JApan Network Operators' Group

MOAI: Multiple Origin ASes Identification for IP Prefix Hijacking and Mis-Origination


BGP has several security problems.
We focus on IP prefix hijacking, a threat posed by multiple-origin AS advertisements whose final destinations are multiple organizations.
These threats have occurred since the beginning of Internet operation; many solutions have been studied and proposed, but no improvements have been made.
With the diversification of services that use BGP, such as DDoS mitigation and IP address leasing, the number of multiple-origin AS advertisements is increasing.
With conventional technology, both performance and the false detection rate are expected to deteriorate.
Therefore, we studied a method that can identify whether a multiple-origin AS advertisement is IP prefix hijacking or mis-origination, and implemented MOAI (Multiple Origin ASes Identification).
MOAI not only detects multiple-origin AS advertisements from IP prefix updates, but also filters them as benign or malicious from several perspectives.
The remaining multiple-origin AS advertisements are then scored for the likelihood that they are malicious.
As an evaluation, MOAI analysis was performed using one year of route advertisement information.
The results show that MOAI is feasible with fully operational performance.
New findings include an increase in the number of multiple-origin AS advertisements over the past 10 years, the benign nature of many of the multiple-origin AS advertisements, and the expansion of multiple-origin AS advertisements in response to several uses.
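
The detection step described above (finding multiple-origin AS advertisements in a stream of prefix updates) can be sketched as follows. This is an added example, not MOAI's code: it implements only a generic exact-prefix origin comparison, with no benign/malicious filtering or scoring, and the update tuple format, the function names and the choice to skip AS_SET origins are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample updates using documentation prefixes and ASNs (not real routing data).
# Assumed format: (peer, type, prefix, as_path); type "A" = announce, "W" = withdraw.
SAMPLE_UPDATES = [
    ("peer1", "A", "192.0.2.0/24", "64500 64501 64496"),
    ("peer2", "A", "192.0.2.0/24", "64502 64496 64496"),     # prepending, same origin
    ("peer3", "A", "192.0.2.0/24", "64503 64497"),           # second origin: MOAS
    ("peer1", "A", "198.51.100.0/24", "64500 64498"),
    ("peer2", "A", "198.51.100.0/24", "64502 64499"),        # MOAS for now ...
    ("peer2", "W", "198.51.100.0/24", ""),                   # ... cleared by withdrawal
    ("peer1", "A", "203.0.113.0/24", "64500 {64496,64497}"), # AS_SET origin, ambiguous
]

def origin(as_path):
    """Return the origin ASN (last path element), or None if empty or an AS_SET."""
    tokens = as_path.split()
    if not tokens or tokens[-1].startswith("{"):
        return None  # assumption: AS_SET origins are skipped rather than counted
    return int(tokens[-1])

def detect_moas(updates):
    """Replay updates; return {prefix: sorted origins} for prefixes with >1 current origin."""
    rib = defaultdict(dict)  # prefix -> {peer: origin ASN currently announced by that peer}
    for peer, kind, prefix, path in updates:
        net = str(ipaddress.ip_network(prefix))  # normalise and validate the prefix
        if kind == "W":
            rib[net].pop(peer, None)
            continue
        asn = origin(path)
        if asn is not None:
            rib[net][peer] = asn  # a re-announcement replaces the peer's previous route
    moas = {}
    for net, by_peer in rib.items():
        seen = set(by_peer.values())
        if len(seen) > 1:
            moas[net] = sorted(seen)
    return moas

if __name__ == "__main__":
    for net, asns in detect_moas(SAMPLE_UPDATES).items():
        print(net, "origins:", asns)
```
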


Hironori Imai (Toho University)