Improving IP Prefix Hijacking Detection by Tracing Hijack Fingerprints and Verifying Them through RIR Databases

Hussain Alshamrani, B. Ghita
DOI: 10.5220/0005934200570063
Venue: International Conference on Data Communication Networking (DCNET), published 2016-07-26
Citations: 1

Abstract

In spite of significant ongoing research, the Border Gateway Protocol (BGP) still has a conceptual vulnerability: an AS (Autonomous System) can impersonate the owner of an IP prefix simply by originating a route for it. In this context, a number of studies have focused on securing BGP through history-based and statistics-based behavioural models. This paper improves the IP prefix hijack detection method presented in (Alshamrani et al. 2015) by identifying false positives that arise because some organisations use multiple ASNs (Autonomous System Numbers) to advertise their routes. To address this, we link a Verification Database to the previously proposed detection method to improve its accuracy. The method extracts organisation names (unique codes) and their associated ASNs from ASN delegators and RIRs (Regional Internet Registries), specifically the RIPE (Réseaux IP Européens) database dump (John Stamatakis 2014), which is used to evaluate the method. Since the organisation name is not carried in BGP updates, the data are extracted and processed into a structured database (the Verification DB). The algorithm then removes false-positive hijack detection events from the SFL (Suspicious Findings List) introduced in (Alshamrani et al. 2015). Finally, the algorithm is validated against the 2008 YouTube/Pakistan hijack and the 2006 Con-Edison hijack; the analysis shows that the improved algorithm qualitatively increases the accuracy of IP prefix hijack detection, specifically by reducing false positives.
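The abstract describes the verification step in outline only: build a table of ASN to organisation from RIR data, then drop SFL entries whose conflicting origin ASNs belong to the same organisation. The following is an added example of that step, not the authors' code. It parses a constructed RIPE-style RPSL fragment (the ASNs from the private range and the ORG-* handles are placeholders, not real registry objects), builds the ASN-to-organisation map from the `org:` attribute of `aut-num` objects, and filters a constructed SFL of origin conflicts. The entry layout `(prefix, expected_origin, observed_origin)` is an assumption for the example; the paper does not give the SFL schema.

```python
"""
Added example (not the paper's code): build a Verification DB from a
RIPE-style RPSL dump and use it to drop false-positive origin-AS conflicts
from a Suspicious Findings List (SFL). All data below is constructed.
"""

# Constructed aut-num/organisation objects in RPSL dump format.
# ASNs are from the private range and the ORG-* handles are fictitious.
RIPE_DUMP = """\
aut-num:        AS64500
as-name:        EXAMPLE-NET-A
org:            ORG-EX1-RIPE
source:         RIPE

aut-num:        AS64501
as-name:        EXAMPLE-NET-B
org:            ORG-EX1-RIPE
source:         RIPE

aut-num:        AS64502
as-name:        OTHER-NET
org:            ORG-OT1-RIPE
source:         RIPE

organisation:   ORG-EX1-RIPE
org-name:       Example Networks Ltd
source:         RIPE
"""


def parse_rpsl_objects(text):
    """Yield RPSL objects as lists of (attribute, value) pairs.

    Objects are separated by blank lines; a line starting with whitespace
    or '+' continues the previous attribute's value.
    """
    obj = []
    for line in text.splitlines():
        if not line.strip():
            if obj:
                yield obj
                obj = []
            continue
        if line[0] in " \t+" and obj:
            attr, val = obj[-1]
            obj[-1] = (attr, (val + " " + line.lstrip(" \t+")).strip())
            continue
        attr, _, val = line.partition(":")
        obj.append((attr.strip().lower(), val.strip()))
    if obj:
        yield obj


def build_verification_db(text):
    """Map ASN (int) -> organisation handle for aut-num objects with an org: attribute."""
    asn_to_org = {}
    for obj in parse_rpsl_objects(text):
        attrs = dict(obj)
        aut_num = attrs.get("aut-num")
        if aut_num and attrs.get("org"):
            asn = int(aut_num.upper().lstrip("AS"))
            asn_to_org[asn] = attrs["org"]
    return asn_to_org


def filter_sfl(sfl, asn_to_org):
    """Split the SFL into (kept, dropped).

    An entry (prefix, expected_origin, observed_origin) is dropped only when
    both ASNs resolve to the same organisation. An ASN missing from the
    Verification DB cannot be verified, so such entries are kept.
    """
    kept, dropped = [], []
    for prefix, expected, observed in sfl:
        org_expected = asn_to_org.get(expected)
        org_observed = asn_to_org.get(observed)
        if org_expected is not None and org_expected == org_observed:
            dropped.append((prefix, expected, observed))
        else:
            kept.append((prefix, expected, observed))
    return kept, dropped


# Constructed SFL: prefix, historically seen origin ASN, newly observed origin ASN.
SFL = [
    ("192.0.2.0/24", 64500, 64501),     # sibling ASN of the same org: false positive
    ("198.51.100.0/24", 64500, 64502),  # different org: stays suspicious
    ("203.0.113.0/24", 64500, 64999),   # ASN not in the DB: cannot verify, keep
]

if __name__ == "__main__":
    db = build_verification_db(RIPE_DUMP)
    kept, dropped = filter_sfl(SFL, db)
    print("kept:", kept)
    print("dropped:", dropped)
```

Two caveats a practitioner should keep in mind. First, only the RIPE dump uses this exact RPSL layout; ARIN and APNIC publish organisation links differently, so a production Verification DB needs a loader per registry. Second, an ASN absent from the DB must not be treated as cleared: the example keeps such entries, which is the conservative choice for a hijack detector. In the page's 2008 YouTube case the two origin ASNs belong to different organisations, so that entry would remain in the list.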