TY - GEN
T1 - Concurrent prefix hijacks
T2 - 2012 ACM Internet Measurement Conference, IMC 2012
AU - Khare, Varun
AU - Ju, Qing
AU - Zhang, Beichuan
PY - 2012
Y1 - 2012
N2 - A concurrent prefix hijack happens when an unauthorized network originates IP prefixes of multiple other networks. Its extreme case is leaking the entire routing table, i.e., hijacking all the prefixes in the table. This is a well-known problem and there exists a preventive measure in practice to safeguard against it. However, we investigated and uncovered many concurrent prefix hijacks that didn't involve a full-table leak. We report these events and their impact on Internet routing. By correlating suspicious routing announcements and comparing it with a network's past routing announcements, we develop a method to detect a network's abnormal behavior of offending multiple other networks simultaneously. Applying the detection algorithm to BGP routing updates from 2003 through 2010, we identify five to twenty concurrent prefix hijacks every year, most of which are previously unknown to the research and operation communities at large. They typically hijack prefixes owned by a few tens of networks, last from a few minutes to a few hours, and pollute routes at most vantage points.
AB - A concurrent prefix hijack happens when an unauthorized network originates IP prefixes of multiple other networks. Its extreme case is leaking the entire routing table, i.e., hijacking all the prefixes in the table. This is a well-known problem and there exists a preventive measure in practice to safeguard against it. However, we investigated and uncovered many concurrent prefix hijacks that didn't involve a full-table leak. We report these events and their impact on Internet routing. By correlating suspicious routing announcements and comparing it with a network's past routing announcements, we develop a method to detect a network's abnormal behavior of offending multiple other networks simultaneously. Applying the detection algorithm to BGP routing updates from 2003 through 2010, we identify five to twenty concurrent prefix hijacks every year, most of which are previously unknown to the research and operation communities at large. They typically hijack prefixes owned by a few tens of networks, last from a few minutes to a few hours, and pollute routes at most vantage points.
KW - bgp security
KW - prefix hijacking
UR - http://www.scopus.com/inward/record.url?scp=84870928156&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84870928156&partnerID=8YFLogxK
U2 - 10.1145/2398776.2398780
DO - 10.1145/2398776.2398780
M3 - Conference contribution
AN - SCOPUS:84870928156
SN - 9781450317054
T3 - Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC
SP - 29
EP - 35
BT - IMC 2012 - Proceedings of the ACM Internet Measurement Conference
Y2 - 14 November 2012 through 16 November 2012
ER -