Oscilloscope: Detecting BGP Hijacks in the Data Plane
Tobias Bühler, Alexandros Milolidakis, Romain Jacob, Marco Chiesa, Stefano Vissicchio, Laurent Vanbever

TL;DR
Oscilloscope is a real-time traffic analysis method that detects BGP hijacks by identifying traffic pattern changes specific to hijacking events, effectively filtering out normal network variations.
Contribution
It introduces a novel traffic-based detection approach that distinguishes hijacks from normal network events by analyzing traffic change patterns across related prefixes.
Findings
Accurately detects BGP hijacks in realistic traffic traces.
Reduces false positives by filtering normal network events.
Detects hijacks quickly and reliably.
Abstract
The lack of security of the Internet routing protocol (BGP) has allowed attackers to divert Internet traffic and consequently perpetrate service disruptions, monetary frauds, and even citizen surveillance for decades. State-of-the-art defenses rely on geo-distributed BGP monitors to detect rogue BGP announcements. As we show, though, attackers can easily evade detection by engineering their announcements. This paper presents Oscilloscope, an approach to accurately detect BGP hijacks by relying on real-time traffic analysis. As hijacks inevitably change the characteristics of the diverted traffic, the key idea is to track these changes in real time and flag them. The main challenge is that "normal" Internet events (e.g., network reconfigurations, link failures, load balancing) also change the underlying traffic characteristics - and they are way more frequent than hijacks. Naive…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Network Packet Processing and Optimization
