ASwatch Flashcards
a system that identifies malicious ASes using exclusively the control-plane (i.e., routing) behavior of ASes.
ASwatch
a malicious autonomous system (AS) owned by an Internet service provider that willingly hosts and protects illicit activities.
Such service providers are usually referred to as bulletproof hosting providers, due to their reluctance to address repeated abuse complaints regarding their customers and the illegal services they run.
Unfortunately, existing AS reputation systems have a number of limitations:
(1) They cannot distinguish between malicious and legitimate but abused ASes. Legitimate ASes often unwillingly host malicious network activities (e.g., C&C servers, phishing sites) simply because the machines that they host are abused.
(2) Because of the inability to distinguish between malicious and legitimate but abused ASes, it is not clear how to use the existing AS rankings to defend against malicious ASes.
(3) Existing AS reputation systems require direct observation of malicious activity from many different vantage points and for an extended period of time, thus delaying detection.
Unlike existing data-plane based reputation systems, ASwatch explicitly aims to identify malicious ASes, rather than assigning low reputation to legitimate ASes that have unfortunately been abused.
True
A malicious AS may advertise and use small blocks of its IP address space, so that as soon as one small block of IP addresses is blocked or blacklisted, a new block can be advertised and used to support malicious activities.
if it is managed and operated by cyber-criminals, and if its main purpose is to support illicit network activities (e.g., phishing, malware distribution, botnets).
Malicious AS
if its main purpose is to provide legitimate Internet services. In some cases, a legitimate AS's IP address space may be abused by cyber-criminals to host malicious activities (e.g., sending spam, hosting a botnet command-and-control server). Such abuse is distinct from those cases where cyber-criminals operate and manage the AS.
Legitimate AS
ASwatch learns the control-plane behavior of malicious and legitimate ASes
Training phase
ASwatch monitors globally visible BGP routing activity and AS relationships, to determine which ASes exhibit control-plane behavior typical of malicious ASes.
True
Things that ASwatch watches
1) Rewiring activity
2) Link Stability
3) AS presence and overall activity
4) Upstream connectivity
5) Attachment to popular providers
6) IP Space Fragmentation and Churn
7) Prefix reachability
8) Topology and policy changes
ASwatch can assign a reputation score to new ASes (i.e., ASes for which no ground truth is yet available). ASwatch computes a reputation score for each new AS observed in the BGP messages from RouteViews.
Operational Phase
Which is better? BGP Ranking or ASwatch?
We found that ASwatch detected 72% of our set of malicious ASes over a three year period, and BGP Ranking detected about 34%.
ASwatch is based on the intuition that malicious ASes exhibit "agile" control-plane behavior (e.g., short-lived routes, aggressive rewiring).
True