Client Side Localization of BGP Hijack Attacks with a Quasi-realistic Internet Graph

  • Paulo SalvadorEmail author
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 990)


Internet routing relies completely on the Border Gateway Protocol (BGP) which is inherently insecure and allow the deployment of route hijacking attacks. The client side detection of such type of attacks can be achieved by detecting Round Trip Time (RTT) deviations from multiple points on the Internet to the target network. However, the localization of the autonomous systems where the attack originates can only be performed with an underlying realistic and precise model of the Internet interconnections. A usable and useful realistic Internet interconnections model does not exist. The existing interconnection models are to simplistic to be applicable in real scenarios and/or incorporate to much uncorrelated information that cannot be used due to its complexity.

This work presents a client side methodology to locate the source of BGP hijack attacks based on a quasi-realist graph that models the Internet as an all. The construction of such graph builds upon all known Internet exchange points (IX) and landing points of all known submarine cables. The lack of information about interconnections between Internet exchangers (IX) nodes and landing points is extrapolated from simple rules that take in consideration Earth geographic characteristics. This approach results in a graph that includes all major corner stones of the Internet while maintaining a simple structure. This underlying quasi-realist graph model of the Internet will allow the search for IX nodes where a false route could be injected to create a similar RTT anomaly observed during an attack.

With very simplistic assumptions as similar node, link loads and symmetric routing by the shortest path, and calibration using a relatively small set of world-scale measurements, the proof-of-concept results show that the model allows to locate the source of routing hijack attacks within a reasonable degree of efficiency.


BGP Route hijack Routing attack Attacker location Internet graph model Quasi-realistic Real IX Submarine cables 



This work was supported by the Fundação para Ciência e Tecnologia (FCT) through PTDC/EEI-TEL/5708/2014 and UID/EEA/50008/2013.


  1. 1.
    Pilosov, A., Kapela, T.: Stealing the internet - an internet-scale man in the middle attack. In: DEFCON 2016, August 2008Google Scholar
  2. 2.
    Cowie, J.: The New Threat: Targeted Internet Traffic Misdirection. Dyn Blog, November 2013.
  3. 3.
    Madory, D.: On-going BGP Hijack Targets Palestinian ISP. Dyn Blog, January 2015.
  4. 4.
    Madory, D.: UK traffic diverted through Ukraine. Dyn Blog, March 2015.
  5. 5.
    Zhang, Z., Zhang, Y., Hu, Y.C., Mao, Z.M., Bush, R.: iSPY: detecting IP prefix hijacking on my own. IEEE/ACM Trans. Netw. 18(6), 1815–1828 (2010)CrossRefGoogle Scholar
  6. 6.
    Liu, Y., Luo, X., Chang, R., Su, J.: Characterizing inter-domain rerouting by betweenness centrality after disruptive events. IEEE J. Sel. Areas Commun. 31(6), 1147–1157 (2013)CrossRefGoogle Scholar
  7. 7.
    Salvador, P., Nogueira, A.: Customer-side detection of internet-scale traffic redirection. In: 16th International Telecommunications Network Strategy and Planning Symposium (NETWORKS 2014), September 2014Google Scholar
  8. 8.
    Silva, M., Nogueira, A., Salvador, P.: Modular platform for customer-side detection of BGP redirection attacks. In: Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, pp. 199–206. INSTICC, SciTePress (2018)Google Scholar
  9. 9.
    Salvador, P.: A quasi-realistic internet graph. In: Proceedings of the 14th International Joint Conference on e-Business and Telecommunications (ICETE 2017), pp. 27–32 (2017)Google Scholar
  10. 10.
    Lad, M., Massey, D., Pei, D., Wu, Y., Zhang, B., Zhang, L.: PHAS: a prefix hijack alert system. In: Proceedings of the 15th Conference on USENIX Security Symposium - Volume 15. USENIX-SS 2006. USENIX Association, Berkeley (2006).
  11. 11.
    Schlamp, J., Holz, R., Jacquemart, Q., Carle, G., Biersack, E.W.: HEAP: reliable assessment of BGP hijacking attacks. IEEE J. Sel. Areas Commun. 34(6), 1849–1861 (2016)CrossRefGoogle Scholar
  12. 12.
    Kasiviswanathan, S.P., Eidenbenz, S., Yan, G.: Geography-based analysis of the internet infrastructure. In: 2011 Proceedings IEEE INFOCOM, pp. 131–135, April 2011Google Scholar
  13. 13.
    Mátray, P., Hága, P., Laki, S., Csabai, I., Vattay, G.: On the network geography of the internet. In: 2011 Proceedings IEEE INFOCOM, pp. 126–130, April 2011Google Scholar
  14. 14.
    Landa, R., Araújo, J.T., Clegg, R.G., Mykoniati, E., Griffin, D., Rio, M.: The large-scale geography of internet round trip times. In: 2013 IFIP Networking Conference, pp. 1–9, May 2013Google Scholar
  15. 15.
    Durairajan, R., Ghosh, S., Tang, X., Barford, P., Eriksson, B.: Internet Atlas: a geographic database of the internet. In: Proceedings of the 5th ACM Workshop on HotPlanet, HotPlanet 2013, pp. 15–20. ACM, New York (2013).
  16. 16.
    Durairajan, R., Barford, P., Sommers, J., Willinger, W.: Intertubes: a study of the us long-haul fiber-optic infrastructure. SIGCOMM Comput. Commun. Rev. 45(4), 565–578 (2015). Scholar
  17. 17.
    Alexander, J.: Loxodromes: A rhumb way to go. Mathematics Magazine 77, December 2004Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.DETI, University of Aveiro, Instituto de TelecomunicaçõesAveiroPortugal

Personalised recommendations