摘要
在BGP网络中,如果一个自治系统(AS)宣告了并不属于它的IP地址前缀,则发生了IP地址前缀劫持。造成IP地址前缀劫持很难发现的原因主要有以下两个方面:1)对于受到前缀劫持影响的AS,当且仅当被劫持的IP地址前缀传递到它所在的AS域才能发现前缀劫持;2)对于网络中的其他AS,由于边界网关协议(BGP)缺乏安全机制验证IP地址前缀的宣告者是否确实拥有此地址,从而导致这些AS即使接收到劫持路由,也无法判断是否确实发生了前缀劫持。针对以上问题,文章提出了一种AS-IP宣告关系真实性评估方法,通过生成历史路由表的宣告关系矩阵,基于空间一致性和时间稳定性来计算AS-IP宣告关系的稳定度,以判断宣告关系的真实性,并生成AS-IP匹配关系知识库。文章对Route Views及国内运营商的路由数据进行了分析检测,实验结果表明,文章方法不但能够有效判断宣告关系真实性,生成AS-IP匹配关系知识库,而且可以有效发现前缀劫持。
In BGP network, if an autonomous system (AS) declares an IP address prefix that not belongs to it, and then the network prefix hijack occurs. There are two reasons make prefix hijack dififcult to detect: 1) Preifx hijacking will be ifnd by the hijacked AS when and only when the IP address prefix that was hijacked was transmitted to its domain. 2) Because BGP lacks security mechanism to verify the IP address declarer have this IP address, other ASes cannot conifrm the preifx hijacking even if they have got the hijacked routes. This paper presents an AS-IP declaring relationship authenticity evaluation method based on spatial consistency and temporal stability, which builds a matrix of declaring relationship according to the history routing tables, calculates a stability degree of this matrix to judge the authenticity of the declaring relationship, and generates an AS-IP matching relation knowledge base. This paper analyses and detects the routing data of RouteViews and domestic operators, and the experiments show that this method can judge the authenticity of the declaring relationship, generate a AS-IP matching relation knowledge base, and detect the prefix hijacking effectively.
出处
《信息网络安全》
2015年第11期33-39,共7页
Netinfo Security
基金
国家自然科学基金[61170285]
关键词
域间路由
宣告关系
稳定度
前缀劫持
inter-domain routing
declaring relationship
stability
preifx hijacking
