An accurate distributed scheme for detection of prefix interception

一种准确检测 BGP 前缀窃听攻击的分布式方案


Previous research in interdomain routing security has often focused on prefix hijacking. However, several prefix interception events have happened lately, which poses a new security challenge to the interdomain routing system. Compared to prefix hijacking, prefix interception is much harder to detect, as it avoids black hole by forwarding the hijacked traffic back to the victim. In this paper, we present a novel method to detect prefix interception. Our approach exploits a key observation about prefix interception: during a prefix interception event, the attacker detours the intercepted traffic through its network, which turns it into a new important “transit point” for access to the victim. By collecting data plane information to detect the emerging “transit point” and using control plane information to verify it, our scheme can identify prefix interception in real time. The results of Internet experiments and Internet-scale simulations show that our method is accurate with low false alarm rate (0.28%) and false negative rate (2.26%).



  1. (1)

    对基于 BGP 路由劫持的前缀窃听进行综合分类, 并建立 BGP 前缀窃听攻击模型。

  2. (2)

    分析 BGP 前缀窃听事件, 提取 BGP 前缀窃听的重要攻击特征。

  3. (3)

    研究前缀窃听过程中 AS 入度和出度的变化,提出基于帕累托分布的检测异常 Upstart-AS 的分布式算法。

  4. (4)


  5. (5)

    通过 Internet 实验和大规模仿真验证了检测算法的准确性。

This is a preview of subscription content, access via your institution.


  1. 1

    Karrenberg D. Youtube Hijacking: a Ripe Ncc Ris Case Study. RIPE NCC Technical Report. 2008

    Google Scholar 

  2. 2

    Hiran R, Carlsson N, Gill P. Characterizing large-scale routing anomalies: a case study of the China telecom incident. In: Proceedings of the 14th International Conference on Passive and Active Measurement, Hong Kong, 2013. 229–238

    Google Scholar 

  3. 3

    Cowie J. The New Threat: Targeted Internet Traffic Misdirection. Dyn Research Technical Report. 2013

    Google Scholar 

  4. 4

    Madory D. Uk Traffic Diverted Through Ukraine. Dyn Research Technical Report. 2015

    Google Scholar 

  5. 5

    Kent S, Lynn C, Seo K. Secure border gateway protocol (s-bgp). IEEE J Sel Area Commun, 2000; 18: 582–592

    Article  Google Scholar 

  6. 6

    NgZ J. Extensions to BGP to support secure origin BGP (soBGP). IETF Draft draft-ng-sobgp-bgp-extensions-02. 2004

    Google Scholar 

  7. 7

    van Oorschot P C, Wan T, Kranakis E. On interdomain routing security and pretty secure bgp (psbgp). ACM Trans Inf Syst Secur, 2007, 10: 11

    Article  Google Scholar 

  8. 8

    Lepinski M, Kent S. An Infrastructure to Support Secure Internet Routing. IETF RFC 6480. 2012

    Google Scholar 

  9. 9

    Xiang Y, Shi X, Wu J, et al. Sign what you really care about-secure bgp as-paths efficiently. Comput Netw, 2013; 57: 2250–2265

    Article  Google Scholar 

  10. 10

    Lychev R, Goldberg S, Schapira M. BGP security in partial deployment: is the juice worth the squeeze? ACM SIGCOMM Comput Commun Rev, 2013; 43: 171–182

    Article  Google Scholar 

  11. 11

    McPherson D, Osterweil E, Amante S, et al. Route-Leaks & MITM attacks against BGPSEC. IETF Draft draft-ietfgrow- simple-leak-attack-bgpsec-no-help-04. 2014

    Google Scholar 

  12. 12

    Li Q, Hu Y C, Zhang X. Even rockets cannot make pigs fly sustainably: can BGP be secured with BGPsec? In: Proceedings of the NDSS Workshop on Security of Emerging Networking Technologies, San Diego, 2014

    Google Scholar 

  13. 13

    Hu X, Mao Z M. Accurate real-time identification of IP prefix hijacking. In: Proceedings of the 2007 IEEE Symposium on Security and Privacy, Oakland, 2007. 3–17

    Google Scholar 

  14. 14

    Zhao X, Pei D, Wang L, et al. Detection of invalid routing announcement in the Internet. In: Proceedings of the International Conference on Dependable Systems and Networks, Bethesda, 2002. 59–68

    Google Scholar 

  15. 15

    Zhang Z, Zhang Y, Hu Y C, et al. Ispy: detecting ip prefix hijacking on my own. ACM SIGCOMM Comput Commun Rev, 2008; 38: 327–338

