IP prefix hijacking detection using idle scan

  • Authors:
  • Seong-Cheol Hong;Hong-Taek Ju;James W. Hong

  • Affiliations:
  • Dept. of Computer Science and Engineering, POSTECH, Korea;Dept. of Computer Engineering, Keimyung University, Korea;Dept. of Computer Science and Engineering, POSTECH, Korea

  • Venue:
  • APNOMS'09 Proceedings of the 12th Asia-Pacific network operations and management conference on Management enabling the future internet for changing business and new computing services
  • Year:
  • 2009

Quantified Score

Hi-index 0.00



The Internet is comprised of a lot of interconnected networks communicating reachability information using BGP. Due to the design based on trust between networks, IP prefix hijacking can occurs, which is caused by wrong routing information. This results in a serious security threat in the Internet routing system. In this paper, we present an effective and practical approach for detecting IP prefix hijacking without major change to the current routing infrastructure. To detect IP prefix hijacking event, we are monitoring routing update messages that show wrong announcement of IP prefix origin. When a suspicious BGP update that causes MOAS conflict is received, the detection system starts idle scan for IP ID probing so that distinguish IP prefix hijacking event from legitimate routing update.