Accurate Real-time Identification of IP Prefix Hijacking

  • Authors:
  • Xin Hu;Z. Morley Mao

  • Affiliations:
  • University of Michigan;University of Michigan

  • Venue:
  • SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
  • Year:
  • 2007

Quantified Score

Hi-index 0.00



We present novel and practical techniques to accurately detect IP prefix hijacking attacks in real time to facilitate mitigation. Attacks may hijack victim's address space to disrupt network services or perpetrate malicious activities such as spamming and DoS attacks without disclosing identity. We propose novel ways to significantly improve the detection accuracy by combining analysis of passively collected BGP routing updates with data plane ingerprints of suspicious prefixes. The key insight is to use data plane information in the form of edge network ingerprinting to disambiguate suspect IP hijacking incidences based on routing anomaly detection. Conflicts in data plane ingerprints provide much more definitive evidence of successful IP pre- fix hijacking. Utilizing multiple real-time BGP feeds, we demonstrate the ability of our system to distinguish between legitimate routing changes and actual attacks. Strong correlation with addresses that originate spam emails from a spam honeypot confirms the accuracy of our techniques.