Reflections from a MANRS Research Ambassador at APRICOT 2024
I am Thomas Holterbach, a postdoctoral researcher from the University of Strasbourg.
In February, I was honored to receive APNOG funding to attend APRICOT 2024 and present the research contributions that my colleagues and I produced while I was a MANRS Research Ambassador last year. In this blog post, I will cover my experience attending and presenting at APRICOT.
I went to APRICOT to present DFOH (https://dfoh.uclouvain.be/), a system that detects forged-origin hijacks, a particular type of routing attack that hackers use to divert users’ traffic to their network. However, having attended a few NANOG and RIPE meetings in the past, I knew that these operational conferences are also a great opportunity to chat with network operators, understand the practical problems that they face, and think about how my research can help them to make their network more performant and secure.
Funnily enough, it is actually when I attended NANOG in 2020 that I realized that BGP hijacks, and more particularly forged-origin hijacks, are an important problem and that there is a lack of tools that can accurately detect them globally. This is why I decided to work on this research problem when I started my post-doc in 2021, and be part of the MANRS initiative quickly after. Three years later, I am presenting my outcome at APRICOT, and the circle is complete.
At APRICOT, I was surprised by the diversity of the audience. One day, I chatted with a French fellow operating a small ISP in Nouvelle-Caledonie, a French Island in the Southwest Pacific Ocean, who explained to me the challenges in operating an ISP in an isolated island.
Another day, I watched presentations from people that come from countries underrepresented in the typical research conferences that I am more used to attending. I was happy to see that new technologies (such as network automation tools) were successfully used in these countries.
My presentation was on Wednesday, the second day of the conference, during APOPS-2. As always, it is a bit stressful to present in front of so many people, especially when a few of them are Internet “legends” that designed BGP decades ago. However, I usually practice many, many times before presenting, so I knew that the presentation was going to be okay, although we can always make it better. In a nutshell, our main scientific contribution is an algorithm that can detect fake AS links in AS paths in a probabilistic fashion (using artificial intelligence) as opposed to cryptographically based solutions such as BGPSec or ASPA. Detecting fake AS links is useful as they are a strong sign of a forged-origin hijack. The advantage of DFOH against the cryptographically based counterparts is that it is easy to deploy. The disadvantage is that there are false positives and false negatives.
After the presentation, one network operator came and talked to me about DFOH.
He was surprised to see that DFOH detected suspicious BGP announcements (possible forged-origin hijacks) for one of its prefixes. He could confirm to me that these announcements were indeed suspicious and useful for him. But he also told me that some suspicious cases were classified as legitimate by DFOH. Overall, the feedback received from operators was extremely valuable, and we will use it to improve the system. Among others, we plan to leverage data-plane information in our inference algorithms, and collect BGP data from more vantage points to improve our visibility over Internet routing and ensure that no BGP hijacks remain off the radar (by the way, if you are curious about that, you can check our recent HotNets’23 paper)!
Leave a Comment