Cooperative Detection of Internet Prefix Hijacking

IP prefix hijacking remains a threat to the security of Internet routing and network applications. Lacking complete knowledge or authentication, a router or network operator finds it difficult to identify a spoofed announcement of prefix ownership in a timely and accurate way. This paper proposes a method, called CoMonitor, for prefix hijacking detection based on cooperation among Autonomous Systems (ASes). Every participating AS exchanges self-defined prefix-to-origin mapping information with the others, and each monitors its local BGP updates. Once a participant discovers that the origin information of a BGP route is inconsistent with the learned prefix-to-origin mapping information, it notifies the related participants immediately. This self-organized overlay network can help ASes detect prefix hijacks quickly and effectively. The paper describes the architecture, mechanisms and implementation details of CoMonitor, and validates its effectiveness through experiments and analysis.
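
The consistency check described above, sketched as an added example that is not CoMonitor's own code: a participant compares the origin AS of each locally observed announcement with the mappings it learned, and lists which participant to notify. The data layout, the function names `build_index` and `check_update`, and the treatment of more-specific prefixes are assumptions; the abstract does not specify them.

```python
import ipaddress

# Constructed sample data (not from the paper): mappings each participant
# declares for itself. ASNs are documentation ASNs, prefixes are TEST-NETs.
LEARNED = {
    64496: {"192.0.2.0/24": {64496}},
    64497: {"198.51.100.0/24": {64497, 64498}},  # two legitimate origins
}

def build_index(learned):
    """Flatten the exchanged mappings into (network, declaring AS, origins)."""
    return [(ipaddress.ip_network(prefix), owner, origins)
            for owner, table in learned.items()
            for prefix, origins in table.items()]

def check_update(index, prefix, as_path):
    """Compare one locally observed announcement with the learned mappings.

    Returns one alert per participant whose mapping the origin contradicts.
    """
    if not as_path:                      # locally originated, no origin to check
        return []
    net, origin = ipaddress.ip_network(prefix), as_path[-1]
    alerts = []
    for reg_net, owner, origins in index:
        if net.version != reg_net.version or origin in origins:
            continue
        if net == reg_net:
            kind = "origin-mismatch"
        elif net.subnet_of(reg_net):     # assumption: more-specifics are covered
            kind = "sub-prefix"
        else:
            continue                     # no learned mapping covers this prefix
        alerts.append({"notify": owner, "kind": kind, "prefix": prefix,
                       "declared": str(reg_net), "observed_origin": origin})
    return alerts

if __name__ == "__main__":
    index = build_index(LEARNED)
    updates = [  # constructed (prefix, AS_PATH) pairs; origin is the last ASN
        ("192.0.2.0/24", [64500, 64496]),
        ("192.0.2.0/24", [64500, 64511]),
        ("192.0.2.128/25", [64500, 64511]),
        ("198.51.100.0/24", [64499, 64498]),
        ("203.0.113.0/24", [64500, 64511]),
    ]
    for prefix, path in updates:
        print(prefix, path, check_update(index, prefix, path))
```

A prefix that no participant has declared produces no alert, so in this sketch detection coverage is limited to the address space of participating ASes.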