Abstract

Border Gateway Protocol (BGP) is the protocol used to exchange routing information between autonomous systems (ASes) on the Internet. When BGP was developed in 1989, it was not designed with security in mind. As a result, there are many security concerns regarding BGP, and it is highly vulnerable to malicious attacks. Due to rapid development in Internet technology, the Internet is filled with malicious users. It is not difficult to hijack someone's address space and use it for malicious activities such as denial-of-service (DoS) attacks and spamming. The aim of this research is to identify and discuss the techniques used for BGP prefix hijacking and to design a system that can detect IP prefix hijacking attacks and facilitate mitigation. In one type of hijack attack, to avoid Multiple Origin AS (MOAS) conflicts, the attacker announces a hijacked prefix with the AS number that belongs to the victim AS; this creates the illusion that the BGP speaker has a direct connection with the victim AS. To accurately detect IP prefix hijack attacks, we design a system called Prefix Hijack Detection System (PHDS). To test our system, we collected all the Autonomous Systems (ASes) of Pakistan and their prefixes using the RIPEstat API. PHDS collects BGP updates for every prefix using the RIPEstat API. To monitor all 5,845 prefixes of Pakistan, we collected 3.35 million BGP updates between November 03, 2018, and November 20, 2018. We monitored these prefixes through PHDS and found that our system correctly detects all types of IP prefix hijacks. Therefore, this system is useful for early detection of IP prefix hijack attacks. PHDS detected 47,223 malicious updates out of the 3.35 million BGP updates, and from these 47,223 malicious updates it identified 983 unique IP prefix hijack attacks. Hijacking a prefix and its AS is the most common type of attack: of the 983 prefix hijack attacks PHDS detected, 898 hijacked a prefix and its AS.
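The sketch below is an added illustration, not PHDS code (the abstract does not describe its algorithm): it shows why an origin-only MOAS check misses an announcement that keeps the victim's AS as origin, and how comparing the AS adjacent to the origin against a known-neighbour baseline flags it. The baseline, the labels, and the documentation prefixes and ASNs are assumptions constructed for the example.

```python
import ipaddress

# Constructed baseline (documentation prefixes and ASNs):
# monitored prefix -> (legitimate origin AS, ASes known to neighbour it)
BASELINE = {
    ipaddress.ip_network("203.0.113.0/24"): (64500, {64510, 64511}),
    ipaddress.ip_network("198.51.100.0/24"): (64501, {64510}),
}

def dedupe(as_path):
    """Collapse AS-path prepending (consecutive repeats of one ASN)."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def classify(prefix, as_path, baseline=BASELINE):
    """Label one announcement; as_path is ordered monitor ... origin."""
    net = ipaddress.ip_network(prefix)
    covering = [p for p in baseline
                if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return "unmonitored"
    monitored = max(covering, key=lambda p: p.prefixlen)
    legit_origin, neighbours = baseline[monitored]
    path = dedupe(as_path)
    if not path:
        return "invalid"
    scope = "prefix" if net == monitored else "sub-prefix"
    if path[-1] != legit_origin:
        return f"{scope}-origin-hijack"      # shows up as a MOAS conflict
    # Origin matches, so no MOAS conflict: check the claimed adjacency.
    if len(path) >= 2 and path[-2] not in neighbours:
        return f"{scope}-and-as-hijack"      # unknown AS claims a direct link
    return "ok"

# Constructed sample updates: (announced prefix, AS path)
UPDATES = [
    ("203.0.113.0/24", [64496, 64510, 64500]),          # normal
    ("203.0.113.0/24", [64496, 64499]),                 # wrong origin
    ("203.0.113.0/24", [64496, 64499, 64500, 64500]),   # forged adjacency
    ("203.0.113.128/25", [64496, 64499, 64500]),        # same, more specific
]

if __name__ == "__main__":
    for prefix, path in UPDATES:
        print(prefix, path, "->", classify(prefix, path))
```

A neighbour baseline goes stale when the victim AS adds a legitimate upstream, so hits on the adjacency check need confirmation before mitigation.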
