Poster: Investigating Autonomous Systems Recurrently Causing Unexplained (Sub)MOAS Events


Research field: Artificial Intelligence



Venue: IMC '24: Proceedings of the 2024 ACM on Internet Measurement Conference


Abstract

The Border Gateway Protocol (BGP) is the de facto routing protocol of the Internet. In BGP, networks (Autonomous Systems, ASes) advertise to neighboring ASes the IP address blocks (IP prefixes) they host and the ones hosted by other ASes towards which they have a path. Two ASes can announce themselves as the host (origin) of the same IP prefix (Multiple Origin AS prefix, MOAS). Alternatively, one AS can advertise itself as the host of an IP prefix, and another can advertise itself as the host of a subset of that same prefix (SubMOAS prefix). While MOAS and SubMOAS can be legitimate, they can also result in misdirected Internet traffic (BGP hijacking), whether the cause is intentional or not. Thus, network operators need a mechanism to differentiate between unauthorized and legitimate route announcements. The Global Routing Intelligence Platform (GRIP) is the state of the art in MOAS and SubMOAS detection. GRIP automatically detects SubMOAS and MOAS, then performs initial filtering to tag obvious benign events and reduce the number of cases to investigate. Between January 1, 2020, and January 1, 2023, GRIP detected 4.5M MOAS and SubMOAS, and classified 4.36M as benign, leaving 134k events without explanation. We call them unexplained events. Likely, there are still many benign cases in those 134k events, and only a few should generate an alert. This work aims to uncover AS behaviors that could cause benign MOAS or SubMOAS events but are not currently considered in BGP hijacking detection systems. Upon examining these GRIP events between January 1, 2020, and January 1, 2023, we find that they are primarily caused by a small number of ASes. Therefore, we manually investigate these ASes repeatedly causing MOAS and SubMOAS, leveraging the data collected by GRIP. For example, this data includes the BGP AS path attribute and RPKI status. In addition, we also use the RIPE Stat API (routing history and ASN neighbor history), as well as WHOIS data (mainly aut-num/ASNumber and inet-num/NetRange objects).
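The MOAS and SubMOAS definitions given in the abstract can be applied directly to a table of (prefix, origin AS) pairs. The following is an added example, not code from the paper or from GRIP, and it does none of GRIP's benign-event filtering; the function name `find_events`, the documentation prefixes and the reserved documentation ASNs are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (prefix, origin AS) pairs as they might be extracted
# from the last hop of BGP AS paths. Prefixes and ASNs are documentation values.
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64496),
    ("198.51.100.0/24", 64497),   # same prefix, second origin -> MOAS
    ("203.0.113.0/24", 64498),
    ("203.0.113.128/25", 64499),  # more-specific, other origin -> SubMOAS
    ("192.0.2.0/24", 64500),
    ("192.0.2.0/25", 64500),      # more-specific, same origin -> no event
    ("2001:db8::/32", 64501),
    ("2001:db8:1::/48", 64502),   # IPv6 SubMOAS
]


def find_events(announcements):
    """Return (moas, submoas) for a list of (prefix, origin_asn) pairs.

    moas:    {prefix: [origins]} for prefixes announced by more than one origin.
    submoas: sorted list of (covering_prefix, covering_origins,
             sub_prefix, sub_origins) where a strictly more-specific prefix
             has at least one origin that differs from a covering origin.
    """
    origins = defaultdict(set)
    for prefix, asn in announcements:
        origins[ipaddress.ip_network(prefix)].add(asn)

    moas = {str(p): sorted(a) for p, a in origins.items() if len(a) > 1}

    submoas = []
    for sub in origins:
        for sup in origins:
            # Only compare within one address family, and only when `sub`
            # is strictly longer, so a prefix never matches itself.
            if sub.version != sup.version or sub.prefixlen <= sup.prefixlen:
                continue
            if not sub.subnet_of(sup):
                continue
            if any(a != b for a in origins[sup] for b in origins[sub]):
                submoas.append((str(sup), sorted(origins[sup]),
                                str(sub), sorted(origins[sub])))
    return moas, sorted(submoas)


if __name__ == "__main__":
    moas, submoas = find_events(ANNOUNCEMENTS)
    print("MOAS:", moas)
    for event in submoas:
        print("SubMOAS:", event)
```

The pairwise comparison is quadratic in the number of prefixes, which is fine for a small table; a full routing table would need a prefix trie instead.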


Authors

Olivier Bemba, Georgia Institute of Technology, Atlanta, United States
Cecilia Testart, Georgia Institute of Technology, Atlanta, USA
Alberto Dainotti, Georgia Institute of Technology, Atlanta, USA

Paper information

Publication year: 2024
Citations: 0
Publication country: Georgia
Site: ACM
