Detecting BGP Origin Hijacks

Using a filter-based approach


Abstract

Many processes rely on the availability of the Internet. The Border Gateway Protocol (BGP) is the protocol used to exchange routing information between routers and is essential for the operation of the Internet. Because BGP was not designed with security in mind, BGP anomalies such as origin hijacks, route leaks, and link failures occur frequently. This research proposes a detection system for origin hijacks, one of the most common anomalies seen on the Internet. Our detection system uses a filter-based approach: each filter attempts to validate the announcements seen by the detection system against one data source, and announcements that no filter can validate are classified as origin hijacks. Because an announcement is only flagged when every filter fails, origin hijacks that other solutions would miss are still detected. We use multiple data sources, namely RIR Statistics Exchange Format listings (RSEF), Internet Routing Registries, RPKI Route Origin Authorizations (ROAs) and CAIDA's AS relationship dataset, to validate announcements. Upon running our detection system on 29 days of BGP traffic, we detected 902 origin hijacks. 83% of the detected origin hijacks had a lifespan of fewer than 2.5 hours, which strongly suggests that these were undesired announcements.
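The abstract describes the pipeline but not its mechanics. The following is an added example (not the thesis's own code) of a filter chain in the spirit described: each filter validates a (prefix, origin AS) pair against one data source, and only pairs that no filter validates are reported as origin hijacks, together with their lifespan computed from announce/withdraw timestamps. All data sources, prefixes (RFC 5737 documentation ranges) and ASNs (RFC 5398 documentation ASNs) are constructed; how the thesis actually applies the RSEF listings and the CAIDA relationship data is not stated in the abstract, so the RSEF filter (prefix holder must equal ASN holder by opaque-id) and the relationship filter (origin must be a direct neighbour of an AS that another source authorizes for the prefix) are assumptions of this example. Withdrawals are simplified to close every open announcement of the prefix rather than being tracked per collector peer.

```python
"""Filter-based BGP origin-hijack detection: an illustrative, self-contained example."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_as: int


# --- Constructed data sources (documentation prefixes/ASNs, not real registry data) ---
RPKI_ROAS = [("192.0.2.0/24", 24, 64496), ("198.51.100.0/22", 24, 64497)]  # (prefix, maxLength, ASN)
IRR_ROUTES = {("192.0.2.0/24", 64496), ("203.0.113.0/24", 64498)}         # route objects
# RSEF-style delegations keyed by resource -> opaque-id of the holder (assumed usage)
RSEF_PREFIXES = {"192.0.2.0/24": "org-a", "198.51.100.0/22": "org-b", "203.0.113.0/24": "org-c"}
RSEF_ASNS = {64496: "org-a", 64497: "org-b", 64498: "org-c", 64499: "org-b"}
# CAIDA-style relationships: (as1, as2, rel) with rel -1 = as1 is provider of as2, 0 = peers
AS_RELS = [(64497, 64499, -1), (64498, 64502, -1)]


def _covers(block, maxlen, net):
    """True if net is within block and no longer than maxlen (RFC 6811 coverage rule)."""
    blk = ipaddress.ip_network(block)
    return blk.version == net.version and net.subnet_of(blk) and net.prefixlen <= maxlen


def rpki_filter(a):
    """RFC 6811 'valid': a covering ROA whose ASN equals the origin."""
    net = ipaddress.ip_network(a.prefix)
    return any(_covers(p, ml, net) and asn == a.origin_as for p, ml, asn in RPKI_ROAS)


def irr_filter(a):
    """A route object registers exactly this prefix with this origin."""
    return (a.prefix, a.origin_as) in IRR_ROUTES


def rsef_holder(prefix):
    """Holder (opaque-id) of the most specific delegated block covering the prefix."""
    net = ipaddress.ip_network(prefix)
    best = None
    for p, org in RSEF_PREFIXES.items():
        blk = ipaddress.ip_network(p)
        if blk.version == net.version and net.subnet_of(blk) and (best is None or blk.prefixlen > best[0]):
            best = (blk.prefixlen, org)
    return best[1] if best else None


def rsef_filter(a):
    """Assumption: prefix and origin ASN are delegated to the same holder."""
    holder = rsef_holder(a.prefix)
    return holder is not None and RSEF_ASNS.get(a.origin_as) == holder


def authorized_origins(prefix):
    """ASNs that RPKI, IRR or RSEF associate with the prefix."""
    net = ipaddress.ip_network(prefix)
    asns = {asn for p, ml, asn in RPKI_ROAS if _covers(p, ml, net)}
    asns |= {asn for p, asn in IRR_ROUTES if p == prefix}
    holder = rsef_holder(prefix)
    if holder:
        asns |= {asn for asn, h in RSEF_ASNS.items() if h == holder}
    return asns


def neighbours(asn):
    return {b if a == asn else a for a, b, _ in AS_RELS if asn in (a, b)}


def relationship_filter(a):
    """Assumption: origin is a direct customer/provider/peer of an authorized origin."""
    return bool(neighbours(a.origin_as) & authorized_origins(a.prefix))


FILTERS = [("rpki", rpki_filter), ("irr", irr_filter), ("rsef", rsef_filter),
           ("as-relationship", relationship_filter)]


def validated_by(a):
    """Name of the first filter that validates the announcement, or None (= origin hijack)."""
    return next((name for name, f in FILTERS if f(a)), None)


def detect_hijacks(updates, window_end):
    """updates: (timestamp, 'A'|'W', prefix, origin_as). Returns unverified announcements with lifespan."""
    open_ann, closed = {}, []
    for ts, kind, prefix, origin in sorted(updates):
        if kind == "A":
            open_ann.setdefault((prefix, origin), ts)
        else:  # simplification: a withdrawal closes every open announcement of the prefix
            for key in [k for k in open_ann if k[0] == prefix]:
                closed.append((key, open_ann.pop(key), ts))
    closed += [(key, start, window_end) for key, start in open_ann.items()]
    return [{"prefix": p, "origin_as": o, "lifespan": end - start}
            for (p, o), start, end in closed if validated_by(Announcement(p, o)) is None]


def short_lived_fraction(hijacks, limit=timedelta(hours=2.5)):
    return sum(h["lifespan"] < limit for h in hijacks) / len(hijacks) if hijacks else 0.0


# Constructed update stream: one legitimate origin per prefix plus two bogus origins.
T0 = datetime(2024, 1, 1)
SAMPLE_UPDATES = [
    (T0, "A", "192.0.2.0/24", 64496),
    (T0 + timedelta(minutes=10), "A", "192.0.2.0/24", 64500),      # unauthorized origin
    (T0 + timedelta(minutes=20), "A", "198.51.100.0/24", 64499),   # RPKI-invalid but RSEF-validated
    (T0 + timedelta(minutes=30), "A", "203.0.113.0/24", 64498),
    (T0 + timedelta(minutes=40), "A", "203.0.113.0/24", 64501),    # unauthorized origin, never withdrawn
    (T0 + timedelta(minutes=50), "A", "203.0.113.0/24", 64502),    # customer of 64498
    (T0 + timedelta(minutes=90), "W", "192.0.2.0/24", 0),
]
WINDOW_END = T0 + timedelta(days=1)


def run_sample():
    return detect_hijacks(SAMPLE_UPDATES, WINDOW_END)


if __name__ == "__main__":
    for h in run_sample():
        print(h["prefix"], h["origin_as"], h["lifespan"])
```

Note that the 64499 announcement is RPKI-invalid (covered by a ROA for a different ASN) yet is validated by the RSEF filter, which is the point of chaining filters instead of stopping at the first negative result: the abstract's "announcements that could not be verified by any filter" rule avoids reporting it as a hijack.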