    Article  Google Scholar 

  16. 16

    Xiang Y, Wang Z, Yin X, et al. Argus: an accurate and agile system to detecting IP prefix hijacking. In: Proceedings of the 19th IEEE International Conference on Network Protocols, Vancouver, 2011. 43–48

    Google Scholar 

  17. 17

    Ballani H, Francis P, Zhang X. A study of prefix hijacking and interception in the Internet. ACM SIGCOMM Comput Commun Rev, 2007; 37: 265–276

    Article  Google Scholar 

  18. 18

    Gao L. On inferring autonomous system relationships in the Internet. IEEE/ACM Trans Netw (ToN), 2001; 9: 733–745

    Article  Google Scholar 

  19. 19

    Gill P, Schapira M, Goldberg S. A survey of interdomain routing policies. ACM SIGCOMM Comput Commun Rev, 2013; 44: 28–34

    Article  Google Scholar 

  20. 20

    Zhang Y, Pourzandi M. Studying impacts of prefix interception attack by exploring bgp as-path prepending. In: Proceedings of the IEEE 32nd International Conference on Distributed Computing Systems (ICDCS), Macau, 2012. 667–677

    Google Scholar 

  21. 21

    Zhao X, Pei D, Wang L, et al. An analysis of BGP multiple origin AS (MOAS) conflicts. In: Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, San Francisco, 2001. 31–35

    Google Scholar 

  22. 22

    Pilosov A, Kapela T. Stealing the Internet: an Internet-Scale Man in the Middle Attack. Defcon Technical Report. 2008

    Google Scholar 

  23. 23

    Madhyastha H V, Isdal T, Piatek M, et al. iPlane: an information plane for distributed services. In: Proceedings of the 7th Symposium on Operating Systems Design and Implementation, Seattle, 2006. 367–380

    Google Scholar 

  24. 24

    Faloutsos M, Faloutsos P, Faloutsos C. On power-law relationships of the internet topology. ACM SIGCOMM Comput Commun Rev, 1999; 29: 251–262

    Article  MATH  Google Scholar 

  25. 25

    Siganos G, Faloutsos M, Faloutsos P, et al. Power laws and the AS-level internet topology. IEEE/ACM Trans Netw (TON), 2003; 11: 514–524

    Article  Google Scholar 

  26. 26

    Luckie M, Huffaker B, Dhamdhere A, et al. AS relationships, customer cones, and validation. In: Proceedings of the 2013 Conference on Internet Measurement, Barcelona, 2013. 243–256

    Google Scholar 

  27. 27

    Xia J, Gao L. On the evaluation of AS relationship inferences [Internet reachability/traffic flow applications]. In: Proceedings of the Global Telecommunications Conference, Dallas, 2004. 1373–1377

    Google Scholar 

  28. 28

    Augustin B, Cuvellier X, Orgogozo B, et al. Avoiding traceroute anomalies with paris traceroute. In: Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, Rio de Janeriro, 2006. 153–158

    Google Scholar 

  29. 29

    Quoitin B. Uhlig S. Modeling the routing of an autonomous system with C-BGP. IEEE Netw, 2005; 19: 12–19

    Google Scholar 

  30. 30

    Wählisch M, Maennel O, Schmidt T C. Towards detecting BGP route hijacking using the RPKI. ACM SIGCOMM Comput Commun Rev, 2012; 42: 103–104

    Article  Google Scholar 

  31. 31

    Zheng C, Ji L, Pei D, et al. A light-weight distributed scheme for detecting IP prefix hijacks in real-time. ACM SIGCOMM Comput Commun Rev, 2007; 37: 277–288

    Article  Google Scholar 

  32. 32

    Lad M, Massey D, Pei D, et al. Phas: a prefix hijack alert system. In: Proceedings of the 15th Conference on USENIX Security Symposium, Berkeley, 2006. 153–166

    Google Scholar 

  33. 33

    Karlin J, Forrest S, Rexford J. Pretty good BGP: improving BGP by cautiously adopting routes. In: Proceedings of the 14th IEEE International Conference on Network Protocols, Santa Barbara, 2006. 290–299

    Google Scholar 

Download references

Author information



Corresponding author

Correspondence to Haixin Duan.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Li, S., Duan, H., Wang, Z. et al. An accurate distributed scheme for detection of prefix interception. Sci. China Inf. Sci. 59, 052105 (2016).

Download citation


  • routing
  • BGP
  • hijacking
  • interception
  • detection


  • 路由
  • BGP
  • 劫持
  • 窃听
  • 检测