Resources Research

Paper Accepted

Reliable Assessment of BGP Hijacking Attacks

April 26, 2016 || Dr. Johann Schlamp

State-of-the-art routing monitors often suffer from high rates of false alarms or fall short to detect elaborate hijacking attacks.
The Hijacking Event Analysis Program (HEAP) is a novel approach to evaluate such routing anomalies.

HEAP combines several unique data sources to identify a legitimate cause behind suspicious routing anomalies. It is not designed to raise new types of alarms, but to receive input from readily available detection techniques. In its effort to reduce high rates of false alarms, HEAP is suitable to address BGP hijacking alarms both in terms of automated reasoning and manual investigation. It is well-suited to reliably disprove malicious intent by identifying the root cause for benign routing anomalies.

We evaluated the HEAP framework in practice to assess its capabilities of legitimizing routing anomalies. By studying common day-to-day events, we established an encouraging base line for practical validation of hijacking alarms. In this respect, we learned that HEAP is able to legitimize up to 56.9% of such events. Restricting the input events to more valuable targets for an attack, HEAP yields an even higher rate of 81.2% legitimate events. More importantly, we evaluated a set of publicly reported hijacking alarms and showed that HEAP can still identify nearly 10% false positives in such a carefully selected set of alarms. We further conducted a case study on a suspected hijacking incident taking place in Bulgaria, which involved abusive use of corresponding networks to send large amounts of spam. By taking into account all data sources provided by HEAP, we discovered substantial evidence against a real hijacking attack.

We will shortly integrate this powerful technique to assess hijacking alarms into our routing analytics suite.

J. Schlamp, R. Holz, Q. Jacquemart, G. Carle, and E. W. Biersack.
"HEAP: Reliable Assessment of BGP Hijacking Attacks"

IEEE Journal on Selected Areas in Communications (JSAC) — Special Issue on Measuring and Troubleshooting the Internet
Volume 34, Issue 6, pp. 1849-1861, June 2016.
Publisher: IEEE
DOI: 10.1109/JSAC.2016.2558978