Concurrent prefix hijacks: occurrence and impacts

  • Authors:
  • Varun Khare;Qing Ju;Beichuan Zhang

  • Affiliations:
  • University of Arizona, Tucson, USA;University of Arizona, Tucson, USA;University of Arizona, Tucson, USA

  • Venue:
  • Proceedings of the 2012 ACM conference on Internet measurement conference
  • Year:
  • 2012

Quantified Score

Hi-index 0.00

Visualization

Abstract

A concurrent prefix hijack happens when an unauthorized network originates IP prefixes of multiple other networks. Its extreme case is leaking the entire routing table, i.e., hijacking all the prefixes in the table. This is a well-known problem and there exists a preventive measure in practice to safeguard against it. However, we investigated and uncovered many concurrent prefix hijacks that didn't involve a full-table leak. We report these events and their impact on Internet routing. y correlating suspicious routing announcements and comparing it with a network's past routing announcements, we develop a method to detect a network's abnormal behavior of offending multiple other networks simultaneously. Applying the detection algorithm to BGP routing updates from 2003 through 2010, we identify five to twenty concurrent prefix hijacks every year, most of which are previously unknown to the research and operation communities at large. They typically hijack prefixes owned by a few tens of networks, last from a few minutes to a few hours, and pollute routes at most vantage points.