Monitor, Detect, Mitigate: Combating BGP Prefix Hijacking in Real-Time with ARTEMIS
Pavlos Sermpezis, Gavriil Chaviaras, Petros Gigis, and Xenofontas Dimitropoulos

TL;DR
ARTEMIS is a real-time BGP hijacking detection and mitigation system that autonomously identifies and responds to hijacks within seconds to minutes, significantly improving response times over existing third-party solutions.
Contribution
This paper introduces ARTEMIS, the first system evaluated through extensive real Internet experiments for autonomous, rapid detection and mitigation of BGP prefix hijacking.
Findings
ARTEMIS detects hijacks within a few seconds.
ARTEMIS mitigates hijacks within minutes.
Control-plane sources effectively monitor routing changes.
Abstract
The Border Gateway Protocol (BGP) is globally used by Autonomous Systems (ASes) to establish route paths for IP prefixes in the Internet. Due to the lack of authentication in BGP, an AS can hijack IP prefixes owned by other ASes (i.e., announce illegitimate route paths), thus impacting the Internet routing system and economy. To this end, a number of hijacking detection systems have been proposed. However, existing systems are usually third-party services that inherently introduce a significant delay between the hijacking detection (by the service) and its mitigation (by the network administrators). To overcome this shortcoming, in this paper, we propose ARTEMIS, a tool that enables an AS to timely detect hijacks on its own prefixes, and automatically proceed to mitigation actions. To evaluate the performance of ARTEMIS, we conduct real hijacking experiments. To our best knowledge, it…
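The following is an added illustration, not ARTEMIS code and not taken from the paper, of the kind of check an AS can run over control-plane updates to spot announcements of its own prefixes (or more-specifics of them) from an unexpected origin AS. The update format, monitor names, prefixes and AS numbers are constructed assumptions drawn from documentation ranges.

```python
import ipaddress

# Constructed configuration: prefixes this AS owns -> origin ASNs allowed to announce them.
OWNED = {
    ipaddress.ip_network("203.0.113.0/24"): {64500},
    ipaddress.ip_network("2001:db8::/32"): {64500, 64501},
}

# Constructed sample of BGP updates as seen by route collectors (hypothetical format).
UPDATES = [
    {"monitor": "mon-a", "prefix": "203.0.113.0/24", "as_path": [64510, 64502, 64500]},
    {"monitor": "mon-b", "prefix": "203.0.113.0/24", "as_path": [64511, 64505]},
    {"monitor": "mon-a", "prefix": "203.0.113.128/25", "as_path": [64510, 64505]},
    {"monitor": "mon-b", "prefix": "198.51.100.0/24", "as_path": [64511, 64505]},
    {"monitor": "mon-a", "prefix": "2001:db8:1::/48", "as_path": [64510, 64501]},
]

def classify(update):
    """Return (kind, owned_prefix) if the update looks like a hijack of an owned prefix."""
    if not update["as_path"]:
        return None  # no origin to check
    announced = ipaddress.ip_network(update["prefix"])
    origin = update["as_path"][-1]  # the last ASN on the path is the origin AS
    for owned, allowed in OWNED.items():
        if announced.version != owned.version:
            continue  # subnet_of() raises TypeError across IPv4/IPv6
        # Covers both the exact prefix and any more-specific inside it.
        if announced.subnet_of(owned) and origin not in allowed:
            kind = "exact-prefix" if announced == owned else "sub-prefix"
            return kind, owned
    return None

def detect(updates):
    """Run classify() over a stream of updates and collect alerts."""
    alerts = []
    for u in updates:
        hit = classify(u)
        if hit:
            kind, owned = hit
            alerts.append({"kind": kind, "owned": str(owned), "announced": u["prefix"],
                           "origin": u["as_path"][-1], "monitor": u["monitor"]})
    return alerts

if __name__ == "__main__":
    for alert in detect(UPDATES):
        print(alert)
```

This check only covers origin mismatches on the exact prefix and on sub-prefixes; announcements with a legitimate origin but a manipulated path are outside what it detects.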
