Concurrent prefix hijacks: Occurrence and impacts

Varun Khare, Qing Ju, Beichuan Zhang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

13 Citations (Scopus)

Abstract

A concurrent prefix hijack happens when an unauthorized network originates IP prefixes of multiple other networks. Its extreme case is leaking the entire routing table, i.e., hijacking all the prefixes in the table. This is a well-known problem and there exists a preventive measure in practice to safeguard against it. However, we investigated and uncovered many concurrent prefix hijacks that didn't involve a full-table leak. We report these events and their impact on Internet routing. By correlating suspicious routing announcements and comparing them with a network's past routing announcements, we develop a method to detect a network's abnormal behavior of offending multiple other networks simultaneously. Applying the detection algorithm to BGP routing updates from 2003 through 2010, we identify five to twenty concurrent prefix hijacks every year, most of which are previously unknown to the research and operation communities at large. They typically hijack prefixes owned by a few tens of networks, last from a few minutes to a few hours, and pollute routes at most vantage points.

Original language: English (US)
Title of host publication: Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC
Pages: 29-35
Number of pages: 7
DOIs: https://doi.org/10.1145/2398776.2398780
State: Published - 2012
Event: 2012 ACM Internet Measurement Conference, IMC 2012 - Boston, MA, United States
Duration: Nov 14 2012 to Nov 16 2012

Other

Other: 2012 ACM Internet Measurement Conference, IMC 2012
Country: United States
City: Boston, MA
Period: 11/14/12 to 11/16/12

Fingerprint

Network routing
Internet

Keywords

  • bgp security
  • prefix hijacking

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Khare, V., Ju, Q., & Zhang, B. (2012). Concurrent prefix hijacks: Occurrence and impacts. In Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC (pp. 29-35) https://doi.org/10.1145/2398776.2398780

@inproceedings{47689a08beea4317b919aef366cc845c,
title = "Concurrent prefix hijacks: Occurrence and impacts",
keywords = "bgp security, prefix hijacking",
author = "Varun Khare and Qing Ju and Beichuan Zhang",
year = "2012",
doi = "10.1145/2398776.2398780",
language = "English (US)",
isbn = "9781450317054",
pages = "29--35",
booktitle = "Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC",

}

TY - GEN

T1 - Concurrent prefix hijacks

T2 - Occurrence and impacts

AU - Khare, Varun

AU - Ju, Qing

AU - Zhang, Beichuan

PY - 2012

Y1 - 2012

KW - bgp security

KW - prefix hijacking

UR - http://www.scopus.com/inward/record.url?scp=84870928156&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84870928156&partnerID=8YFLogxK

U2 - 10.1145/2398776.2398780

DO - 10.1145/2398776.2398780

M3 - Conference contribution

AN - SCOPUS:84870928156

SN - 9781450317054

SP - 29

EP - 35

BT - Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC

ER -