
An accurate distributed scheme for detection of prefix interception

A distributed scheme for accurately detecting BGP prefix interception attacks


Previous research in interdomain routing security has often focused on prefix hijacking. However, several prefix interception events have happened lately, which pose a new security challenge to the interdomain routing system. Compared to prefix hijacking, prefix interception is much harder to detect, as it avoids a black hole by forwarding the hijacked traffic back to the victim. In this paper, we present a novel method to detect prefix interception. Our approach exploits a key observation about prefix interception: during a prefix interception event, the attacker detours the intercepted traffic through its network, which turns it into a new important “transit point” for access to the victim. By collecting data plane information to detect the emerging “transit point” and using control plane information to verify it, our scheme can identify prefix interception in real time. The results of Internet experiments and Internet-scale simulations show that our method is accurate, with a low false alarm rate (0.28%) and false negative rate (2.26%).



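  1. Comprehensively classify prefix interception based on BGP route hijacking, and build a BGP prefix interception attack model.

  2. Analyze BGP prefix interception events and extract the key attack characteristics of BGP prefix interception.

  3. Study the changes in AS in-degree and out-degree during prefix interception, and propose a distributed algorithm, based on the Pareto distribution, for detecting anomalous Upstart-ASes.

  4.

  5. Verify the accuracy of the detection algorithm through Internet experiments and large-scale simulations.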
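The two-stage idea from the abstract (spot an emerging transit point in data-plane paths, then check it against control-plane history) can be sketched as follows. This is an added, simplified example and not the paper's algorithm: the fixed in-degree threshold stands in for the Pareto-based test, the verification rule is an assumption, and all AS numbers and paths are constructed.

```python
from collections import defaultdict

VICTIM = 64500  # constructed AS numbers throughout

def in_degree(paths, victim):
    """Data plane: distinct previous-hop ASes feeding each transit AS toward victim."""
    preds = defaultdict(set)
    for path in paths:
        if not path or path[-1] != victim:
            continue  # probe never reached the victim, so it says nothing here
        for prev, cur in zip(path, path[1:]):
            if cur != victim:
                preds[cur].add(prev)
    return {asn: len(p) for asn, p in preds.items()}

def upstart_candidates(baseline, current, victim, min_gain=2):
    """ASes whose in-degree toward the victim grew by >= min_gain (assumed threshold)."""
    before, after = in_degree(baseline, victim), in_degree(current, victim)
    return sorted(a for a, d in after.items() if d - before.get(a, 0) >= min_gain)

def verify(candidates, bgp_history):
    """Control plane (assumed rule): keep only candidates never seen as transit
    for the victim prefix in previously observed BGP AS paths."""
    known = {asn for path in bgp_history for asn in path[1:-1]}
    return [a for a in candidates if a not in known]

def detect(baseline, current, victim=VICTIM):
    # Baseline AS-level traceroutes double as the BGP history in this toy setup.
    return verify(upstart_candidates(baseline, current, victim), baseline)

# Constructed AS-level paths from five vantage points to the victim.
BASELINE = [[64511, 64601, 64700, 64500], [64512, 64601, 64700, 64500],
            [64513, 64602, 64700, 64500], [64514, 64602, 64700, 64500],
            [64515, 64603, 64700, 64500]]
# AS 64666 detours three of the paths through itself, then forwards to the victim.
INTERCEPTED = [[64511, 64601, 64666, 64700, 64500], [64512, 64601, 64666, 64700, 64500],
               [64513, 64602, 64666, 64700, 64500], [64514, 64602, 64700, 64500],
               [64515, 64603, 64700, 64500]]
# Benign shift: two vantage points move to an already-known transit AS.
REROUTED = [[64511, 64601, 64700, 64500], [64512, 64601, 64700, 64500],
            [64513, 64603, 64700, 64500], [64514, 64603, 64700, 64500],
            [64515, 64603, 64700, 64500]]

if __name__ == "__main__":
    print("interception:", detect(BASELINE, INTERCEPTED))  # flags the new transit AS
    print("benign shift:", detect(BASELINE, REROUTED))     # candidate cleared by history
```

The benign case shows why the second stage matters: AS 64603 also gains in-degree, but it is already a known transit AS for the prefix, so only the data-plane signal fires.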




Author information

Correspondence to Haixin Duan.


Cite this article

Li, S., Duan, H., Wang, Z. et al. An accurate distributed scheme for detection of prefix interception. Sci. China Inf. Sci. 59, 052105 (2016).



  • routing
  • BGP
  • hijacking
  • interception
  • detection

