Investigating the Nature of Routing Anomalies: Closing in on Subprefix Hijacking Attacks

  • Johann Schlamp
  • Ralph Holz
  • Oliver Gasser
  • Andreas Korsten
  • Quentin Jacquemart
  • Georg Carle
  • Ernst W. Biersack
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9053)


The detection of BGP hijacking attacks has been a focus of research for more than a decade. However, state-of-the-art techniques fall short of detecting subprefix hijacking, where an attacker targets smaller parts of a victim’s networks. The analysis of the corresponding routing anomalies, so-called subMOAS events, is tedious since these anomalies are numerous and mostly have legitimate causes.

In this paper, we propose, implement and test a new approach to investigate subMOAS events. Our method combines input from several data sources that can reliably disprove malicious intent. First, we make use of the database of an Internet Routing Registry (IRR) to derive business relations between the parties involved in a subMOAS event. Second, we use a topology-based reasoning algorithm to rule out subMOAS events caused by legitimate network setups. Finally, we use Internet-wide network scans to identify SSL-enabled hosts in a large number of subnets. Where we observe that public/private key pairs do not change during an event, we can eliminate the possibility of an attack. We show that subprefix announcements with multiple origins are harmless for the largest part. This significantly reduces the search space in which we need to look for hijacking attacks.
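The abstract describes a filtering pipeline: detect subMOAS events (a subprefix announced by a different origin AS than its covering prefix), then discard events that an IRR business relation, the routing topology, or unchanged TLS key pairs can explain. The following Python example, added here and not taken from the paper or its authors, implements that triage over a constructed routing snapshot. The routes, AS numbers, IRR relations, scanned hosts and key fingerprints are all made up (documentation prefixes and private ASNs), and the topology rule used, namely that a subprefix whose AS path passes through the covering prefix's origin is being forwarded with that origin's consent, is an assumed simplification of the paper's reasoning algorithm, not its actual method.

```python
from ipaddress import ip_address, ip_network

# Constructed snapshot of a route collector's view after an event:
# prefix -> AS path (last element is the origin AS). All values are invented.
ROUTES = {
    "203.0.113.0/24":    (64496, 64500),
    "203.0.113.0/25":    (64496, 64510),         # origin is IRR-related to AS64500
    "198.51.100.0/24":   (64496, 64501),
    "198.51.100.128/25": (64497, 64511),         # no explanation, TLS key changes
    "192.0.2.0/24":      (64496, 64502),
    "192.0.2.0/25":      (64496, 64502, 64512),  # path traverses covering origin
    "192.0.2.128/26":    (64498, 64513),         # unrelated origin, TLS key unchanged
}

# Constructed IRR-derived business relations (pairs of ASNs sharing an
# organisation/maintainer object). Treated as symmetric below.
IRR_RELATED = {(64500, 64510)}

# Constructed results of TLS scans before and after the event:
# host -> public key fingerprint (placeholder strings, not real hashes).
TLS_KEYS_BEFORE = {
    "198.51.100.130": "sha256:KEY-B",
    "192.0.2.130":    "sha256:KEY-D",
}
TLS_KEYS_AFTER = {
    "198.51.100.130": "sha256:KEY-X",   # key pair changed during the event
    "192.0.2.130":    "sha256:KEY-D",   # key pair unchanged
}


def find_submoas(routes):
    """Return subMOAS events: each subprefix whose origin differs from the
    origin of its most specific covering prefix."""
    nets = {ip_network(p): path for p, path in routes.items()}
    events = []
    for sub, sub_path in nets.items():
        covering = [c for c in nets
                    if c != sub and c.version == sub.version and sub.subnet_of(c)]
        if not covering:
            continue
        cov = max(covering, key=lambda c: c.prefixlen)   # most specific less-specific
        if nets[cov][-1] != sub_path[-1]:
            events.append({
                "subprefix": str(sub), "path": sub_path, "origin": sub_path[-1],
                "covering": str(cov), "covering_origin": nets[cov][-1],
            })
    return sorted(events, key=lambda e: e["subprefix"])


def classify(event, irr_related, keys_before, keys_after):
    """Apply the three exclusion checks in order; anything left is suspicious."""
    pair = (event["covering_origin"], event["origin"])
    if pair in irr_related or pair[::-1] in irr_related:
        return "legitimate: IRR business relation"
    # Assumed topology rule: the covering origin itself forwards the subprefix.
    if event["covering_origin"] in event["path"][:-1]:
        return "legitimate: path traverses covering origin"
    sub = ip_network(event["subprefix"])
    hosts = [h for h in keys_before if ip_address(h) in sub and h in keys_after]
    if hosts and all(keys_before[h] == keys_after[h] for h in hosts):
        return "legitimate: TLS key pairs unchanged"
    if hosts:
        return "suspicious: TLS key pair changed"
    return "undetermined: no scan data"


def triage(routes, irr_related, keys_before, keys_after):
    """Map every subMOAS subprefix to its verdict."""
    return {e["subprefix"]: classify(e, irr_related, keys_before, keys_after)
            for e in find_submoas(routes)}


if __name__ == "__main__":
    for prefix, verdict in triage(ROUTES, IRR_RELATED,
                                  TLS_KEYS_BEFORE, TLS_KEYS_AFTER).items():
        print(f"{prefix:20} {verdict}")
```

Only one of the four subMOAS events survives all three checks, which mirrors the abstract's point that the bulk of subMOAS events can be discarded before any manual investigation starts.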





Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  • Johann Schlamp (1)
  • Ralph Holz (2)
  • Oliver Gasser (1)
  • Andreas Korsten (1)
  • Quentin Jacquemart (3)
  • Georg Carle (1)
  • Ernst W. Biersack (3)

  1. Technische Universität München, München, Germany
  2. NICTA, Sydney, Australia
  3. Eurecom Sophia Antipolis, Biot, France
