Research Article
Detecting Bogus BGP Route Information: Going Beyond Prefix Hijacking
@INPROCEEDINGS{10.1109/SECCOM.2007.4550358,
  author={Jian Qiu and Lixin Gao and Supranamaya Ranjan and Antonio Nucci},
  title={Detecting Bogus BGP Route Information: Going Beyond Prefix Hijacking},
  proceedings={3rd International ICST Conference on Security and Privacy in Communication Networks},
  publisher={IEEE},
  proceedings_a={SECURECOMM},
  year={2008},
  month={6},
  keywords={Assembly Gain control Internet Object detection Peer to peer computing Protection Real time systems Routing protocols Topology Traffic control},
  doi={10.1109/SECCOM.2007.4550358}
}
- Jian Qiu
- Lixin Gao
- Supranamaya Ranjan
- Antonio Nucci
Year: 2008
Detecting Bogus BGP Route Information: Going Beyond Prefix Hijacking
SECURECOMM
IEEE
DOI: 10.1109/SECCOM.2007.4550358
Abstract
Border Gateway Protocol (BGP) is the de facto inter-domain routing protocol of the Internet. However, the BGP system is built on implicit trust among individual administrative domains, and no countermeasure prevents bogus routes from being injected into and propagated through the system. Attackers might exploit bogus routes to gain control of arbitrary address spaces (i.e. prefixes), either to hijack the relevant traffic or to launch stealthy attacks. Attackers can directly originate bogus routes for the prefixes or, even more stealthily, spoof the AS paths of the routes so that they appear to be originated by others. We propose a real-time detection system for ISPs that provides protection against bogus routes. The system learns from historical BGP routing data the basic routing information objects that assemble BGP routes, and detects suspicious routes comprised of unseen objects. In particular, we leverage a directed AS-link topology model to detect path-spoofing routes that violate import/export routing policies. Moreover, we explore various heuristics to infer potentially legitimate routing information objects and thereby reduce false alarms. Experiments based on several documented incidents show that our system can yield a nearly 100% detection rate while bounding the false positive rate to as low as 0.02%.
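The detection idea in the abstract, as an added illustration that is not the paper's code: learn the prefix-to-origin pairs and the directed AS links seen in historical routes, then flag a new route whose origin or whose path contains an object never seen before. The sample history, the observing AS 64500, and the covering-prefix heuristic for unseen prefixes are assumptions made here for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample history (not from the paper). Each AS path is listed from
# the observing AS (64500) toward the origin AS, as in a BGP AS_PATH.
HISTORY = [
    ("203.0.113.0/24", [64500, 64510, 64520]),
    ("203.0.113.0/24", [64500, 64530, 64520]),
    ("198.51.100.0/22", [64500, 64510, 64540]),
]

def learn(history):
    """Extract the routing information objects that assemble trusted routes:
    prefix -> origin ASes, and directed AS links (a, b) meaning "a learned the
    route from b", i.e. the direction in which b exported it to a."""
    origins = defaultdict(set)
    links = set()
    for prefix, path in history:
        origins[ipaddress.ip_network(prefix)].add(path[-1])
        links.update(zip(path, path[1:]))
    return origins, links

def expected_origins(prefix, origins):
    """Heuristic (an assumption here, not the paper's exact rule): an unseen
    prefix inherits the origins of its most specific known covering prefix,
    so routine de-aggregation by the legitimate owner is not flagged."""
    net = ipaddress.ip_network(prefix)
    if net in origins:
        return origins[net]
    covering = [p for p in origins if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return set()
    return origins[max(covering, key=lambda p: p.prefixlen)]

def check_route(prefix, path, origins, links):
    """Return the alarms raised by a new route: an unseen origin suggests a
    prefix hijack; an unseen directed link suggests a spoofed AS path."""
    alarms = []
    if path[-1] not in expected_origins(prefix, origins):
        alarms.append(f"unseen origin AS{path[-1]} for {prefix}")
    for a, b in zip(path, path[1:]):
        if (a, b) not in links:
            alarms.append(f"unseen directed link AS{a}<-AS{b}")
    return alarms
```

Because links are directed, a path that reuses known ASes in an order never observed (for example 64510 learning 203.0.113.0/24 from 64530) still raises an alarm, which is the path-spoofing case the abstract describes.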