Project Summary: TWC: TTP Option: Small: Collaborative: Detecting and Characterizing Internet Traffic Interception based on BGP Hijacking
Abstract
Recent reports have highlighted incidents of massive Internet traffic interception executed by rerouting BGP paths across the globe (affecting banks, governments, entire network service providers, etc.). The potential impact of these attacks can range from massive eavesdropping to identity spoofing or selective content modification. In addition, executing such attacks does not require access or proximity to the affected links and networks, posing increasing risks to national security. Worse yet, the impact of traffic interception on the Internet is practically unknown, with even large-scale and long-lasting events apparently going unnoticed by the victims. As reported by Renesys Corporation in November of last year, there is evidence that traffic interception events are growing more frequent, but there are no validated methods to immediately detect them or evaluate their impact. The architectural innovation that mitigates the inherent protocol design flaw exploited by such attacks is slow to take off, suggesting that this vulnerability will persist, leaving our critical communication infrastructure exposed. Because of their complex dynamics, and the number of different actors involved on a global scale, devising effective methodologies for the detection and characterization of traffic interception events requires empirical and timely data (e.g., acquired while the event is still ongoing). Such data must be a combination of passive BGP measurements and active measurements (such as traceroutes), since the mechanism triggering the attack operates on the inter-domain routing control plane, but the actual impact is only verifiable in the data plane.
By leveraging our experience in measuring and investigating events affecting inter-domain communication and leveraging our measurement and data processing infrastructure, we propose to: (i) investigate, develop, and experimentally evaluate novel methodologies to automatically detect traffic interception events and to characterize their extent, frequency, and impact; (ii) extend our measurement infrastructure to detect in near-real-time and report episodes of traffic interception based on BGP hijacking; (iii) document such events, providing datasets to researchers as well as informing operators, emergency-response teams, law-enforcement agencies, and policy makers. In characterizing their impact, we will quantify increased latency along observed paths, the magnitude of the incident in terms of the number of ASes and prefixes intercepted, and the social/political implications of interceptions that take traffic across national borders. We will augment our active measurement framework with algorithmic simulations of BGP routing policies, and qualitative analysis of the organizations involved, to better understand both the technical and political effects of hijacks. The intellectual merit of our proposal lies in our proposed approach to developing scientific methods that can detect and characterize the impact of traffic interception attacks, as well as technology and infrastructure that can demonstrate the value of the developed methods. The results of this project will include efficient techniques for early detection of such events, providing a foundation for future development of reaction and mitigation strategies, and enabling more rigorous pursuit of cybersecurity research. Broader impacts. Our goal is to advance Internet infrastructure security by creating novel methodologies and instrumentation, as well as improving our understanding of phenomena such as traffic interception.
We will inform operators as well as law-enforcement agencies and policy makers with timely empirical data. We will engage faculty, a postdoc, and a graduate student in our project activities, and potentially create collaborations with universities to provide experimental use of our tools and data, creating an immediate link between research and education. We will disseminate project results via conferences, web sites, archived video lectures and blogs.
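As an added example (not code from the proposal or its measurement infrastructure), the following Python sketch shows the control-plane/data-plane combination the abstract argues for: a BGP update is flagged when its origin, or the AS adjacent to the origin, departs from a historical baseline, and a traceroute taken after the announcement decides whether the suspect AS blackholes the traffic or forwards it on, recording the added latency. All prefixes, ASNs and RTT values are constructed.

```python
from dataclasses import dataclass

# Constructed baseline from historical routing tables: expected origin AS per prefix
# and the upstream ASes historically seen adjacent to that origin.
BASELINE = {"203.0.113.0/24": {"origin": 64500, "neighbours": {64520}}}

@dataclass
class Finding:
    prefix: str
    suspect_asn: int
    reason: str
    classification: str = "unconfirmed"  # unconfirmed / blackhole / interception
    latency_increase_ms: float = 0.0

def control_plane_check(prefix, as_path, baseline=BASELINE):
    """Flag a BGP path whose origin, or origin-adjacent AS, departs from the baseline."""
    expected = baseline.get(prefix)
    if expected is None or not as_path:
        return None
    origin = as_path[-1]
    if origin != expected["origin"]:
        return Finding(prefix, origin, "origin AS differs from baseline")
    if len(as_path) > 1 and as_path[-2] not in expected["neighbours"]:
        return Finding(prefix, as_path[-2], "unseen AS adjacent to legitimate origin")
    return None

def data_plane_check(finding, trace_before, trace_after, baseline=BASELINE):
    """Confirm with traceroutes: hops are (asn, rtt_ms); the last hop is the responder."""
    hops_after = [asn for asn, _ in trace_after]
    if finding.suspect_asn not in hops_after:
        return finding  # control-plane alarm only, no data-plane evidence yet
    if baseline[finding.prefix]["origin"] not in hops_after:
        finding.classification = "blackhole"  # suspect absorbs traffic, never delivered
    else:
        finding.classification = "interception"  # traffic detours but still arrives
        finding.latency_increase_ms = trace_after[-1][1] - trace_before[-1][1]
    return finding

def detect(prefix, as_path, trace_before, trace_after):
    finding = control_plane_check(prefix, as_path)
    return None if finding is None else data_plane_check(finding, trace_before, trace_after)

# Constructed measurements: a clean path, then a path with AS64666 inserted next to
# the legitimate origin, and the matching traceroutes before/after the announcement.
TRACE_BEFORE = [(64510, 5.0), (64520, 12.0), (64500, 20.0)]
TRACE_AFTER = [(64510, 5.0), (64666, 90.0), (64520, 110.0), (64500, 130.0)]

if __name__ == "__main__":
    print(detect("203.0.113.0/24", [64510, 64520, 64500], TRACE_BEFORE, TRACE_BEFORE))
    print(detect("203.0.113.0/24", [64510, 64666, 64500], TRACE_BEFORE, TRACE_AFTER))
```

A real deployment would derive the baseline from collector RIBs over a window rather than a single table, and would also need the cross-border and AS/prefix-count dimensions the proposal lists.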
Similar resources
Analysis of IP Prefix Hijacking and Traffic Interception
In the Internet, BGP is the de facto inter-domain routing protocol, and it is vulnerable to a number of damaging attacks. Among these attacks, IP prefix hijacking and traffic interception are regarded as serious threats to the Internet. There have been many incidents of IP prefix hijacking in the Internet. The hijacking AS can blackhole the hijacked traffic by introducing network unreachability...
Computational Complexity of Traffic Hijacking under BGP and S-BGP
Harmful Internet hijacking incidents put in evidence how fragile the Border Gateway Protocol (BGP) is, which is used to exchange routing information between Autonomous Systems (ASes). As proved by recent research contributions, even S-BGP, the secure variant of BGP that is being deployed, is not fully able to blunt traffic attraction attacks. Given a traffic flow between two ASes, we study how ...
Evaluation of Prefix Hijacking Impact Based on Hinge-Transmit Property of BGP Routing System
BGP prefix hijacking is a serious security threat to the Internet. In a hijacking attack, the attacker tries to convince ASes to become infectors, redirecting data traffic to the attacker instead of the victim. The more infectors there are, the larger the impact of an attack. It is important to understand the root cause of why the impact of prefix hijacking differs so much between attacks...
Inter-Domain Routing with Shielded Infrastructure and Buzzer Technique
In the Internet, BGP is the de facto inter-domain routing protocol. It is unprotected against a number of attacks such as prefix hijacking and traffic interference. There have been many incidents of prefix hijacking on the Internet. Several mechanisms exist to protect BGP against these kinds of attacks, but they are not fully implemented because they require cooperation among tens of thousands of independe...
A Survey among Network Operators on BGP Prefix Hijacking
BGP prefix hijacking is a threat to Internet operators and users. Several mechanisms or modifications to BGP that protect the Internet against it have been proposed. However, the reality is that most operators have not deployed them and are reluctant to do so in the near future. Instead, they rely on basic and often inefficient proactive defenses to reduce the impact of hijacking events, or on ...