        "neighbor" : [
                            {
                                "asn" : 65002,
                                "neighbor" : [ 65001 ]
                            }
                        ]
                    }
                ],
                "moas" : [ ]
            }
        ],
        "frequency" : 3000,
        "monitors" : {
            "ripe" : [ ],
            "exabgp" : [ "192.168.1.2:5000" ]
        }
    }
}

Explanation of Fields

...

  • prefixes: list of prefixes with their AS-PATH information and legitimate MOAS ASes

    • prefix: a CIDR representation of the prefix to monitor

    • paths: a list of dictionaries, each containing the origin ASN of the prefix and a list of dictionaries for the origin's neighbors.

      • neighbor: list of dictionaries, each containing a neighbor's ASN and a list of ASNs for that neighbor's neighbors.
        For example in the demo topology the protected AS has origin ASN of 65004 and a neighbor with ASN 65002 who also has a neighbor with ASN 65001 (65004 - 65002 - 65001).

    • moas: *in-progress*

  • frequency: polling interval in milliseconds at which the detection mechanism checks the memory-stored BGP Update messages. In the demo configuration it checks every 3 seconds.
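As an added illustration (not ONOS or ARTEMIS project code), the following Python snippet reads a constructed copy of the prefix configuration above, classifies constructed BGP announcements the way the detection service would (origin, sub-prefix and path checks against the configured origin/neighbor information), and applies the de-aggregation rule from the mitigation description; the function names, the sample AS paths and the /24 cut-off parameter are assumptions made for this example.

```python
import ipaddress

# Constructed copy of the "artemis" section of the demo network-cfg.json above.
DEMO_CFG = {
    "prefixes": [{
        "prefix": "40.0.0.0/8",
        "paths": [{"origin": 65004,
                   "neighbor": [{"asn": 65002, "neighbor": [65001]}]}],
        "moas": [],
    }],
    "frequency": 3000,
}

def legit_origins(entry):
    """Origin ASNs allowed for a configured prefix: path origins plus MOAS ASes."""
    return {p["origin"] for p in entry["paths"]} | set(entry["moas"])

def legit_first_hops(entry, origin):
    """Neighbor ASNs that may appear right before a legitimate origin in the path."""
    return {n["asn"] for p in entry["paths"] if p["origin"] == origin
            for n in p["neighbor"]}

def check_update(cfg, prefix, as_path):
    """Classify one announcement seen by a monitor. as_path runs from the
    monitor's vantage point to the origin, e.g. [65001, 65002, 65004].
    Returns a hijack type, or None when the announcement is legitimate or
    concerns a prefix that is not monitored."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for entry in cfg["prefixes"]:
        own = ipaddress.ip_network(entry["prefix"])
        if net.version != own.version or not net.subnet_of(own):
            continue
        if origin not in legit_origins(entry):
            return "origin hijack" if net == own else "sub-prefix hijack"
        if len(as_path) > 1 and as_path[-2] not in legit_first_hops(entry, origin):
            return "path hijack"
    return None

def deaggregate(prefix, max_len=24):
    """Mitigation step: announce the two halves of the hijacked prefix, but
    stop at /24 because more-specific announcements are commonly filtered."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen >= max_len:
        return []
    return [str(sub) for sub in net.subnets(prefixlen_diff=1)]
```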

...

The picture that follows shows the topology that is set up by the topo.py file inside the tutorial folder. The BGP speakers are Quagga routers and the route collector is an ExaBGP router running a custom script to replicate the behavior of a RIPE route collector.


(Figure: demo topology)
  • AS65001
    Intermediate AS that consists of a BGP speaker (R1), an L2 switch, a host (H1) and an ExaBGP route collector (RC).

    • R1: announces 10.0.0.0/8 and is a neighbor of AS65003 and AS65002. It also has the ExaBGP RC as an iBGP neighbor and propagates BGP Update messages to it.

    • ExaBGP RC: connected to R1 and also to the ONOS controller in the protected AS (in the real world this connection goes through the underlying network; the only limitation is that the IP endpoint of ONOS must have a non-hijacked IP address so that the monitor can reach ONOS during the hijack).

    • H1 / 10.0.0.100: host that communicates with the host inside the protected AS. It provides a visualization of the data-plane behavior when the BGP hijack occurs.

  • AS65002
    Intermediate AS that consists of a BGP speaker announcing 20.0.0.0/8; its purpose is to add an additional hop to the AS-PATH so that the protected AS is hijackable (due to the shortest-path preference in AS65001).

  • AS65003
    Hijacker AS that consists of a BGP speaker (R3).

    • R3: announcing the prefix of the protected AS (40.0.0.0/8) from this BGP speaker causes a BGP hijack, and all traffic generated from AS65001 towards that prefix is redirected to the network of AS65003.

  • AS65004
    Protected AS running ONOS. It consists of a BGP speaker, an OVS switch, a host and the ONOS instance.

    • R4: BGP speaker announcing 40.0.0.0/8. It is connected to its neighbor through the OVS switch, which is configured by the SDN-IP application to talk with the BGP speaker of AS65002.

    • OVS: talks with ONOS on a management interface in the 192.168.0.0/24 subnet.

    • ONOS: connected with the BGP speaker to retrieve the BGP routing table. It also receives the BGP Update messages from the ExaBGP router and has a link to the OVS to send flow rules and receive packet-ins.

    • H4 / 40.0.0.100: host that receives traffic from the host in AS65001 with the help of the reactive-routing application.

Running the Demo

Install the ExaBGP Python library by doing these steps: 

$ cd ~
$ git clone https://github.com/Exa-Networks/exabgp
$ cd exabgp; git checkout 3.4
$ echo 'export PATH=$PATH:~/exabgp/sbin' >> ~/.bashrc
$ source ~/.bashrc

...

Install the Quagga software routing suite through apt-get:

$ sudo apt-get install quagga -y

Download and install the mininet emulation platform:

$ cd ~
$ git clone https://github.com/mininet/mininet
$ cd mininet; git checkout 2.2.2
$ ./util/install.sh -fnv

Install Java 8 (needed by ONOS in the next steps):

$ sudo apt-get install software-properties-common -y
$ sudo add-apt-repository ppa:webupd8team/java -y
$ sudo apt-get update
$ echo "oracle-java8-installer shared/accepted-oracle-license-v1-1 select true" | sudo debconf-set-selections && \
    sudo apt-get install oracle-java8-installer oracle-java8-set-default -y

...

$ cd ~
$ git clone https://github.com/opennetworkinglab/onos.git
$ echo '. ~/onos/tools/dev/bash_profile' >> ~/.bashrc
$ source ~/.bashrc

Install pip3 and the required Python packages, and set the configuration used by ExaBGP:

...

Note: you should disable networking in order to avoid interfaces swapping IP addresses!
Pass the network configuration with onos-netcfg and log in to the ONOS CLI:

$ onos-netcfg localhost ~/onos/tools/tutorials/artemis/configs/network-cfg.json
$ onos localhost

Run ARTEMIS inside the ONOS CLI (it requires reactive-routing as a prerequisite application):

onos> app activate org.onosproject.reactive-routing
onos> app activate org.onosproject.artemis

Check that the BGP routes are complete (they should include 10.0.0.0/8, 20.0.0.0/8, 30.0.0.0/8 and 40.0.0.0/8; if not, restart the topology. Convergence takes some time (~1-2 min)):

...

Now that the topology is running, through the mininet CLI you can connect to the hosts to check connectivity and to the BGP speakers to modify the BGP control plane. To hijack the prefix of our protected AS:

1. Connect to the BGP speaker named R3: 

mininet> xterm R3          (opens a new terminal window on the R3 node)
R3> telnet localhost bgpd

...

R3> sdnip                  (this is the bgpd password)
R3> enable
R3# configure terminal
R3(config)# router bgp 65003
R3(config-router)# network 40.0.0.0/8

Now the hijacker will attract all the traffic from AS65001 destined to 40.0.0.0/8; in parallel, the ExaBGP speaker sends the BGP update of the hijack (among other updates) to the ONOS instance (running ARTEMIS), which detects the hijack.

In the logs you will see that the attack is detected and that the de-aggregation mechanism has mitigated it (by announcing 40.0.0.0/9 and 40.128.0.0/9 from the BGP speaker of the protected AS).

After BGP converges and the control and data planes are consistent, the traffic of AS65001, destined to 40.0.0.0/8, returns to our protected AS.

...

Demo video: https://www.youtube.com/watch?v=VeFeqbcviUE

https://goo.gl/UZREBe

References

[1] G. Chaviaras, P. Gigis, P. Sermpezis, and X. Dimitropoulos, “ARTEMIS: Real-Time Detection and Automatic Mitigation for BGP Prefix Hijacking (demo)”, in ACM SIGCOMM, 2016 (url: http://www.inspire.edu.gr/wp-content/pdfs/PavlosSIGCOMM2016.pdf)

[2] “About PEERING - The BGP Testbed”, https://peering.usc.edu/

[3] “SDN-IP”, https://wiki.onosproject.org/display/ONOS/SDN-IP

[4] “RIPE RIS - Streaming Service”, https://labs.ripe.net/Members/colin_petrie/updates-to-the-ripe-ncc-routing-information-service 

[5] “BGPmon”,  http://www.bgpmon.io 

[6] “BGPstream”, https://bgpstream.caida.org/  

[7] V. Giotsas, A. Dhamdhere, and K. Claffy, “Periscope: Unifying looking glass querying”, in Proc. PAM, 2016

[8] Lin, Pingping, et al., "Seamless interworking of SDN and IP", in ACM SIGCOMM Computer Communication Review. Vol. 43. No. 4. ACM, 2013.

[9] Berde, Pankaj, et al. "ONOS: towards an open, distributed SDN OS", Proceedings of the third workshop on Hot topics in software defined networking, ACM, 2014.

[10] “ARTEMIS demo”, http://inspire.edu.gr/artemis

[11] “Mininet: An Instant Virtual Network on your Laptop (or other PC)“, http://mininet.org/ 

[12] “GNS3: The software that empowers network professionals”, https://www.gns3.com/ 

[13] “Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins”, https://www.wired.com/2014/08/isp-bitcoin-theft/ 

[14] “Internet Security Privacy and Intelligence Research Group”, http://www.inspire.edu.gr/