Bulletproof hosting Autonomous Systems (ASes)—malicious ASes fully dedicated to supporting cybercrime—provide freedom and resources for a cyber-criminal to operate. Their services include hosting a wide range of illegal content, botnet C&C servers, and other malicious resources. Thousands of new ASes are registered every year, many of which are used exclusively to facilitate cybercrime. A natural approach to squelching bulletproof hosting ASes is to develop a reputation system that can identify them for takedown by law enforcement and as input to other attack detection systems (e.g., spam filters, botnet detection systems). Unfortunately, current AS reputation systems rely primarily on data-plane monitoring of malicious activity from IP addresses (and thus can only detect malicious ASes after attacks are underway), and are not able to distinguish between malicious ASes and legitimate but abused ASes.
As a complement to these systems, in this paper we explore a fundamentally different approach to establishing AS reputation. We present a system, ASwatch, that identifies malicious ASes using exclusively the control-plane (i.e., routing) behavior of ASes. Its design is based on the intuition that, in an attempt to evade possible detection and remediation efforts, malicious ASes exhibit “agile” control-plane behavior (e.g., short-lived routes). We evaluate ASwatch on known malicious ASes; our results show that ASwatch detects up to 93% of malicious ASes with a 5% false positive rate, which is reasonable to effectively complement existing defense systems.
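To make the "short-lived routes" intuition concrete, the following is an added illustration (not the ASwatch code, and not the paper's actual feature set or classifier) of how one control-plane feature can be derived purely from BGP announce/withdraw events. It takes a constructed update log, computes per-origin-AS route lifetimes, and flags ASes whose prefixes are mostly withdrawn within a day. The 30-day window, the one-day short-lived threshold, the minimum route count and the flagging ratio are all assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed BGP update log for the example (not real routing data).
# Each record: (seconds since window start, "A"=announce / "W"=withdraw, prefix, origin AS)
UPDATES = [
    (0,    "A", "198.51.100.0/24", 64500),
    (3600, "W", "198.51.100.0/24", 64500),
    (7200, "A", "198.51.100.0/24", 64500),   # re-announced, then withdrawn again
    (9000, "W", "198.51.100.0/24", 64500),
    (100,  "A", "203.0.113.0/24",  64500),
    (2000, "W", "203.0.113.0/24",  64500),
    (0,    "A", "192.0.2.0/24",    64501),   # stable origin: never withdrawn
    (50,   "A", "192.0.2.128/25",  64501),
]
WINDOW_END = 30 * 86400   # 30-day observation window (assumed)
SHORT_LIVED = 86400       # routes alive for less than one day count as short-lived (assumed)


def route_lifetimes(updates, window_end=WINDOW_END):
    """Return {origin_as: [lifetime_seconds, ...]} built from announce/withdraw pairs.

    Routes still announced when the window closes are credited with a lifetime up to
    window_end. A withdrawal with no preceding announcement is ignored, and repeating
    an announcement for an already-live prefix does not restart its clock."""
    live = {}                          # (prefix, origin_as) -> time of announcement
    lifetimes = defaultdict(list)
    for t, event, prefix, origin in sorted(updates):   # "A" sorts before "W" at equal t
        key = (prefix, origin)
        if event == "A":
            live.setdefault(key, t)
        elif event == "W" and key in live:
            lifetimes[origin].append(t - live.pop(key))
    for (prefix, origin), start in live.items():
        lifetimes[origin].append(window_end - start)
    return dict(lifetimes)


def agility_features(lifetimes, short_threshold=SHORT_LIVED):
    """Summarise each origin AS: route count, share of short-lived routes, median lifetime."""
    feats = {}
    for origin, lts in lifetimes.items():
        short = sum(1 for x in lts if x < short_threshold)
        feats[origin] = {
            "routes": len(lts),
            "short_fraction": short / len(lts),
            "median_lifetime": median(lts),
        }
    return feats


def flag_agile(features, min_routes=2, short_fraction=0.5):
    """Origin ASes whose routing behaviour looks agile under the assumed thresholds.
    min_routes guards against flagging an AS on a single transient announcement."""
    return sorted(a for a, f in features.items()
                  if f["routes"] >= min_routes and f["short_fraction"] >= short_fraction)


if __name__ == "__main__":
    feats = agility_features(route_lifetimes(UPDATES))
    for origin, f in sorted(feats.items()):
        print(origin, f)
    print("flagged:", flag_agile(feats))
```

On the constructed log, AS 64500 withdraws every prefix within a few hours and is flagged, while AS 64501 keeps its prefixes announced for the whole window and is not. In practice such a feature would be one input among several, computed over updates from public route collectors, and the thresholds would be learned rather than fixed.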
Maria Konte is a Research Scientist at Damballa Labs. Her work is on network security with a focus on cyber-criminal infrastructures and network-level threat attribution. She is a Ph.D. student at the School of Computer Science at Georgia Tech, graduating in Fall 2015. The central part of her Ph.D. thesis work, an AS reputation system to expose bulletproof hosting ASes, is published in ACM SIGCOMM 2015 and was also presented at the NANOG62 Research Track. She received the PAM 2009 Best Paper Award for her work on the infrastructure of fast flux service networks. Prior to joining the Ph.D. program, she received an M.S. degree in Computer Science at Georgia Tech. She also holds an M.S. degree in Systems Engineering from Boston University and a Diploma in Eng. from the Industrial Engineering and Management Dept. at the Technical University of Crete. Prior to joining Damballa, she interned at Verisign Labs working with Allison Mankin.