Detecting Large Route Leaks

Prefix hijacking, in which an unauthorized network announces IP prefixes of other networks, is a major threat to the Internet routing security. Existing detection systems either generate many false positives, requiring frequent human intervention, or are designed to protect a small number of specific prefixes. Therefore they are not suitable to protect data traffic at networks other than the prefix owner during on-going hijacks. We design and implement a system that detects a specific type of prefix hijacking, large route leaks, at real time and without requiring authoritative prefix ownership information. In a large route leak, an unauthorized network hijacks prefixes owned by multiple different networks. By correlating suspicious routing announcements along the time dimension and comparing with a network’s past behavior, we are able to identify a network’s abnormal behavior of offending multiple other networks at the same time. Applying the detection algorithm to routing data from 2003 through 2009, we identify five to twenty large route leaks every year. They typically hijack prefixes owned by a few tens of other networks, last from a few minutes to a few hours, and pollute routes at most vantage points of the data collector. In 2009 there are ten events detected, none of which was mentioned on operator mailing lists, but most are confirmed through our communication with individual operators of affected networks. The system can take real-time routing data feed and conduct the detection quickly, enabling automated response to these attacks without requiring authoritative prefix ownership information or human intervention.